Analysis Overview
SHA256
6713695798164eeef13de43bffb24f47b82e58a68c12b92bcee41d45f864e931
Threat Level: Known bad
The file expressvpn_windows_12.49.0.4_release [pesktop.com].exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Downloads MZ/PE file
Blocklisted process makes network request
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Checks computer location settings
Drops file in Windows directory
Executes dropped EXE
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Registers COM server for autorun
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2023-06-28 06:50 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-06-28 06:50 |
| Reported | 2023-06-28 06:53 |
| Platform | win7-20230621-en |
| Max time kernel | 29s |
| Max time network | 35s |
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"
C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
"C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
Network
Files
\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
| MD5 | 6a25e359c5876cbb2695abb2f0242e76 |
| SHA1 | bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224 |
| SHA256 | f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8 |
| SHA512 | c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2023-06-28 06:50 |
| Reported | 2023-06-28 06:59 |
| Platform | win10v2004-20230621-en |
| Max time kernel | 506s |
| Max time network | 516s |
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{6cad862f-afe1-438f-bb94-c3e847bed3b1} = "\"C:\\ProgramData\\Package Cache\\{6cad862f-afe1-438f-bb94-c3e847bed3b1}\\ExpressVPN_12.49.0.4.exe\" /burn.runonce" | C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" | C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ExpressVPNNotificationService = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationServiceStarter.exe\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfcm140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\concrt140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcamp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\concrt140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfcm140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_atomic_wait.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfcm140u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcomp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vccorlib140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcamp140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcruntime140.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\vcruntime140_1.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc140jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\mfc140chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp140.dll | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.IO.Compression.Native.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\System.Windows.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\70x70Logo.scale-150.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Options.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.Serialization.Xml.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\UIAutomationTypes.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.AppService.Grpc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.deps.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.Utils.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Google.Protobuf.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\System.Diagnostics.EventLog.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.IO.FileSystem.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ServiceProcess.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\System.Windows.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\Microsoft.VisualBasic.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Windows.Input.Manipulations.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\cs\UIAutomationClientSideProviders.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\wintun\driver\expressvpn-tun.sys | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Polly.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\mscordaccore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Xaml.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\UIAutomationProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Input.Manipulations.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Threading.Thread.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ComponentModel.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-datetime-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.Aero2.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Windows.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Caliburn.Micro.Platform.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Configuration.UserSecrets.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Logging.Console.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Resources.ResourceManager.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\System.Windows.Input.Manipulations.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\150x150Logo.scale-200.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Windows.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Reflection.Emit.ILGeneration.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\UIAutomationClient.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Forms.Design.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reactive.Core.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\System.ServiceProcess.ServiceController.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.Client.Proteus.Adapter.dll.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\lightway.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\log4net.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\System.Windows.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\WindowsFormsIntegration.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Resources.pri | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\xvclient_csharp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Drawing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\Microsoft.WindowsDesktop.App.runtimeconfig.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Input.Manipulations.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.BrowserHelper.runtimeconfig.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.Grpc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.5 (x64).swidtag | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\150x150Logo.scale-150.png | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Grpc.Core.Api.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Serilog.Sinks.Async.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIF025.tmp-\LaunchDarkly.InternalSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD26.tmp-\System.Text.Encodings.Web.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0A2.tmp-\LaunchDarkly.InternalSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\ManagedWifi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Polly.Contrib.WaitAndRetry.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\Microsoft.IdentityModel.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.DependencyInjection.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC3C.tmp-\System.Security.AccessControl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Microsoft.Extensions.Configuration.Binder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\System.Management.Automation.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.Logging.EventLog.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC3C.tmp-\DeviceId.Windows.Wmi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC3C.tmp-\System.Threading.Tasks.Extensions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Extensions.Logging.EventLog.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0A2.tmp-\WixSharp.UI.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.Logging.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF025.tmp-\System.Diagnostics.DiagnosticSource.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE0C2.tmp-\LaunchDarkly.CommonSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\Microsoft.Extensions.Configuration.Binder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\log4net.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Configuration.CommandLine.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\e57caf3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\System.Security.AccessControl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\Grpc.Core.Api.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE0C2.tmp-\log4net.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEAD.tmp-\System.Security.Principal.Windows.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD26.tmp-\ExpressVpn.Common.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Configuration.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE532.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0A2.tmp-\Microsoft.Extensions.Logging.EventSource.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF025.tmp-\DeviceId.Windows.Wmi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Microsoft.Extensions.DependencyInjection.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Extensions.Configuration.Binder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC797.tmp-\log4net.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC797.tmp-\Microsoft.Extensions.Http.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\System.IO.FileSystem.AccessControl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\System.Threading.Tasks.Extensions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Logging.EventLog.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC3C.tmp-\LaunchDarkly.JsonStream.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.Configuration.Binder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\Sentry.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\System.Collections.Immutable.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC797.tmp-\ExpressVPN.Utils.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDCF8.tmp-\Polly.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Kape.Braze.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\Microsoft.IdentityModel.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{F3B3A61B-DC16-429A-A260-DBAFE66741A9} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57cb19.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD26.tmp-\LaunchDarkly.CommonSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC3C.tmp-\Microsoft.Extensions.Configuration.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA74A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC797.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE0C2.tmp-\System.Reflection.Metadata.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B61.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF825.tmp-\System.Buffers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF025.tmp-\ExpressVPN.Utils.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\ExpressVPN.Client.Installer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC3C.tmp-\log4net.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32\ = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationService.exe\" -ToastActivated" | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 | C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.23.40665_x64 | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31931" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\ = "{089A177D-98AE-4195-A115-D3C45613B875}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\expressvpn\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\10EA62E1536592372BC00B2945329E52\23B875EDA4807E94E855F6853A57870C | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Version = "806854361" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B899DD7835}\DisplayName = "ExpressVPN" | C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.5 (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E3C9B5EC98822F49A954F8B99DD8753 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" | C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} | C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\expressvpn | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af} | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\AppUserModelId\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}/ExpressVPN/expressvpn-ui/ExpressVPNNotificationService.exe\DisplayName = "ExpressVPN" | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\14DCC6E369B6DB74E8E17D5B39EC9E67 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\ProductName = "Microsoft .NET Host FX Resolver - 6.0.5 (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{F3B3A61B-DC16-429A-A260-DBAFE66741A9}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c1a51ea5-665e-cac3-4426-32d306a827af} | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D771A980EA8959141A513D4C65318B57\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23B875EDA4807E94E855F6853A57870C\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\ProductName = "ExpressVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\Dependents | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\SourceList\PackageName = "ExpressVPN.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.5 (x64)" | C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.5 (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23B875EDA4807E94E855F6853A57870C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B899DD7835}\ = "{E5B9C3E5-889C-4F22-A959-F4B899DD7835}" | C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E3C9B5EC98822F49A954F8B99DD8753\Complete | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\ = "{DE578B32-084A-49E7-8E55-6F58A37578C0}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"
C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
"C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.filehandle.attached=700 -burn.filehandle.self=704
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe
"C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe" -q -burn.elevated BurnPipe.{6DDFA8F5-BA23-4B9E-9034-1E82FD79EFD8} {1AE74B34-ABE9-462E-86FB-0F42697B4D71} 3588
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart
C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B1663C9F-B1DB-470C-A88D-82221B8BB6BA} {A9860BDB-F1C5-4F9E-95CC-B7328BFB44BA} 3672
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{A081CDAC-580B-43DB-98D2-F67B7E1A1BFA} {4F530CD7-23BD-4297-AED9-8E090CE575D5} 3916
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{A081CDAC-580B-43DB-98D2-F67B7E1A1BFA} {4F530CD7-23BD-4297-AED9-8E090CE575D5} 3916
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0E5D2DF7-7740-4851-91F2-4BECE9056CCC} {74A80C32-6B92-41D2-A459-0F78ABFB750B} 1168
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=988 -burn.embedded BurnPipe.{493C3436-2558-4C35-BCD7-95A8E5D4B7F2} {C4EB9B81-A677-4198-93B5-C4B648869228} 5104
C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=688 /install /quiet /norestart -burn.filehandle.self=988 -burn.embedded BurnPipe.{493C3436-2558-4C35-BCD7-95A8E5D4B7F2} {C4EB9B81-A677-4198-93B5-C4B648869228} 5104
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{3C6F56FC-88CC-4568-A07A-5922BDEEF629} {F881A2A3-C1FA-482F-913E-17F391F917AF} 2248
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9ACC93B039BB17455E63719BAB13DB56
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 35F89EF459865A871A16B7BCFCAAA59F
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D55CD0FEE4821D1365739CB4F3E4ACB2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5351BDBA96D98B5F6483DBCAF9B3E0E2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BF5774569E9125ABA4A01C1E8EA0870C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9B61.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240688171 26 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 88650BAE337E5A603B0262ADFA411313 E Global\MSI0000
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIAEAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240693046 38 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveData
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBD26.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240696656 45 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIC797.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240699328 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICC3C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240700484 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID0A2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240701609 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID5A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702875 61 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIDCF8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240704750 65 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIE0C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240705734 69 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"
C:\Program Files (x86)\ExpressVPN\services\lightway.exe
"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEC3C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240708718 73 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIF025.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240709687 77 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIF825.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240711718 87 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ujsrxts.com/order?utm_source=windows_app&utm_medium=apps&utm_campaign=app_buy_subscription&utm_content=not_activated_buy_a_subscription
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffba30146f8,0x7ffba3014708,0x7ffba3014718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5764 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5748 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff660265460,0x7ff660265470,0x7ff660265480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3260 /prefetch:2
Network
Files
C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\mbahost.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\BootstrapperCore.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\BootstrapperCore.config
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\WixSharp Setup.exe
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\ExpressVpn.Client.Setup.Shared.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\ExpressVpn.Common.Logging.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\ExpressVPN.Common.Shared.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\ExpressVPN.Utils.dll
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
memory/3588-292-0x0000000006D00000-0x0000000006D18000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
memory/3588-296-0x0000000006BC0000-0x0000000006BCA000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
memory/3588-300-0x0000000006BD0000-0x0000000006BDA000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
memory/3588-304-0x0000000006D40000-0x0000000006D50000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Newtonsoft.Json.dll
| MD5 | 715a1fbee4665e99e859eda667fe8034 |
| SHA1 | e13c6e4210043c4976dcdc447ea2b32854f70cc6 |
| SHA256 | c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e |
| SHA512 | bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.ba\Newtonsoft.Json.dll
| MD5 | 715a1fbee4665e99e859eda667fe8034 |
| SHA1 | e13c6e4210043c4976dcdc447ea2b32854f70cc6 |
| SHA256 | c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e |
| SHA512 | bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad |
memory/3588-308-0x0000000006ED0000-0x0000000006F82000-memory.dmp
memory/3588-311-0x000000007F250000-0x000000007F260000-memory.dmp
memory/3588-312-0x00000000068A0000-0x00000000068C2000-memory.dmp
memory/3588-315-0x00000000065B0000-0x00000000065C0000-memory.dmp
memory/3588-316-0x0000000007810000-0x0000000007818000-memory.dmp
memory/3588-317-0x0000000009D90000-0x0000000009DC8000-memory.dmp
memory/3588-318-0x0000000009D50000-0x0000000009D5E000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe
| MD5 | 6a25e359c5876cbb2695abb2f0242e76 |
| SHA1 | bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224 |
| SHA256 | f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8 |
| SHA512 | c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619 |
memory/3588-322-0x000000000A940000-0x000000000A948000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe
| MD5 | 6a25e359c5876cbb2695abb2f0242e76 |
| SHA1 | bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224 |
| SHA256 | f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8 |
| SHA512 | c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe
| MD5 | 6a25e359c5876cbb2695abb2f0242e76 |
| SHA1 | bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224 |
| SHA256 | f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8 |
| SHA512 | c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619 |
memory/3588-331-0x00000000065B0000-0x00000000065C0000-memory.dmp
memory/3588-332-0x00000000065B0000-0x00000000065C0000-memory.dmp
memory/3588-333-0x00000000065B0000-0x00000000065C0000-memory.dmp
memory/3588-335-0x000000007F250000-0x000000007F260000-memory.dmp
memory/3588-334-0x00000000065B0000-0x00000000065C0000-memory.dmp
memory/3588-336-0x00000000065B0000-0x00000000065C0000-memory.dmp
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\VCRedist64
| MD5 | 703bd677778f2a1ba1eb4338bac3b868 |
| SHA1 | a176f140e942920b777f80de89e16ea57ee32be8 |
| SHA256 | 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9 |
| SHA512 | a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041 |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\Net6DesktopRuntime64
| MD5 | 26d558f92be15a50d59b8261123de56b |
| SHA1 | b5b1819cca753b070181f50411375b80412860a3 |
| SHA256 | 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62 |
| SHA512 | 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea |
C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\MainMsi
| MD5 | 4e70ff7a831e48ab45c70c3754d68b70 |
| SHA1 | e3e2aa31c73740fa4b86e98646d2701c92fe982c |
| SHA256 | 99d86ae18806781c9f2855c1e2a827e1919a6b85db2b097519a1208eef4d0912 |
| SHA512 | 7b927cce79056361963eef287e89be01bc191f7e76d4b71592b32610a9e747697fe34e1f12d60aa6805bb42ca803c974c6cad15516a0a192e8d72d79dcd2a086 |
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
| MD5 | 703bd677778f2a1ba1eb4338bac3b868 |
| SHA1 | a176f140e942920b777f80de89e16ea57ee32be8 |
| SHA256 | 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9 |
| SHA512 | a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041 |
C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\ProgramData\Package Cache\{6cad862f-afe1-438f-bb94-c3e847bed3b1}\state.rsm
| MD5 | b37213e7fb19738364c81905e279b2e2 |
| SHA1 | 21f518f20e39ec24bd836881f622b21efea687fe |
| SHA256 | 5662d303f8a21bb8ea001fb39a15ea114684b8d40e3ca9ae940bb3aa01d16e40 |
| SHA512 | e1101bb558a3e2b2b6346b25c657797208a1f29107f559dd7ff6c0511f8b44abf16f34b527489509607746ca8e18ebe3f4258ea36fec54d3481589af316ecf8b |
C:\ProgramData\Package Cache\{6cad862f-afe1-438f-bb94-c3e847bed3b1}\ExpressVPN_12.49.0.4.exe
| MD5 | 6a25e359c5876cbb2695abb2f0242e76 |
| SHA1 | bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224 |
| SHA256 | f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8 |
| SHA512 | c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\vcRuntimeAdditional_x64
| MD5 | c214a9e931bbdd960bb48ac1a2b91945 |
| SHA1 | a640c55dd522e01d0be4307a5eee9a40f779a6cc |
| SHA256 | 1dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11 |
| SHA512 | d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
| MD5 | 62bc0f466e65d9219281cf75c8f91380 |
| SHA1 | 0826a1591b81acf0fe30d58e19b0a87df2a49a3e |
| SHA256 | 534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3 |
| SHA512 | 17713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\cab5046A8AB272BF37297BB7928664C9503
| MD5 | 45c9c674c0ba87f57168d6ab852e9641 |
| SHA1 | 73ace24362f14dc58d4099dae6e4e62902e9e950 |
| SHA256 | d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76 |
| SHA512 | 5bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684 |
C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\vcRuntimeMinimum_x64
| MD5 | df77fc41aa2f85ca423919e397084137 |
| SHA1 | 5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b |
| SHA256 | 51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2 |
| SHA512 | a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2 |
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230628065218_000_vcRuntimeMinimum_x64.log
| MD5 | d150d3c4104609f4dd15a7a2471255d4 |
| SHA1 | e359c03ab365ed448e2b6179cae6c8e6f7403454 |
| SHA256 | 427af7c9befa42018746b3d422b14a821d2fb673b313aade666118b051488959 |
| SHA512 | 3c2dac05df263d203b4b2e616a3879a4c456706ca2e35247b572ecd4c50d96a803ae5f2207837e6fa7dd6edf80b690e0674610d21003ce02ef3b7a3fd3cccd48 |
C:\Windows\Installer\e57caf3.msi
| MD5 | df77fc41aa2f85ca423919e397084137 |
| SHA1 | 5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b |
| SHA256 | 51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2 |
| SHA512 | a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2 |
C:\Config.Msi\e57cae6.rbs
| MD5 | de76a85fcab3604463e0aa16b62a57db |
| SHA1 | 55c46919a0a82a89cd2006d6d8b4e428cd56667f |
| SHA256 | b291f6947c14bbde14cee45d2b5f9426393d40690669ad171f7bf53f561a5d7b |
| SHA512 | 49a0b57c71e37fb18a514fcbe863689d9d8f3a27ab826e20570627bc801912628a0f1cc92cabe2191fc75ec469ceefc4ba7b6f5cfd494a9e4a7988acddcc48ff |
C:\Config.Msi\e57caf2.rbs
| MD5 | 74dcfa63a7e16bd4011fd2a5fb927e91 |
| SHA1 | 30f2c3fd9e6ce4543368e0be4572e9c17f579c5b |
| SHA256 | 84a90574b995db0a7db97adf956ad14c66c8eca8aebdd6e3b2f7171325a90a2b |
| SHA512 | b87d583a396fd95979bd04ce1978341690547c68c3716b114900059309bc326c4ebd8e154a3c51dc1c32bf20fe62387fdd41d3e2d0fa0098d28f8bc0560bd99e |
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230628065218_001_vcRuntimeAdditional_x64.log
| MD5 | e8ab7da3a1e0420c6450aa3d68a5b818 |
| SHA1 | dc82b486e21dc13c214b831817cb37a7494f3078 |
| SHA256 | 467ba36f91b948c1f0eb669a0ef20b355bfa346d45be79206d6abe909ac96316 |
| SHA512 | 621cc7a330f6e0c0d039895e4e0888dc33f998705f943a0714b4aef01bd1f84288a1348ab3bff01f5cd8d4e8d508b31b9bd2ccb1853331630a6cadfe50d17e8a |
C:\Config.Msi\e57caf9.rbs
| MD5 | 8da24b422ae13555697cc010a36d880b |
| SHA1 | e380616b49a3460f633719cb28fc0925f959aba5 |
| SHA256 | f129e96e2901d3171570053cd4e265b07e43b10d14790cd78c78d8caaa4d028b |
| SHA512 | f91060652f639d013ed31b5ace397fe3a2dd39b1645dc5099d584defc62d993f0de6a8e8365aed940a8e9ba22244a4b2e2303b17dd327ba8092b87e7ef613c66 |
C:\Config.Msi\e57cb08.rbs
| MD5 | fe01fa86e016c7c7614b21c65008fa10 |
| SHA1 | 93815057a8ec55b22f7bf44ea586d3ad141a897e |
| SHA256 | a069f34b1f44ec575dc4234dcf988ed5f43bc8a5294dd69ec2dc6fe21689c313 |
| SHA512 | 752b7338714f15b1c928e7ccb4bc97b4c892dae55bca6f03f7c012bc54ef97d6acf68263d0ae1f08b26c239a2bc1452a9f1afa491d70744b8c4bad1356350459 |
C:\Windows\Temp\{436E93DB-4FD6-443D-9514-70D652F572B1}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{436E93DB-4FD6-443D-9514-70D652F572B1}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 26d558f92be15a50d59b8261123de56b |
| SHA1 | b5b1819cca753b070181f50411375b80412860a3 |
| SHA256 | 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62 |
| SHA512 | 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea |
C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.ba\wixstdba.dll
| MD5 | 4356ee50f0b1a878e270614780ddf095 |
| SHA1 | b5c0915f023b2e4ed3e122322abc40c4437909af |
| SHA256 | 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104 |
| SHA512 | b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.ba\bg.png
| MD5 | 9eb0320dfbf2bd541e6a55c01ddc9f20 |
| SHA1 | eb282a66d29594346531b1ff886d455e1dcd6d99 |
| SHA256 | 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79 |
| SHA512 | 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\state.rsm
| MD5 | faf2b0bc3d91d980ac2da3fcc4396ca1 |
| SHA1 | 4aff5acf859628bbc8364e3ce4a444e5eb00ea6f |
| SHA256 | 3955b625e2a0330c9596d635a92d45ff7f7e2e8d31aa56c0078fcb440da59c55 |
| SHA512 | 2873864f356563826c0ce2eaea6c0f3a041e5d162f502242617312bf4c4a1ff3b73f27a6dcc56a7b6d2cf3ee8bcea2a673eaedfc066ab05656b3cc4f08c4f9f3 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_runtime_6.0.5_win_x64.msi
| MD5 | abf5dbc0196845d9c906189aa70d07ec |
| SHA1 | 4a6879976ca9d64a151e1679d0b08d975883a7b2 |
| SHA256 | f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1 |
| SHA512 | 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\windowsdesktop_runtime_6.0.5_win_x64.msi
| MD5 | bf16e0cb45daf8f291ecfa351cb0c3c2 |
| SHA1 | 1491de942eec40921a35f35aa377c2f8f7332c5b |
| SHA256 | 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c |
| SHA512 | a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_host_6.0.5_win_x64.msi
| MD5 | bdc10a6d27e4df71409c9cd8bc40d48c |
| SHA1 | 3cd9327008fc4bc8f76d9f8174bc6a1bbf4d7632 |
| SHA256 | ec6d27122faf6585fa4419284a95212102c54bbd7ee02bd56835a496039c70de |
| SHA512 | c60196e4f34efcaa62ac3bb750205b701d7434872fe9eb866a5d80ccab6cef879b35aab0d09c19d25cdbf2a3e19c23a4170a16033ad2fbd008dccc9a6530b1c9 |
C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_hostfxr_6.0.5_win_x64.msi
| MD5 | eef7d4eaa530df3288c03b8e6463aaa3 |
| SHA1 | 4d94b0073d5afeb1642a2f0da5c178f5765857b3 |
| SHA256 | cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711 |
| SHA512 | 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230628065238_000_dotnet_runtime_6.0.5_win_x64.msi.log
| MD5 | f203174bd684c81cdbf36d8813c7148a |
| SHA1 | ab674539f0b23a00ac626785215c5ad0b2c5fe21 |
| SHA256 | f83fb511d75f128fd453e488fd5c4edbe5067c880d766b6fd3e9e992968599c5 |
| SHA512 | fcee1cf8c09104e0695ba6c63c29c1a87013134652f4d1120b433aaa41d18e2839c2f409f30984b3e5469ae56b7ac97a90c245c2f8514f464f4f10af0b3cd63e |
C:\Windows\Installer\MSI30A4.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSI30A4.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\e57cb0e.msi
| MD5 | abf5dbc0196845d9c906189aa70d07ec |
| SHA1 | 4a6879976ca9d64a151e1679d0b08d975883a7b2 |
| SHA256 | f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1 |
| SHA512 | 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3 |
C:\Config.Msi\e57cb0d.rbs
| MD5 | 3a83bfb57c444578f6ce5f0d5b043c69 |
| SHA1 | df5258a023061a3a4ea4fd695a5f3363902f684b |
| SHA256 | 98ac882c096bccf6a5bdd78f052215df42579eb80fedb7eceeb2d3f89a99fe38 |
| SHA512 | 93e681deef06026d38522def34d16e95ae06098c69c6a230888d54ee1bab2517b51d7e9b4ee8386deb51747c119c8048a3fc62221e2e43279122ee1293ca3b7f |
C:\Windows\Installer\MSI516D.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSI5A28.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\e57cb0f.msi
| MD5 | eef7d4eaa530df3288c03b8e6463aaa3 |
| SHA1 | 4d94b0073d5afeb1642a2f0da5c178f5765857b3 |
| SHA256 | cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711 |
| SHA512 | 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823 |
C:\Config.Msi\e57cb12.rbs
| MD5 | 7dca594db7cdbcef607c00444abc0240 |
| SHA1 | 8df7731b07b92c88f6edc800ee84f18569963a8f |
| SHA256 | 6c43f46b1bab05eec21e2adc3f014dfafed50aec8ce33043572a7c14e49eff87 |
| SHA512 | 1837f0cb19ea284787b503a669b13b013112557e37c548e0d6082f9ee3aa912f6bb1456570f76588003e127df5431aa478f29569ca41f56bd7c073182a4b62e0 |
C:\Program Files\dotnet\LICENSE.txt
| MD5 | 31c5a77b3c57c8c2e82b9541b00bcd5a |
| SHA1 | 153d4bc14e3a2c1485006f1752e797ca8684d06d |
| SHA256 | 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d |
| SHA512 | ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6 |
C:\Program Files\dotnet\ThirdPartyNotices.txt
| MD5 | f77a4aecfaf4640d801eb6dcdfddc478 |
| SHA1 | 7424710f255f6205ef559e4d7e281a3b701183bb |
| SHA256 | d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7 |
| SHA512 | 1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b |
C:\Config.Msi\e57cb17.rbs
| MD5 | 4ed56f73cbc765854f47d73edb62273b |
| SHA1 | 32485de96f3da2fca9df5a2f1275c3b5aa563fb3 |
| SHA256 | da6fb2cff31fbc0177bdc93d3e93b87017bee3317084a468296d1e0de6b559bf |
| SHA512 | 933bc16c68562126f5cffa8267ef31265838332e31c4c8e2aea8ba3acac1c6527c67f67556589b997078c07e2df6190b2d276acc88010da8d0ddfdf9ac9b843b |
C:\Windows\Installer\e57cb1d.msi
| MD5 | bf16e0cb45daf8f291ecfa351cb0c3c2 |
| SHA1 | 1491de942eec40921a35f35aa377c2f8f7332c5b |
| SHA256 | 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c |
| SHA512 | a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8 |
C:\Config.Msi\e57cb1c.rbs
| MD5 | 0c0f2acd14dd389327e2c7520bd3a17b |
| SHA1 | 37962ebe61599aa57eaeef65eca6cf3109cc04f5 |
| SHA256 | 7ff821b37521f269ed465d0404a0970f60b6f2677ae200d151f53aa08dbe234f |
| SHA512 | ec2678630aaefe8a85b7f934f233233307301861fcb2735bfe5c8da44609d77ba6cc4e1a46b874e5757d7c6b1c638ed8a9a55f0574947c525b9e00b7984a66ea |
C:\Windows\Installer\MSI9B61.tmp-\Newtonsoft.Json.dll
| MD5 | 715a1fbee4665e99e859eda667fe8034 |
| SHA1 | e13c6e4210043c4976dcdc447ea2b32854f70cc6 |
| SHA256 | c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e |
| SHA512 | bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad |
memory/4892-1459-0x0000000005520000-0x000000000554E000-memory.dmp
memory/4892-1461-0x0000000005570000-0x0000000005586000-memory.dmp
memory/4892-1463-0x0000000005560000-0x0000000005568000-memory.dmp
memory/4892-1465-0x00000000055B0000-0x00000000055C8000-memory.dmp
memory/4892-1468-0x0000000005600000-0x000000000561C000-memory.dmp
memory/4892-1470-0x00000000056D0000-0x0000000005740000-memory.dmp
memory/4892-1472-0x0000000005660000-0x0000000005680000-memory.dmp
memory/4892-1474-0x0000000005680000-0x000000000568A000-memory.dmp
memory/4892-1476-0x0000000005690000-0x000000000569C000-memory.dmp
C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
C:\Windows\Installer\MSI9B61.tmp-\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
memory/4892-1583-0x00000000055D0000-0x00000000055E0000-memory.dmp
C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 1a5caea6734fdd07caa514c3f3fb75da |
| SHA1 | f070ac0d91bd337d7952abd1ddf19a737b94510c |
| SHA256 | cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca |
| SHA512 | a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1 |
C:\Windows\Installer\MSIAEAD.tmp-\CustomAction.config
| MD5 | c9c40af1656f8531eaa647caceb1e436 |
| SHA1 | 907837497508de13d5a7e60697fc9d050e327e19 |
| SHA256 | 1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8 |
| SHA512 | 0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7 |
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Client.Setup.CustomActions.dll
| MD5 | 0518aa303bed2ba39cf6b76fd5249ba9 |
| SHA1 | 8e4d5cd6efdc10324e2371952244f91be2222957 |
| SHA256 | 772bbfb85778b49b690ccf793e1c64f850a94416af513086c6c3a8f819e5b356 |
| SHA512 | 9bea6596f578a7bcf2f18f44d29542133a84baa16798ebbc43ed12e6ee57cc4ee6172f4ee60625b4f34caa063de311f09741a63b561b7c32354fc0c05d094ab4 |
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Client.Setup.Shared.dll
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Common.Logging.dll
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Common.Shared.dll
C:\Windows\Installer\MSIAEAD.tmp-\WixSharp.dll
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Utils.dll
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Utils.Wmi.dll
C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Client.Installer.dll
C:\Windows\Installer\MSIBD26.tmp
C:\Windows\Installer\MSIBD26.tmp-\BootstrapperCore.dll
C:\Windows\Installer\MSIBD26.tmp-\Google.Protobuf.dll
C:\Windows\Installer\MSIBD26.tmp-\Grpc.Core.Api.dll
C:\Windows\Installer\MSIBD26.tmp-\Grpc.Core.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.CommandLine.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.UserSecrets.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Json.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.FileExtensions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.EnvironmentVariables.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Binder.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Hosting.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Hosting.Abstractions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileProviders.Physical.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Http.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Configuration.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Console.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Debug.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.EventLog.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.EventSource.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Options.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.IdentityModel.Logging.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.IdentityModel.Abstractions.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Primitives.dll
C:\Windows\Installer\MSIBD26.tmp-\Microsoft.IdentityModel.Tokens.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Buffers.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Collections.Immutable.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Diagnostics.DiagnosticSource.dll
C:\Windows\Installer\MSIBD26.tmp-\System.IdentityModel.Tokens.Jwt.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Numerics.Vectors.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Reactive.Core.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Reactive.Interfaces.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Reflection.Metadata.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Reactive.Linq.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Text.Encodings.Web.dll
C:\Windows\Installer\MSIBD26.tmp-\System.Text.Json.dll
C:\Windows\Installer\MSIBD26.tmp-\System.ValueTuple.dll
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
C:\Windows\Installer\MSIC797.tmp-\System.IO.FileSystem.AccessControl.dll
C:\Windows\Installer\MSIC797.tmp-\System.Memory.dll
C:\Windows\Installer\MSIC797.tmp-\System.Runtime.CompilerServices.Unsafe.dll
C:\Windows\Installer\MSIC797.tmp-\System.Security.AccessControl.dll
C:\Windows\Installer\MSIC797.tmp-\System.Security.Principal.Windows.dll
C:\Windows\Installer\MSICC3C.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb
C:\Windows\Installer\MSICC3C.tmp-\DeviceId.dll
C:\Windows\Installer\MSICC3C.tmp-\ManagedWifi.dll
C:\Windows\Installer\MSICC3C.tmp-\log4net.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.Logging.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.JsonStream.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.InternalSdk.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.EventSource.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.CommonSdk.dll
C:\Windows\Installer\MSICC3C.tmp-\LaunchDarkly.ClientSdk.dll
C:\Windows\Installer\MSICC3C.tmp-\Kape.Braze.dll
C:\Windows\Installer\MSICC3C.tmp-\DeviceId.Windows.Wmi.dll
C:\Windows\Installer\MSICC3C.tmp-\DeviceId.Windows.dll
C:\Windows\Installer\MSICC3C.tmp-\MissingLinq.Linq2Management.dll
C:\Windows\Installer\MSICC3C.tmp-\NLog.dll
C:\Windows\Installer\MSICC3C.tmp-\Polly.Contrib.WaitAndRetry.dll
C:\Windows\Installer\MSICC3C.tmp-\Sentry.Extensions.Logging.dll
C:\Windows\Installer\MSICC3C.tmp-\System.Management.Automation.dll
C:\Windows\Installer\MSICC3C.tmp-\Sentry.dll
C:\Windows\Installer\MSICC3C.tmp-\WixSharp.UI.dll
C:\Windows\Installer\MSICC3C.tmp-\WixSharp.Msi.dll
C:\Windows\Installer\MSICC3C.tmp-\Polly.dll
C:\Windows\Installer\e57cb22.msi
C:\ProgramData\ExpressVPN\Config\p3d0hfrs.bin
C:\Config.Msi\e57cb21.rbs
C:\Windows\Installer\MSIFC6C.tmp
C:\Users\Admin\AppData\Local\Temp\DEL1FC.tmp
C:\Users\Admin\AppData\Local\Temp\DEL1FE.tmp
C:\Users\Admin\AppData\Local\Temp\DEL1FD.tmp
C:\Users\Admin\AppData\Local\Temp\DEL1EB.tmp
C:\Users\Admin\AppData\Local\Temp\DEL215.tmp
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.49.0.4\user.config
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.49.0.4\0gnnzczn.newcfg
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.49.0.4\ocqkz32q.newcfg
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.49.0.4\urt3hhot.newcfg
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.49.0.4\e1hatvyh.newcfg
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c5f6.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe59d586.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State