File name:	expressvpn-windows-x64-14.0.0.12844_release.exe
Full analysis:	https://app.any.run/tasks/ca50d3d9-474c-4bfa-8dc2-fe8ab8507be7
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 02, 2026, 14:25:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg stealer rust ip-check
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	B707E1E6E54033E42CB543EFD2A94304
SHA1:	7DA3928568DA29780B98ED0B44FE94495B6B3FF3
SHA256:	FC67EFA643530487F7A4D2E8F3A252BAAC9D9A24DE980000ED86FC73252C91DD
SSDEEP:	786432:IPa0Z6+nmTeB885sqCVwUPhDbGgSrnuMg+Xb:IPZZ6+MeW85sqCV/tGgjMg+L

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2026:04:01 15:15:49+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	352768
InitializedDataSize:	46169088
UninitializedDataSize:	-
EntryPoint:	0x32790
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(736) expressvpn-windows-x64-14.0.0.12844_release.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\expressvpn
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\expressvpn-pkf\Parameters
Operation:	write	Name:	NdisImPlatformBindingOptions
Value: 2
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi
Operation:	write	Name:	Service
Value: expressvpn-pkf
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi
Operation:	write	Name:	CoServices
Value: expressvpn-pkf
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi
Operation:	write	Name:	HelpText
Value: ExpressVPN Packet Filter
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi
Operation:	write	Name:	FilterClass
Value: compression
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi
Operation:	write	Name:	FilterType
Value: 2
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi\Interfaces
Operation:	write	Name:	UpperRange
Value: noupper
(PID) Process:	(508) netcfg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|1140\|expressvpn-pkf\|{5B0514CE-0DEF-4217-8D6E-F8737C3380DE}\Ndi\Interfaces
Operation:	write	Name:	LowerRange
Value: ndis5,ndis4

PID	Process	Filename		Type
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:29B6F5B855893E31FEC2E047AF1E5D1E	SHA256:F0B8675DAB58229B6C991F2CDF49178FDA0887BB49B5BEF9C29AF4874706506B
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:8ED4B6804EE25C5EE3EC4C8BBE6F37CC	SHA256:4EE9B580ACB5B899FF1D7CC17BF361054769C9E6E52B4AAF944C48D64017FC71
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:48F8B502D0FD36DB27DD88F79CBEA390	SHA256:F38A64B5F7A33CBE8CB30AA48AA455DCE48ABD50C48FAD1047F1588BF060DF54
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:CA8F7C07AEA56DBA888D022B80908453	SHA256:F012891183A5D3AA225AA11CC24A1574632F4CBF7C37AD64914D9AE33446AB2A
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:5C64252EB0A47295EAE3007567145C97	SHA256:059410AF8EC19939558A4959E22A40C20B5A83A4DF245ACAAF67F67D49617A66
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:7770E28BAEECE2430B0F59186461ABF6	SHA256:2E9E619DFCCA9A2C7D9603AFE1EB8AFB6B338B718B1BCFF880C758CEF34A97BE
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-memory-l1-1-0.dll		executable
		MD5:484C58C0D0E06B16FD30B4E2E9EEA750	SHA256:D3E4FC3FC45EFF9FA0C8982D30B28AF1BD0B93F1493DE4258E29C370B618027F
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:A8DC0EFB47C4219F18C0E741E7ABB357	SHA256:78639BC79EFAAB481A5D2B9D4E1FD05B458CBCCBD827542F638221D2F75EFF7C
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-localization-l1-2-0.dll		executable
		MD5:699AA1BB86C170E1628D951B35BEC144	SHA256:575E0D9072FBCD5E69216344370A698F7365D48A53F9A08782F2D8616D4243F3
736	expressvpn-windows-x64-14.0.0.12844_release.exe	C:\Program Files\ExpressVPN\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:29C053ADB9F27DD14BBAD21DE071E862	SHA256:386BEEDE6F3E50066C9B4EB785302232C2770232562765059FF311EBA219CAFB

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4872	svchost.exe	GET	200	23.216.77.32:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4872	svchost.exe	GET	200	23.58.106.108:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5532	SearchApp.exe	POST	204	92.123.104.50:443	https://www.bing.com/threshold/xls.aspx?t=5&dl=1&f=9&wsbc=1	unknown	—	—	whitelisted
7664	expressvpn-service.exe	GET	200	16.15.207.69:443	https://xv-client-json-configuration.s3.us-east-1.amazonaws.com/environment/production/version/1.0.2/language/en/form.json	US	text	33.7 Kb	unknown
5532	SearchApp.exe	POST	204	184.86.251.19:443	https://www.bing.com/threshold/xls.aspx?t=5&dl=1&f=9&wsbc=1	NL	—	—	whitelisted
7664	expressvpn-service.exe	GET	200	16.15.207.69:443	https://xv-client-json-configuration.s3.us-east-1.amazonaws.com/environment/production/platform/windows/version/1.0.0/rating/rating.json	US	text	814 b	unknown
7664	expressvpn-service.exe	GET	200	16.15.183.182:443	https://xv-client-json-configuration.s3.us-east-1.amazonaws.com/environment/production/platform/windows/version/1.0.0/referral/referral_global.json	US	text	160 b	unknown
—	—	POST	500	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted
3280	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	NL	binary	824 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.16:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4872	svchost.exe	23.216.77.32:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4872	svchost.exe	23.58.106.108:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5532	SearchApp.exe	184.86.251.19:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
7664	expressvpn-service.exe	3.33.235.18:443	clientstream.launchdarkly.com	AMAZON-02	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	184.86.251.16 184.86.251.19 184.86.251.11 184.86.251.10 184.86.251.25 184.86.251.27 184.86.251.5 184.86.251.8 184.86.251.28	whitelisted
google.com	142.251.14.139 142.251.14.101 142.251.14.138 142.251.14.102 142.251.14.100 142.251.14.113	whitelisted
crl.microsoft.com	23.216.77.32 23.216.77.33 23.216.77.6 23.216.77.30 23.216.77.29 23.216.77.5 23.216.77.27 23.216.77.28 23.216.77.25 23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.58.106.108 23.52.181.212	whitelisted
clientstream.launchdarkly.com	3.33.235.18 15.197.213.252 76.223.31.44 13.248.151.210	whitelisted
xv-client-json-configuration.s3.us-east-1.amazonaws.com	16.15.199.157 16.15.223.249 16.15.207.226 16.15.199.16 52.217.228.194 16.15.212.72 16.15.218.166 52.216.218.210	unknown
self.events.data.microsoft.com	104.208.16.90	whitelisted
mobile.launchdarkly.com	52.202.236.130 54.211.103.79 54.164.137.47 54.221.194.114 44.194.94.122 3.212.63.89 3.224.142.181 54.227.205.48	whitelisted

PID	Process	Class	Message
7664	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7664	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
—	—	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7664	expressvpn-service.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

General Info

expressvpn-windows-x64-14.0.0.12844_release.exe

B707E1E6E54033E42CB543EFD2A94304

7DA3928568DA29780B98ED0B44FE94495B6B3FF3

FC67EFA643530487F7A4D2E8F3A252BAAC9D9A24DE980000ED86FC73252C91DD

786432:IPa0Z6+nmTeB885sqCVwUPhDbGgSrnuMg+Xb:IPZZ6+MeW85sqCV/tGgjMg+L

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Windows service management via SC.EXE

The process drops C-runtime libraries

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Deletes a service using sc.exe

Executes as Windows Service

Possible stealing of VPN data

There is functionality for capture public ip (YARA)

INFO

Checks supported languages

Reads the computer name

The sample compiled with english language support

There is functionality for taking screenshot (YARA)

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files in the driver directory

Reads security settings of Internet Explorer

Reads the time zone

Creates a software uninstall entry

Launching a file from a Registry key

Manual execution by a user

Creates files or folders in the user directory

Application based on Rust

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings