Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 26, 2024, 7:11 p.m.	June 26, 2024, 7:12 p.m.

Size	92.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`295d21696b6f6a24ef966b9e2018d5d4`
SHA256	`e0918810a97e028b79644adb0374cdbc7079945691baff00ca9375633ef24d67`
CRC32	`B07173D2`
ssdeep	`1572864:7X805BnJpWvJGiqAAiT94/p8ki6HP1p2qIgLD4ikSqLAyc1IWURq1AsNOgUPFdbF:7HnJIpAi6/+gHP1pBIg/MLg1f1wgUR4j`
PDB Path	C:\agent\_work\66\s\build\ship\x86\burn.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) CAB_file_format - CAB archive file UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

expressvpn_windows_12.82.0.89_release (1).exe "C:\Users\test22\AppData\Local\Temp\expressvpn_windows_12.82.0.89_release (1).exe"
2688
- expressvpn_windows_12.82.0.89_release (1).exe "C:\Windows\Temp\{D0448D13-C2A5-4408-90DD-966C9D37B77C}\.cr\expressvpn_windows_12.82.0.89_release (1).exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\expressvpn_windows_12.82.0.89_release (1).exe" -burn.filehandle.attached=200 -burn.filehandle.self=208
  2784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\agent\_work\66\s\build\ship\x86\burn.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2024, 7:11 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.wixburn

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 26, 2024, 7:11 p.m.	stacktrace: DllCanUnloadNow-0xb95 imjkapi+0xf2b1 @ 0x7328f2b1 DllCanUnloadNow-0x25c imjkapi+0xfbea @ 0x7328fbea DllCanUnloadNow-0x24b imjkapi+0xfbfb @ 0x7328fbfb DllCanUnloadNow-0x53b4 imjkapi+0xaa92 @ 0x7328aa92 DllCanUnloadNow-0x6b91 imjkapi+0x92b5 @ 0x732892b5 DllCanUnloadNow-0x5302 imjkapi+0xab44 @ 0x7328ab44 DllCanUnloadNow-0x53b4 imjkapi+0xaa92 @ 0x7328aa92 DllCanUnloadNow-0x5b6 imkrapi+0x9d6d @ 0x73fd9d6d DllCanUnloadNow-0x269 imkrapi+0xa0ba @ 0x73fda0ba DllCanUnloadNow-0x39a imkrapi+0x9f89 @ 0x73fd9f89 DllCanUnloadNow-0x18f9 imjkapi+0xe54d @ 0x7328e54d PropVariantCopy+0x37f CoFreeAllLibraries-0x2185 ole32+0x3bd44 @ 0x746fbd44 CoRegisterMessageFilter+0x4124 ObjectStublessClient5-0xf45 ole32+0x3a71d @ 0x746fa71d GetHGlobalFromStream+0x8a2 CLSIDFromProgID-0x5c5 ole32+0x24a77 @ 0x746e4a77 GetHGlobalFromStream+0x86b CLSIDFromProgID-0x5fc ole32+0x24a40 @ 0x746e4a40 GetHGlobalFromStream+0x700 CLSIDFromProgID-0x767 ole32+0x248d5 @ 0x746e48d5 NdrServerInitialize+0x240 NdrConformantArrayFree-0x342 rpcrt4+0x3586c @ 0x75c6586c NdrStubCall2+0x256 NdrUnmarshallBasetypeInline-0x301 rpcrt4+0xb05f1 @ 0x75ce05f1 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 84079204 registers.edi: 35429604 registers.eax: 35423932 registers.ebp: 84079244 registers.edx: 1330380898 registers.ebx: 0 registers.esi: 35454860 registers.ecx: 54337456	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 26, 2024, 7:11 p.m.

stacktrace:

DllCanUnloadNow-0xb95 imjkapi+0xf2b1 @ 0x7328f2b1
DllCanUnloadNow-0x25c imjkapi+0xfbea @ 0x7328fbea
DllCanUnloadNow-0x24b imjkapi+0xfbfb @ 0x7328fbfb
DllCanUnloadNow-0x53b4 imjkapi+0xaa92 @ 0x7328aa92
DllCanUnloadNow-0x6b91 imjkapi+0x92b5 @ 0x732892b5
DllCanUnloadNow-0x5302 imjkapi+0xab44 @ 0x7328ab44
DllCanUnloadNow-0x53b4 imjkapi+0xaa92 @ 0x7328aa92
DllCanUnloadNow-0x5b6 imkrapi+0x9d6d @ 0x73fd9d6d
DllCanUnloadNow-0x269 imkrapi+0xa0ba @ 0x73fda0ba
DllCanUnloadNow-0x39a imkrapi+0x9f89 @ 0x73fd9f89
DllCanUnloadNow-0x18f9 imjkapi+0xe54d @ 0x7328e54d
PropVariantCopy+0x37f CoFreeAllLibraries-0x2185 ole32+0x3bd44 @ 0x746fbd44
CoRegisterMessageFilter+0x4124 ObjectStublessClient5-0xf45 ole32+0x3a71d @ 0x746fa71d
GetHGlobalFromStream+0x8a2 CLSIDFromProgID-0x5c5 ole32+0x24a77 @ 0x746e4a77
GetHGlobalFromStream+0x86b CLSIDFromProgID-0x5fc ole32+0x24a40 @ 0x746e4a40
GetHGlobalFromStream+0x700 CLSIDFromProgID-0x767 ole32+0x248d5 @ 0x746e48d5
NdrServerInitialize+0x240 NdrConformantArrayFree-0x342 rpcrt4+0x3586c @ 0x75c6586c
NdrStubCall2+0x256 NdrUnmarshallBasetypeInline-0x301 rpcrt4+0xb05f1 @ 0x75ce05f1
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 84079204
registers.edi: 35429604
registers.eax: 35423932
registers.ebp: 84079244
registers.edx: 1330380898
registers.ebx: 0
registers.esi: 35454860
registers.ecx: 54337456

Creates executable files on the filesystem (50 out of 86 events)

file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Deployment.WindowsInstaller.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Text.Encodings.Web.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.CommonSdk.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\ExpressVpn.Common.Logging.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Options.ConfigurationExtensions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Security.AccessControl.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Console.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.IO.FileSystem.AccessControl.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Options.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\BootstrapperCore.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\NLog.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Diagnostics.DiagnosticSource.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\ExpressVPN.Common.Shared.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Primitives.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Reactive.Linq.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.CommandLine.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.ClientSdk.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Grpc.Core.Api.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Numerics.Vectors.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.Json.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.IdentityModel.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Threading.Tasks.Extensions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.JsonStream.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Http.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.Logging.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Hosting.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Reactive.Core.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Debug.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.IdentityModel.Tokens.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Memory.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.IdentityModel.Tokens.Jwt.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Google.Protobuf.dll
file	C:\Windows\Temp\{D0448D13-C2A5-4408-90DD-966C9D37B77C}\.cr\expressvpn_windows_12.82.0.89_release (1).exe
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Sentry.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.FileProviders.Physical.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Security.Principal.Windows.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\grpc_csharp_ext.x86.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Text.Json.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\WixSharp Setup.exe
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.IdentityModel.Logging.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Hosting.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\mbapreq.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.FileProviders.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.ServiceProcess.ServiceController.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.IdentityModel.JsonWebTokens.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Configuration.dll

Drops a binary and executes it (1 event)

file	C:\Windows\Temp\{D0448D13-C2A5-4408-90DD-966C9D37B77C}\.cr\expressvpn_windows_12.82.0.89_release (1).exe

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

MaxSecure

Win.MxResIcn.Heur.Gen

Deletes executed files from disk (1 event)

file	C:\Windows\Temp\{D0448D13-C2A5-4408-90DD-966C9D37B77C}\.cr\expressvpn_windows_12.82.0.89_release (1).exe

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 114 events)

file	C:\Windows\Temp\{D0448D13-C2A5-4408-90DD-966C9D37B77C}\.cr\expressvpn_windows_12.82.0.89_release (1).exe
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Deployment.WindowsInstaller.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1046\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Text.Encodings.Web.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1049\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.CommonSdk.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\ExpressVpn.Common.Logging.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1044\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Options.ConfigurationExtensions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Security.AccessControl.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Console.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.IO.FileSystem.AccessControl.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1035\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Options.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Security.Principal.Windows.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\BootstrapperCore.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\NLog.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Diagnostics.DiagnosticSource.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\ExpressVPN.Common.Shared.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1045\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\mbapreq.thm
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Primitives.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1060\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Reactive.Linq.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.CommandLine.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.ClientSdk.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Grpc.Core.Api.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Numerics.Vectors.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1031\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Configuration.Json.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\BootstrapperApplicationData.xml
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.IdentityModel.Abstractions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Threading.Tasks.Extensions.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.JsonStream.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1055\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1029\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Http.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\3082\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\LaunchDarkly.Logging.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Hosting.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Reactive.Core.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Microsoft.Extensions.Logging.Debug.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\1041\mbapreq.wxl
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.Memory.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\System.IdentityModel.Tokens.Jwt.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Google.Protobuf.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\Sentry.dll
file	C:\Windows\Temp\{0D634914-1775-4DDE-B564-E8C773D3DBD0}\.ba\BootstrapperCore.config

expressvpn_windows_12.82.0.89_release (1).exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All