File name:	expressvpn-windows-x64-12.201.0.12153_release.exe
Full analysis:	https://app.any.run/tasks/0d0066d0-4d67-4420-acc3-8e6b05536ce8
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 07, 2026, 09:01:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer evasion ip-check rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	C58E271C1BDF7271D3CC432CC26F5A6D
SHA1:	04F3BCDBBF8E575CCBABE3509B9A874206261741
SHA256:	CE721F5B1EA67B25D3538D36FDFFECE18731F534084D1241B2829DB1B73AC3CE
SSDEEP:	393216:pr8QwiUpvTlFUl+TiiUFMMpVvKI4+Vr0PW4qnf:qiUpbtiiUF1vKI4+Vr0eZf

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:01:27 11:30:12+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	350720
InitializedDataSize:	41861632
UninitializedDataSize:	-
EntryPoint:	0x31fd0
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(7488) expressvpn-windows-x64-12.201.0.12153_release.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\expressvpn
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi
Operation:	write	Name:	Service
Value: expressvpn-pkf
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi
Operation:	write	Name:	CoServices
Value: expressvpn-pkf
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi
Operation:	write	Name:	HelpText
Value: ExpressVPN Packet Filter
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi
Operation:	write	Name:	FilterClass
Value: compression
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi
Operation:	write	Name:	FilterType
Value: 2
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi\Interfaces
Operation:	write	Name:	UpperRange
Value: noupper
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi\Interfaces
Operation:	write	Name:	LowerRange
Value: ndis5,ndis4
(PID) Process:	(1176) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6300\|expressvpn-pkf\|{8275E232-26AA-4657-BE2C-BB6236E637F3}\Ndi\Interfaces
Operation:	write	Name:	FilterMediaTypes
Value: ethernet, wan, ppip, bluetooth, ndis5, nolower

PID	Process	Filename		Type
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\brand.txt		text
		MD5:70EC61806218C2A865B9F8C90E4FC9F7	SHA256:AE86A1A2DED38947D89B86C42B2722F9CEA0AB0ACD463B3A870894115C296930
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\dco\win10\expressvpn-ovpn-dco.inf		text
		MD5:BBA08314602A5721EC6781B5F4231CF8	SHA256:62EABAD0E03319F313A86237C53BFBDCC580CFD9BFBC6B7DA4BF7F01F1CF19F1
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\browser_helper_wrapper.sh		text
		MD5:FE46C7C1F3360AC7B62BD935FD0837DB	SHA256:203F9063120EB8BA959EB9077FF8C8200CF5ECC56F4B19F9387EB326D2980C6A
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\firefox.com.expressvpn.helper.json		text
		MD5:DF8CEF13332ECE3C6A82DA79EF8CE70C	SHA256:2482C9CE3485998A34E52405F2532A5BF705E004821CA8EC3BB3FCB717AED72A
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\dco\win11\expressvpn-ovpn-dco.inf		text
		MD5:BBA08314602A5721EC6781B5F4231CF8	SHA256:62EABAD0E03319F313A86237C53BFBDCC580CFD9BFBC6B7DA4BF7F01F1CF19F1
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\LICENSE.txt		text
		MD5:0FBF3D8298E4D1E8D066E92AC854611A	SHA256:ADF9E7568BEB482832EFE9AB9BA0F2B279B67063831F8C051809D65F31F2484F
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\ndisapi.exp		binary
		MD5:23702EC17E026B7618F428FEFFEE1E74	SHA256:CFD6C3669558D41712ACFBC9D1B5AE531566667465F46C99CB86B19F96B24D01
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\architecture.txt		text
		MD5:0027F42E1E5DFCB4FD5F8F9C6DB89AF3	SHA256:7520B5A1B312EFDE4FD7E2793EF4BC0CF8F1C235F778D203AB7216A0E31B3880
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\chrome.com.expressvpn.helper.json		text
		MD5:B0D9BDDF0C1AA892C0188AA5089C4E7C	SHA256:D48895D1C03E5CD6E50BCC0119EC76F7DCD210CD2AEEB7F6B40343E53B39BC62
7488	expressvpn-windows-x64-12.201.0.12153_release.exe	C:\Program Files\ExpressVPN\qml\Qt5Compat\GraphicalEffects\BrightnessContrast.qml		text
		MD5:9B41E31F1BB236ED137D610E6CBD7BCE	SHA256:CB3A577549F0E66BE514A3AE34DF03336CA8DABB180FC087B3B04F46B5049B0F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8228	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.74:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown
—	—	POST	200	40.126.32.74:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown
—	—	POST	200	20.190.160.67:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	unknown
356	svchost.exe	POST	200	20.190.160.17:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	2.16.241.205:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	23.216.77.6:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3412	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
356	svchost.exe	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
self.events.data.microsoft.com	13.89.179.8 13.89.179.14	whitelisted
www.bing.com	2.16.241.205 2.16.241.206 2.16.241.207 2.16.241.222 2.16.241.204 2.16.241.218	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
google.com	142.250.187.238	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 23.216.77.42 2.16.168.124 2.16.168.114	whitelisted
login.live.com	20.190.160.17 20.190.160.14 20.190.160.5 20.190.160.2 40.126.32.140 20.190.160.67 40.126.32.68 20.190.160.4	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
clientstream.launchdarkly.com	3.33.235.18 15.197.213.252 13.248.151.210 76.223.31.44	whitelisted

PID	Process	Class	Message
2292	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
7288	expressvpn-service.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7288	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7288	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7288	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

General Info

expressvpn-windows-x64-12.201.0.12153_release.exe

C58E271C1BDF7271D3CC432CC26F5A6D

04F3BCDBBF8E575CCBABE3509B9A874206261741

CE721F5B1EA67B25D3538D36FDFFECE18731F534084D1241B2829DB1B73AC3CE

393216:pr8QwiUpvTlFUl+TiiUFMMpVvKI4+Vr0PW4qnf:qiUpbtiiUF1vKI4+Vr0eZf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

The process drops C-runtime libraries

Creates files in the driver directory

Starts SC.EXE for service management

Windows service management via SC.EXE

Executes as Windows Service

Checks for external IP

Possible stealing of VPN data

There is functionality for capture public ip (YARA)

INFO

Reads the computer name

Checks supported languages

Creates files in the program directory

The sample compiled with english language support

There is functionality for taking screenshot (YARA)

Drops script file

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files in the driver directory

Reads security settings of Internet Explorer

Reads the time zone

Creates a software uninstall entry

Creates files or folders in the user directory

Application based on Rust

Process checks computer location settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests