Malware Analysis Report

2025-01-18 04:43

Sample ID 230817-zkg6badc58
Target https://www.expressvpn.com/clients/latest/windows
Tags
revengerat persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.expressvpn.com/clients/latest/windows was found to be: Known bad.

Malicious Activity Summary

revengerat persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies system certificate store

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-17 20:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-17 20:46

Reported

2023-08-17 21:00

Platform

win10v2004-20230703-en

Max time kernel

810s

Max time network

806s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.expressvpn.com/clients/latest/windows

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe N/A
N/A N/A C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe N/A
N/A N/A C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
N/A N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{CF9FF220-1487-4972-9DDE-A7686E67B971}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\lightway.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe N/A
N/A N/A C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{CF9FF220-1487-4972-9DDE-A7686E67B971}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32\ = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationService.exe\" -ToastActivated" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1b5f1335-d71c-41d7-b62a-26db1d5378b7} = "\"C:\\ProgramData\\Package Cache\\{1b5f1335-d71c-41d7-b62a-26db1d5378b7}\\ExpressVPN_12.55.0.27.exe\" /burn.runonce" C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ExpressVPNNotificationService = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationServiceStarter.exe\"" C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

File opened for modification C:\Windows\Installer\MSIE8C8.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133367788011191505" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\10EA62E1536592372BC00B2945329E52\23B875EDA4807E94E855F6853A57870C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{1b5f1335-d71c-41d7-b62a-26db1d5378b7} C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\PackageName = "vc_runtimeAdditional_x64.msi" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99D387C4\ProductIcon = "C:\\Windows\\Installer\\{E5B9C3E5-889C-4F22-A959-F4B8993D784C}\\app_icon.ico" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5E3C9B5EC98822F49A954F8B6DDC8703\5E3C9B5EC98822F49A954F8B99D387C4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{CF4C347D-954E-4543-88D2-EC17F07F466F}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Version = "237141179" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{089A177D-98AE-4195-A115-D3C45613B875}v48.23.40665\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\Version = "806854361" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1b5f1335-d71c-41d7-b62a-26db1d5378b7}\ = "{1b5f1335-d71c-41d7-b62a-26db1d5378b7}" C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\ProductName = "Microsoft .NET Host - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\ = "URL:ExpressVPN Protocol" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\AppUserModelId\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}/ExpressVPN/expressvpn-ui/ExpressVPNNotificationService.exe\CustomActivator = "{c1a51ea5-665e-cac3-4426-32d306a827af}" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\14DCC6E369B6DB74E8E17D5B39EC9E67\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{3E6CCD41-6B96-47BD-8E1E-D7B593CEE976}v48.23.40665\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Version = "806854395" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\B16A3B3F61CDA9242A06BDFA6E76149A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99D387C4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XDeviceID\{d644612c-0716-4e6f-b1df-cec7d37c698c} C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Version = "237141179" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\PackageCode = "3C57FB7C5C8A52B40956C723EAB175C1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\14DCC6E369B6DB74E8E17D5B39EC9E67 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99D387C4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c1a51ea5-665e-cac3-4426-32d306a827af}\RunAs = "Interactive User" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B8993D784C}\Dependents C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{1b5f1335-d71c-41d7-b62a-26db1d5378b7}\Version = "12.55.0.27" C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.23.40665_x64\Dependents C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\AppUserModelId\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}/ExpressVPN/expressvpn-ui/ExpressVPNNotificationService.exe\IconBackgroundColor = "FFDDDDDD" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 3844 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1080 wrote to memory of 2904 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1080 wrote to memory of 1980 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1080 wrote to memory of 4608 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.expressvpn.com/clients/latest/windows

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f3d59758,0x7ff8f3d59768,0x7ff8f3d59778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6004 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:8

C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe

"C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe"

C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe

"C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe" -burn.clean.room="C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe

"C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe" -q -burn.elevated BurnPipe.{49570176-4D22-432A-8D2B-0BFAC89CBDD7} {74782F81-BF4C-4CEE-BB42-7B28B0C6D19A} 4436

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=988 --field-trial-handle=1772,i,13472414582880991961,4109424661459038813,131072 /prefetch:2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=720 -burn.filehandle.self=560 /install /quiet /norestart

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B5EBB02E-B37A-40A2-8381-5118378C7431} {3E3DB672-9E2B-48B2-803B-DB1652A5781B} 1100

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{32D987DA-7954-4B7A-9B87-1283A0B0C8F0} {E3D29F4A-32C2-4291-910B-E40495B15A45} 216

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=488 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{32D987DA-7954-4B7A-9B87-1283A0B0C8F0} {E3D29F4A-32C2-4291-910B-E40495B15A45} 216

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{25ABA227-945E-4218-85FA-7C3A350D584B} {40D400FC-5686-4F47-8B68-EFBD18C51864} 4724

C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=1660 -burn.embedded BurnPipe.{A9F003A4-199F-473D-AF63-FA549F2C5F71} {68FCF115-DBF0-4BC8-B758-9ECB8CB9696B} 1548

C:\Windows\Temp\{CF9FF220-1487-4972-9DDE-A7686E67B971}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{CF9FF220-1487-4972-9DDE-A7686E67B971}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=676 /install /quiet /norestart -burn.filehandle.self=1660 -burn.embedded BurnPipe.{A9F003A4-199F-473D-AF63-FA549F2C5F71} {68FCF115-DBF0-4BC8-B758-9ECB8CB9696B} 1548

C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{FB5F31C5-13CE-4E4D-ABD9-3128C344C452} {D3B180D4-0CB3-4798-9868-766EB010B781} 2056

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3DBCC8C5C68112DB4C0AE0EF917307B8

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6904288F2478AF809E5A8F8653F5F723

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F18C62E7909EB4DEE9ECF4DDCB0B7FD6

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 827A87254247BEE8B1B1165A6F2E3829

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7711E5AE571DEFE9F3C0FA5ED3A16DED

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI8781.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240814109 26 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI9CA2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240819359 38 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SaveDogfoodWasInstalled

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 80F3D2076ECA4576E03F26C6005249BC E Global\MSI0000

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIA9C3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240823125 42 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIC0A8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240828593 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSICBE4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240831609 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSID2AB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240833218 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSID76F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240834406 61 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIDCC0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240835765 65 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIE4B0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240837812 69 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIE8C8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240838859 73 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"

C:\Program Files (x86)\ExpressVPN\services\lightway.exe

"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF4DE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240841953 77 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF84A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240842828 81 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIFFDD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240844765 91 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ujsrxts.com/order?utm_source=windows_app&utm_medium=apps&utm_campaign=app_buy_subscription&utm_content=not_activated_buy_a_subscription

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8de1146f8,0x7ff8de114708,0x7ff8de114718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5056166272283147975,850399216042904812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1

Network


Files

\??\pipe\crashpad_1080_TEZVTEOLBXBXUBAM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f6e21b8843e15f82c66959017406868d
SHA1 76c89aac50989b264635b147a81357479a6b3ce7
SHA256 a0c639cc86d90c56530daa377c2d3f95658fd604d589812a5320b45a1589392e
SHA512 bdffa0fb12044a43c08f67ad05c6d3afee2143bd8c46388fe6c4d160bd2308d5ec7cae9d8575013ab7e703fdc3e239f2fd79abf7aaa2dd7e6a559f523844ae8c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f610a724-3d24-451a-bf3c-950ab31886df.tmp

MD5 6132e73021472da2952c305a724dfaad
SHA1 044ce37a73cb1a9ae2d710b045a81933e3e1bdd5
SHA256 74abfd79eb47586e8d2956e6cd58d268e4e65f1d7ca9965786d4fb141b219ea1
SHA512 44a3df231150e72f45caa7d8046efe1a83e3b4577afe27cdc142f8d0ff7d4c20d80e5dca43ce5a3053667c3959d58de6f5a4f4f019e470ce3ab1e0597e8283f7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ce7f78d3260a56f2903c984daf6c46f3
SHA1 02c811db66f911d48c487fc889e98199e171c714
SHA256 09de4087cb0574d266d574a68d794eccc5177eb546de80b05f8193096e4f9830
SHA512 9612de6ae90c6ac8cda87aa7598ed8f43b9ba8520cb250b44e1f9aa812ccf4ae692b6cb3c56831e40f16abcf4619dce07b87ecac44bdd0876acf2c8d3b87485a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 7bc0aa3dc1755878e7b72cb57bb68917
SHA1 77904e2aa18ee878687d560e36d8f7334b855504
SHA256 571a42a566201e1bb034ae8b3bc1ff8aaee1239e72503265e62681f66b30e81e
SHA512 824d51bedf3cc6d61664bf75102c4835fb60f5570f674174316cb151ed409f3fcf984b179cf7a558d125e1632f729d9e2ebad561aef65e5a4dbd885314ccb7ba

C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe

MD5 01ea6bbb71d93bb90ff3eabddf487bd0
SHA1 251cddc2dfebc6adca191ba2f11fff3a4fef8746
SHA256 8644aab58a88f3490f6a1989b679d2e8a74309b8909d6fb4168470bc7023d0bc
SHA512 fbaaf23bd4cc2bd238c0b4f6634e70e769ae30e2ce8ff67d34898a1fc24da264b4cc5afbd5f740970d5614c5e9d7407a7e6009f4e3728de9db19bf4af0ad9be6

C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe

MD5 01ea6bbb71d93bb90ff3eabddf487bd0
SHA1 251cddc2dfebc6adca191ba2f11fff3a4fef8746
SHA256 8644aab58a88f3490f6a1989b679d2e8a74309b8909d6fb4168470bc7023d0bc
SHA512 fbaaf23bd4cc2bd238c0b4f6634e70e769ae30e2ce8ff67d34898a1fc24da264b4cc5afbd5f740970d5614c5e9d7407a7e6009f4e3728de9db19bf4af0ad9be6

C:\Users\Admin\Downloads\expressvpn_windows_12.55.0.27_release.exe

MD5 01ea6bbb71d93bb90ff3eabddf487bd0
SHA1 251cddc2dfebc6adca191ba2f11fff3a4fef8746
SHA256 8644aab58a88f3490f6a1989b679d2e8a74309b8909d6fb4168470bc7023d0bc
SHA512 fbaaf23bd4cc2bd238c0b4f6634e70e769ae30e2ce8ff67d34898a1fc24da264b4cc5afbd5f740970d5614c5e9d7407a7e6009f4e3728de9db19bf4af0ad9be6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 36a1da194454da90f8c62f635e68726b
SHA1 39b4a9a04009485ebea2ae9af154f939b46b1ea5
SHA256 2ffaf5ed242f4887194dd3447a84ffa7a2d62f92535db4e40fef6708afdda0c5
SHA512 b2e01059ab5f5ffe107220f95205b18be830afa90cc7fc404f733736e4e4f4506b7ce9bb62e4979156132de1b8e05fa994b8beb0a3056656f8498510f4fbe3cc

C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe

MD5 b63f7c2aef96808ed27afbc2d07e7319
SHA1 69f3cdefab1a690b0f4adc8e7bb98ef9fa3300d9
SHA256 c7388b14c3c5cd82252a60ee13844e7bbc81b6b635759475685f210e965fe9b5
SHA512 7d5ab33f55df2cfc9224f4acd67a86cbb15ec83d3ff8e5b04c5de442c75f303f0c64d44ddd01baf97f82905ffd45c773116bd8bd1eafd5bdd7d1aa5a49e5f526

C:\Windows\Temp\{90907AF7-96F0-48A8-8738-4636B7DA0D94}\.cr\expressvpn_windows_12.55.0.27_release.exe

MD5 b63f7c2aef96808ed27afbc2d07e7319
SHA1 69f3cdefab1a690b0f4adc8e7bb98ef9fa3300d9
SHA256 c7388b14c3c5cd82252a60ee13844e7bbc81b6b635759475685f210e965fe9b5
SHA512 7d5ab33f55df2cfc9224f4acd67a86cbb15ec83d3ff8e5b04c5de442c75f303f0c64d44ddd01baf97f82905ffd45c773116bd8bd1eafd5bdd7d1aa5a49e5f526

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 4bb0458b9b1b42c00439821eac340def
SHA1 006ed827271441fccb504d8b9568800e50ca1bdb
SHA256 e1d1c1440d48c4c1b0ea879230b3c0043c4f5889891a093b78ba327c3075d467
SHA512 c7afa3973b1471f01b64eeb7e47b2be24a4e4c2c429aeaac70205880aa596418bb2077ec423bf2fd524d6940d13e0be90483087bd4d5da3e4166f2adb89fc205

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589555.TMP

MD5 e25cea4b2d4c5079d056c470514225f2
SHA1 03d041f755a7fe5e40305bf3c5d04709113e3e4a
SHA256 2a76cba7a192dcb96f62261ebb310bbcec7c5910468a30e3e63c946528c373e5
SHA512 f1052398a2b6e29f2f99507293b98bfcf9052910cd645688976afe1ad90fb0ded3cd4d5ebea81f61621225a4c48b82c4521f2c11559d55d24e09d1582643ab89

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

memory/4436-349-0x0000000073DA0000-0x0000000074550000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/4436-355-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-356-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-354-0x0000000006560000-0x0000000006578000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\BootstrapperCore.config

MD5 a591cca57a0534087061bb7509208f80
SHA1 b16c4f3651308cbb6a01efc16ee376f6ef5068e0
SHA256 d1f7224eae4295cb89e21d4aaf6aff5f8cfe912090350d8c7a25c3022ee9f75a
SHA512 e416b4cb1b860c99dc5121dcf81bf38b8973d262e810f447ad5dcba33a6e2d485c62a675fc29e259a943174cf7a91d96a74af40787bb2db3336eefb2d41d94ae

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\WixSharp Setup.exe

MD5 306c76e7c9ebb185392f05089abe813c
SHA1 739fd057d6b90b84b3a7a887990de7e947ddb2d6
SHA256 64c8180576126a5284cac1478cfe5f9301c5da75c8435855a706ebf9a628d368
SHA512 8808069101cfb7c1d894797aec62c43c95358f71186b6472cda86f4e56cd8adb278971e3b22d0b5cd5a778e3af3cc7cc526bfd15f429696dee4f0b3256a6bd87

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\WixSharp Setup.exe

MD5 306c76e7c9ebb185392f05089abe813c
SHA1 739fd057d6b90b84b3a7a887990de7e947ddb2d6
SHA256 64c8180576126a5284cac1478cfe5f9301c5da75c8435855a706ebf9a628d368
SHA512 8808069101cfb7c1d894797aec62c43c95358f71186b6472cda86f4e56cd8adb278971e3b22d0b5cd5a778e3af3cc7cc526bfd15f429696dee4f0b3256a6bd87

memory/4436-363-0x0000000006B40000-0x0000000006CCA000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 e2ca3d32206d27ef62097196320b5149
SHA1 7eccaf65b4a4d27a40fae7bf74975cfc03e0f21a
SHA256 91227073892d648c36205f21dcdb8c77c619e8e88776d91721c9bc7aa338e1fa
SHA512 4f5bce725c9534db02c4afa4ed9638220a1ffd779bb4114334fa6eece36f630b5198d1ed168d5ecea7387cf29c7c9e14809ff452f0ae8bcb52ddb5b85dc44930

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 e2ca3d32206d27ef62097196320b5149
SHA1 7eccaf65b4a4d27a40fae7bf74975cfc03e0f21a
SHA256 91227073892d648c36205f21dcdb8c77c619e8e88776d91721c9bc7aa338e1fa
SHA512 4f5bce725c9534db02c4afa4ed9638220a1ffd779bb4114334fa6eece36f630b5198d1ed168d5ecea7387cf29c7c9e14809ff452f0ae8bcb52ddb5b85dc44930

memory/4436-367-0x0000000006AC0000-0x0000000006AC8000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

memory/4436-371-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVpn.Common.Logging.dll

MD5 0fb9bb66f522eabafe83121c422d66c5
SHA1 492ddeb7dde8283d549222d0966d3e23aa98fd8a
SHA256 0490afdd9b00d111362a104b07c553abfc6f53292336325b79f1649059940fdd
SHA512 ceeb40c2d3a35e404ee93f8e13f7e772353f1736d13efa5c878ec371cf462188a419aa8e6ac2e080b2f58fcea01eb45fd9425f4ba39b419a91965629ef500594

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVpn.Common.Logging.dll

MD5 0fb9bb66f522eabafe83121c422d66c5
SHA1 492ddeb7dde8283d549222d0966d3e23aa98fd8a
SHA256 0490afdd9b00d111362a104b07c553abfc6f53292336325b79f1649059940fdd
SHA512 ceeb40c2d3a35e404ee93f8e13f7e772353f1736d13efa5c878ec371cf462188a419aa8e6ac2e080b2f58fcea01eb45fd9425f4ba39b419a91965629ef500594

memory/4436-375-0x0000000006B10000-0x0000000006B28000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVPN.Common.Shared.dll

MD5 dd0a1c213076c88de018a6f3646564be
SHA1 01d5477fae492568f062305fd6ac3d17d9227b7c
SHA256 abc21001f94e57821c6fb89fe5f3f2aeebf2b2b236f41e6f520cdb9e9f9c2c77
SHA512 8c4d6218f9ac2e45faccf49b16361117c36eb54c4bb18a4213f4ffb9ccaf479baefbd0695a6a7e395e814eb5cf3a4cf6bf4bfc535ce2f5e5696d52329d8c72f4

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVPN.Common.Shared.dll

MD5 dd0a1c213076c88de018a6f3646564be
SHA1 01d5477fae492568f062305fd6ac3d17d9227b7c
SHA256 abc21001f94e57821c6fb89fe5f3f2aeebf2b2b236f41e6f520cdb9e9f9c2c77
SHA512 8c4d6218f9ac2e45faccf49b16361117c36eb54c4bb18a4213f4ffb9ccaf479baefbd0695a6a7e395e814eb5cf3a4cf6bf4bfc535ce2f5e5696d52329d8c72f4

memory/4436-379-0x0000000006CD0000-0x0000000006CEC000-memory.dmp

memory/4436-380-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVPN.Utils.dll

MD5 05b0fc5cb5b7a3aba8d0aa7a7b4afeca
SHA1 8ac8c654a53f00b7e7a5ee6801a122e17ac65a4c
SHA256 5328eedb03cefbb184915d01c1667e7b9c3fac0a91d52532f4fbddfb490de2ea
SHA512 7eb613f4f5f88867df493b184ac5c7f101008addc61bf3d14c2eda5ce46241bc77a41aff5a70ca324bfd06abea1607639b531ac6a32a954abb88d670aea25171

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\ExpressVPN.Utils.dll

MD5 05b0fc5cb5b7a3aba8d0aa7a7b4afeca
SHA1 8ac8c654a53f00b7e7a5ee6801a122e17ac65a4c
SHA256 5328eedb03cefbb184915d01c1667e7b9c3fac0a91d52532f4fbddfb490de2ea
SHA512 7eb613f4f5f88867df493b184ac5c7f101008addc61bf3d14c2eda5ce46241bc77a41aff5a70ca324bfd06abea1607639b531ac6a32a954abb88d670aea25171

memory/4436-384-0x0000000006D30000-0x0000000006D50000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

memory/4436-388-0x0000000006E50000-0x0000000006E68000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

memory/4436-392-0x0000000006B30000-0x0000000006B3A000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

memory/4436-396-0x0000000006D10000-0x0000000006D1A000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/4436-400-0x0000000006E80000-0x0000000006E90000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Newtonsoft.Json.dll

MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.ba\Newtonsoft.Json.dll

MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

memory/4436-404-0x00000000070A0000-0x0000000007152000-memory.dmp

memory/4436-407-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-408-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

memory/4436-409-0x0000000007060000-0x0000000007082000-memory.dmp

memory/4436-412-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-413-0x0000000009AF0000-0x0000000009AF8000-memory.dmp

memory/4436-414-0x000000000A000000-0x000000000A038000-memory.dmp

memory/4436-415-0x0000000009FE0000-0x0000000009FEE000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe

MD5 b63f7c2aef96808ed27afbc2d07e7319
SHA1 69f3cdefab1a690b0f4adc8e7bb98ef9fa3300d9
SHA256 c7388b14c3c5cd82252a60ee13844e7bbc81b6b635759475685f210e965fe9b5
SHA512 7d5ab33f55df2cfc9224f4acd67a86cbb15ec83d3ff8e5b04c5de442c75f303f0c64d44ddd01baf97f82905ffd45c773116bd8bd1eafd5bdd7d1aa5a49e5f526

memory/4436-419-0x000000000A230000-0x000000000A238000-memory.dmp

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe

MD5 b63f7c2aef96808ed27afbc2d07e7319
SHA1 69f3cdefab1a690b0f4adc8e7bb98ef9fa3300d9
SHA256 c7388b14c3c5cd82252a60ee13844e7bbc81b6b635759475685f210e965fe9b5
SHA512 7d5ab33f55df2cfc9224f4acd67a86cbb15ec83d3ff8e5b04c5de442c75f303f0c64d44ddd01baf97f82905ffd45c773116bd8bd1eafd5bdd7d1aa5a49e5f526

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\.be\ExpressVPN_12.55.0.27.exe

MD5 b63f7c2aef96808ed27afbc2d07e7319
SHA1 69f3cdefab1a690b0f4adc8e7bb98ef9fa3300d9
SHA256 c7388b14c3c5cd82252a60ee13844e7bbc81b6b635759475685f210e965fe9b5
SHA512 7d5ab33f55df2cfc9224f4acd67a86cbb15ec83d3ff8e5b04c5de442c75f303f0c64d44ddd01baf97f82905ffd45c773116bd8bd1eafd5bdd7d1aa5a49e5f526

memory/4436-429-0x0000000073DA0000-0x0000000074550000-memory.dmp

memory/4436-430-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-431-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-441-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-442-0x00000000066A0000-0x00000000066B0000-memory.dmp

memory/4436-443-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

memory/4436-444-0x00000000066A0000-0x00000000066B0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d10aca532765fa131b55eb54e1c7828d
SHA1 63edc327a1baaf251cd9bd4c514392429a47e811
SHA256 70db290029b0ff2a364c6e6665629aba372ed98607af15bd210be1a7a45411a2
SHA512 8ade296b54631a63b661c7a75cf199862ad94be54447cce49ae0ba88d0e4fb9fbd8161d5063dcdf5c5beaff4feda291a76e82c2bd7dc388e8990b0c113b1997f

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\VCRedist64

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\Net6DesktopRuntime64

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{1E9E2474-6687-44DF-A143-66AB8F106EC4}\MainMsi

MD5 3651558f6176021868c2c1d5f3e93fdc
SHA1 adfd4a85ea2d5b3305bb9f14e926c6b9fffef653
SHA256 551c605ea377acd967c5cf8d1d4b61bcbd4c3f3c738e49ad69c3ed1fbbafa4a7
SHA512 bfa8983b6b96833c345c0a969c96433e99fe264c4b2630c6847a723a172351ed7d1fb38f713d4fc4d8f11e705cd212bfb5808b0cb9e903d57b568438a170c5e2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\Windows\Temp\{01AB023E-EA9E-4443-A077-A920FB72CAAA}\.cr\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\.be\VC_redist.x64.exe

C:\ProgramData\Package Cache\{1b5f1335-d71c-41d7-b62a-26db1d5378b7}\state.rsm

C:\ProgramData\Package Cache\{1b5f1335-d71c-41d7-b62a-26db1d5378b7}\ExpressVPN_12.55.0.27.exe

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\vcRuntimeMinimum_x64

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\vcRuntimeAdditional_x64

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\cab5046A8AB272BF37297BB7928664C9503

C:\Windows\Temp\{2B46A6B7-4B45-4F53-A504-12242AC9A8C6}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230817204854_000_vcRuntimeMinimum_x64.log

C:\Windows\Installer\e59eecd.msi

C:\Config.Msi\e59eec0.rbs

C:\Config.Msi\e59eecc.rbs

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230817204854_001_vcRuntimeAdditional_x64.log

C:\Config.Msi\e59eed3.rbs

C:\Config.Msi\e59eee2.rbs

C:\Windows\Temp\{DFD81883-D135-4600-A5E3-F963BE013C6F}\.ba\wixstdba.dll

C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe

C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.ba\bg.png

C:\Windows\Temp\{36981485-B1B9-461F-9EB5-9C9462F2361D}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

C:\Windows\Installer\e59eee8.msi

C:\Config.Msi\e59eee7.rbs

C:\Windows\Installer\MSI47C0.tmp

C:\Windows\Installer\e59eee9.msi

C:\Config.Msi\e59eeec.rbs

C:\Program Files\dotnet\LICENSE.txt

C:\Program Files\dotnet\ThirdPartyNotices.txt

C:\Config.Msi\e59eef1.rbs

C:\Windows\Installer\e59eef7.msi

C:\Config.Msi\e59eef6.rbs

C:\Windows\Installer\MSI8781.tmp-\Newtonsoft.Json.dll

C:\Windows\Installer\MSI8781.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll

C:\Windows\Installer\MSI8781.tmp-\Microsoft.Bcl.AsyncInterfaces.dll

C:\Windows\Installer\MSI8781.tmp-\Microsoft.Extensions.DependencyInjection.dll

C:\Windows\Installer\MSI8781.tmp-\Microsoft.Extensions.Logging.Abstractions.dll

C:\Windows\Installer\MSI8781.tmp-\System.Threading.Tasks.Extensions.dll

C:\Windows\Installer\MSI9CA2.tmp-\Microsoft.Deployment.WindowsInstaller.dll

C:\Windows\Installer\MSI9CA2.tmp-\CustomAction.config

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVpn.Client.Setup.CustomActions.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVpn.Common.Logging.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVpn.Client.Setup.Shared.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVPN.Common.Shared.dll

C:\Windows\Installer\MSI9CA2.tmp-\WixSharp.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVPN.Utils.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVpn.Utils.Wmi.dll

C:\Windows\Installer\MSI9CA2.tmp-\ExpressVPN.Client.Installer.dll

C:\Windows\Installer\MSIA9C3.tmp

C:\Windows\Installer\MSIA9C3.tmp-\BootstrapperCore.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Google.Protobuf.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Grpc.Core.Api.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Grpc.Core.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.Abstractions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.Binder.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.CommandLine.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.FileExtensions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.Json.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Configuration.UserSecrets.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.FileProviders.Abstractions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.FileProviders.Physical.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.FileSystemGlobbing.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Hosting.Abstractions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Hosting.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Http.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.Configuration.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.Console.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.Debug.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.EventLog.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Logging.EventSource.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Options.ConfigurationExtensions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Options.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.Extensions.Primitives.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.IdentityModel.Abstractions.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.IdentityModel.JsonWebTokens.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.IdentityModel.Logging.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Microsoft.IdentityModel.Tokens.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Buffers.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Collections.Immutable.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Diagnostics.DiagnosticSource.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.IdentityModel.Tokens.Jwt.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Numerics.Vectors.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reactive.Core.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reactive.Interfaces.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reactive.Linq.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reflection.Metadata.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Text.Encodings.Web.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Text.Json.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.ValueTuple.dll

C:\Windows\Installer\MSIC0A8.tmp-\System.IO.FileSystem.AccessControl.dll

C:\Windows\Installer\MSIC0A8.tmp-\System.Memory.dll

C:\Windows\Installer\MSIC0A8.tmp-\System.Runtime.CompilerServices.Unsafe.dll

C:\Windows\Installer\MSIC0A8.tmp-\System.Security.AccessControl.dll

C:\Windows\Installer\MSIC0A8.tmp-\System.Security.Principal.Windows.dll

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe

C:\Windows\Installer\MSICBE4.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb

C:\Windows\Installer\MSICBE4.tmp-\DeviceId.Windows.Wmi.dll

C:\Windows\Installer\MSICBE4.tmp-\DeviceId.Windows.dll

C:\Windows\Installer\MSICBE4.tmp-\DeviceId.dll

C:\Windows\Installer\MSICBE4.tmp-\Kape.Braze.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.ClientSdk.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.CommonSdk.dll

C:\Windows\Installer\MSICBE4.tmp-\ManagedWifi.dll

C:\Windows\Installer\MSICBE4.tmp-\log4net.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.Logging.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.JsonStream.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.InternalSdk.dll

C:\Windows\Installer\MSICBE4.tmp-\LaunchDarkly.EventSource.dll

C:\Windows\Installer\MSICBE4.tmp-\MissingLinq.Linq2Management.dll

C:\Windows\Installer\MSICBE4.tmp-\Sentry.Extensions.Logging.dll

C:\Windows\Installer\MSICBE4.tmp-\Sentry.dll

C:\Windows\Installer\MSICBE4.tmp-\Polly.dll

C:\Windows\Installer\MSICBE4.tmp-\Polly.Contrib.WaitAndRetry.dll

C:\Windows\Installer\MSICBE4.tmp-\NLog.dll

C:\Windows\Installer\MSICBE4.tmp-\System.Management.Automation.dll

C:\Windows\Installer\MSICBE4.tmp-\WixSharp.UI.dll

C:\Windows\Installer\MSICBE4.tmp-\WixSharp.Msi.dll

C:\Windows\Installer\e59eefc.msi

C:\ProgramData\ExpressVPN\Config\p3d0hfrs.bin

C:\Config.Msi\e59eefb.rbs

C:\Windows\Installer\MSI404.tmp

C:\Users\Admin\AppData\Local\Temp\DEL9E1.tmp

C:\Users\Admin\AppData\Local\Temp\DEL9E2.tmp

C:\Users\Admin\AppData\Local\Temp\DEL9E4.tmp

C:\Users\Admin\AppData\Local\Temp\DEL9E3.tmp

C:\Users\Admin\AppData\Local\Temp\DEL9FA.tmp

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.55.0.27\user.config

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.55.0.27\kcskq5jg.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.55.0.27\lzpqr4is.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.55.0.27\rzg1ph0w.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.55.0.27\uv321azx.newcfg

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
