Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Analysis ID: 1427216
MD5: 35a00ae36ee03f200bad5a922afacd04
SHA1: 05dd9e5eae8378394d9426fd97e18d2d485db3fa
SHA256: c99b0aea44483bd5145b0bd811ad6b0fe4b7aa5867a4f12e979fbbea9648ad02
Tags: exe

Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Antivirus detection for dropped file
Modifies the DNS server
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: C:\Program Files (x86)\PairVPN\is-GAJBA.tmp Avira: detection malicious, Label: HEUR/AGEN.1319028
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BY CONTINUING THIS INSTALLATION YOU AGREE TO BE BOUND BY ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.SOFTWARE LICENSE AGREEMENTThis Agreement is a license agreement between you and MOBILE COMPANY for the use of the enclosed software (PairVPN). PairVPN is protected by both United States and International copyright law. Therefore you must treat this license and PairVPN just like a book with the following exceptions: you agree pursuant to the license not to rent or lease PairVPN in any form. In addition you may not make any copies of PairVPN except that you may make one archival copy of PairVPN for the sole purpose of backing you your Software and protecting your Investment from loss. This copy must include all copyright notices on PairVPN. By saying "just like a book" MOBILE COMPANY means that PairVPN may be used under the license by any number of people and may be freely moved from one computer location to another so long as there is no possibility of its being used at one location while it is simultaneously used at another. For example just as a book cannot be read by two Different people in two different places at the same time neither can PairVPN be used by used (without violating this agreement) by two different people in two different places at the same time.This license is not a sale. Title and copyrights to PairVPN accompanying Documentation and any copy made by your remain with MOBILE COMPANY. 
Unauthorized copying of PairVPN or the accompanying Documentation or failure to comply with the above restrictions will result in automatic termination of this license and will make available to MOBILE COMPANY other legal remedies. Upon termination of this license you must return all copies of PairVPN to MOBILE COMPANY and erase any copies from your hard disk.Permitted usesYou may operate PairVPN on a single device provided you do not exceed the quantity of license purchased. Additional device utilizing PairVPN must be licensed by MOBILE COMPANY.Uses not permittedYou may not:Make copies of PairVPN except as permitted in this agreement.Make copies of Related Materials.Alter decompile disassemble or reverse user PairVPN.Remove or alter the MOBILE COMPANY copyright and trademark notices.Remove or alter the icons within PairVPNRent lease sub-license or transfer PairVPN Software copies Related Materials or yourrights under this license without the prior written consent of MOBILE COMPANY.MOBILE COMPANY is not responsible for any charges you may incur from your cellular provider as a result of using PairVPN. MOBILE COMPANY MAKES AND YOU RECEIVE NO WARRANTIES EXPRESS IMPLIED STATUTORY OR IN ANY COMMUNICATION WITH YOU AND MOBILE COMPANY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 45.33.111.235:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr
Source: Binary string: NetSetupuser.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupSvc.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupApi.pdb source: service.0.etl.8.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb"" source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: Z:\AllPairVPNGit\Windows\pveth\60\x64\Release\pveth.pdb source: pvextra.exe, 00000003.00000003.2258632091.0000024B76E41000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000005.00000003.2201598405.00000201173FA000.00000004.00000020.00020000.00000000.sdmp, SET39E7.tmp.3.dr, SET3B7E.tmp.5.dr, is-UADM2.tmp.2.dr
Source: Binary string: NetSetupApi.pdbdb source: service.0.etl.8.dr
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0558988 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_00007FF6B0558988
Source: global traffic HTTP traffic detected: GET /dev/install.php?err=t11037 HTTP/1.1Host: pairv.netCache-Control: no-cache
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pairv.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-2PSH3.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/Get
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/04/discovery
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/devprof
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pairv.net/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr String found in binary or memory: https://pairv.net/dev/install.php?err=t%d
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr String found in binary or memory: https://pairv.net/dev/install.php?err=t%d/uPairVPN_cls/twintrust.dllCryptCATAdminAcquireContext2
Source: pvextra.exe, 00000003.00000002.2275353729.0000024B75259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pairv.net/dev/install.php?err=t11037
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pairv.net/dev/install.php?err=t11037:
Source: pvextra.exe, 00000003.00000002.2275353729.0000024B75259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pairv.net/dev/install.php?err=t11037Provider
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pairv.net/dev/install.php?err=t11037z
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: https://pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: https://pairvpn.com%s/%ssvr_btn_offsession_pending_review_numsession_pending_review_msgInvalid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: https://www.google.com/maps/search/?api=1&query=%f%%2C%f
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr String found in binary or memory: https://www.google.com/maps/search/?api=1&query=%f%%2C%fcli_txt_clockInvalid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2366041316.00000000025D3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2070023257.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2074992354.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pairvpn.com.https://www.pairvpn.com.https://www.pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pairvpn.comQ6O
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: C:\Program Files (x86)\PairVPN\pvextra.exe File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.cat (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.cat (copy)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39C6.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B5C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\pveth\pveth.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\pveth\is-5S3BL.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\pveth.inf_amd64_4d971e32342dbc12
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B5C.tmp
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0551710 3_2_00007FF6B0551710
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0551060 3_2_00007FF6B0551060
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055C17C 3_2_00007FF6B055C17C
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0558988 3_2_00007FF6B0558988
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055BD50 3_2_00007FF6B055BD50
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05541E0 3_2_00007FF6B05541E0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05559B8 3_2_00007FF6B05559B8
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055FE48 3_2_00007FF6B055FE48
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0557708 3_2_00007FF6B0557708
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055DC5C 3_2_00007FF6B055DC5C
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-7A3OK.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-2PSH3.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=store
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000000.2069736995.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FE35000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002848000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: is-UADM2.tmp.2.dr Binary string: \Device\PVETH
Source: classification engine Classification label: sus30.spyw.evad.winEXE@14/32@1/1
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2632:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe File created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: pvextra.exe String found in binary or memory: https://pairv.net/dev/install.php?err=t%d
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Process created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp "C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Program Files (x86)\PairVPN\pvextra.exe "C:\Program Files (x86)\PairVPN\pvextra.exe" /d
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
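The process-creation entries above form one installer chain: the Desktop executable unpacks a second stage under %LOCALAPPDATA%\Temp (the is-XXXXX.tmp naming and the /SL5= switch are characteristic of Inno Setup installers), that stage launches pvextra.exe, a driver for pveth.inf is installed through the DeviceInstall service and drvinst.exe, and netsh opens an inbound allow rule for PairVPN.exe. The Python below is an added triage helper, not code from the report or from PairVPN: it parses lines in this report's "Source: ... Process created: ..." format, reconstructs parent/child ancestry, and flags the two behaviours a SOC analyst would want surfaced from such a tree, an inbound firewall allow rule added via netsh and a driver INF staged from a user-writable Temp directory. The regular expressions and the finding field names are this example's own assumptions; the sample lines in REPORT_LINES are copied from the entries above.

```python
"""Triage helper for sandbox 'Process created:' entries.

Added example, not code from the report or from PairVPN: it rebuilds the
process ancestry from lines in the report's own format and flags the two
installer behaviours that matter here (inbound firewall allow rule added
through netsh, driver INF staged from a user-writable Temp directory).
"""
import re

# Process-creation entries copied from the report (one per unique event).
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Process created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp "C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Program Files (x86)\PairVPN\pvextra.exe "C:\Program Files (x86)\PairVPN\pvextra.exe" /d
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# Patterns and finding field names below are this example's own assumptions.
ENTRY_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+"
    r"(?P<image>.+?\.(?:exe|tmp))\s+(?P<cmdline>.*)$",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
FIREWALL_ADD_RE = re.compile(r"advfirewall\s+firewall\s+add\s+rule\s+(?P<args>.*)", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_entries(text):
    """Return a dict with parent, image and cmdline for every well-formed entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def ancestry(entries, image):
    """Walk parent links from image up to the root ('unknown' in this report)."""
    parent_of = {e["image"].lower(): e["parent"] for e in entries}
    chain, cur, seen = [image], image, set()
    while cur.lower() in parent_of and cur.lower() not in seen:
        seen.add(cur.lower())
        cur = parent_of[cur.lower()]
        chain.append(cur)
    return list(reversed(chain))


def parse_netsh_rule(cmdline):
    """Return the key=value arguments of 'netsh advfirewall firewall add rule', or None."""
    m = FIREWALL_ADD_RE.search(cmdline)
    if not m:
        return None
    rule = {}
    for key, raw, quoted in KV_RE.findall(m.group("args")):
        rule[key.lower()] = quoted if raw.startswith('"') else raw
    return rule


def parse_drvinst(cmdline):
    """Pull INF paths and ROOT\\... device instance IDs out of a DrvInst.exe command line."""
    if not cmdline.lower().startswith("drvinst.exe"):
        return None
    args = re.findall(r'"([^"]*)"', cmdline)
    return {
        "infs": [a for a in args if a.lower().endswith(".inf")],
        "device_ids": [a for a in args if a.upper().startswith("ROOT\\")],
    }


def triage(text):
    """Return findings; each is a dict whose 'kind' names the flagged behaviour."""
    findings = []
    for e in parse_entries(text):
        image = e["image"].lower()
        if image.endswith("netsh.exe"):
            rule = parse_netsh_rule(e["cmdline"])
            if rule and rule.get("action", "").lower() == "allow":
                findings.append({
                    "kind": "firewall_allow_rule",
                    "parent": e["parent"],
                    "parent_in_user_temp": bool(USER_TEMP_RE.search(e["parent"])),
                    "name": rule.get("name"),
                    "direction": rule.get("dir"),
                    "program": rule.get("program"),
                })
        elif image.endswith("drvinst.exe"):
            drv = parse_drvinst(e["cmdline"])
            for inf in (drv["infs"] if drv else []):
                findings.append({
                    "kind": "driver_install",
                    "inf": inf,
                    "staged_from_user_temp": bool(USER_TEMP_RE.search(inf)),
                    "device_ids": drv["device_ids"],
                })
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_LINES):
        print(finding)
    print(" -> ".join(ancestry(parse_entries(REPORT_LINES), r"C:\Windows\SysWOW64\netsh.exe")))
```

On this sample the helper reports one inbound allow rule named PairVPN for C:\Program Files (x86)\PairVPN\PairVPN.exe, created by the second-stage installer running from the user's Temp directory, and two driver-install events: pveth.inf staged from a GUID-named Temp folder, then the published copy C:\Windows\INF\oem4.inf bound to device instance ROOT\PVETH\0000. The same parsing applies to any report in this format; only the two detections are specific to the behaviours seen here.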
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: spinf.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: drvstore.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cabinet.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupuser.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BY CONTINUING THIS INSTALLATION YOU AGREE TO BE BOUND BY ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.SOFTWARE LICENSE AGREEMENTThis Agreement is a license agreement between you and MOBILE COMPANY for the use of the enclosed software (PairVPN). PairVPN is protected by both United States and International copyright law. Therefore you must treat this license and PairVPN just like a book with the following exceptions: you agree pursuant to the license not to rent or lease PairVPN in any form. In addition you may not make any copies of PairVPN except that you may make one archival copy of PairVPN for the sole purpose of backing you your Software and protecting your Investment from loss. This copy must include all copyright notices on PairVPN. By saying "just like a book" MOBILE COMPANY means that PairVPN may be used under the license by any number of people and may be freely moved from one computer location to another so long as there is no possibility of its being used at one location while it is simultaneously used at another. For example just as a book cannot be read by two Different people in two different places at the same time neither can PairVPN be used by used (without violating this agreement) by two different people in two different places at the same time.This license is not a sale. Title and copyrights to PairVPN accompanying Documentation and any copy made by your remain with MOBILE COMPANY. Unauthorized copying of PairVPN or the accompanying Documentation or failure to comply with the above restrictions will result in automatic termination of this license and will make available to MOBILE COMPANY other legal remedies. Upon termination of this license you must return all copies of PairVPN to MOBILE COMPANY and erase any copies from your hard disk.Permitted usesYou may operate PairVPN on a single device provided you do not exceed the quantity of license purchased. Additional device utilizing PairVPN must be licensed by MOBILE COMPANY.Uses not permittedYou may not:Make copies of PairVPN except as permitted in this agreement.Make copies of Related Materials.Alter decompile disassemble or reverse user PairVPN.Remove or alter the MOBILE COMPANY copyright and trademark notices.Remove or alter the icons within PairVPNRent lease sub-license or transfer PairVPN Software copies Related Materials or yourrights under this license without the prior written consent of MOBILE COMPANY.MOBILE COMPANY is not responsible for any charges you may incur from your cellular provider as a result of using PairVPN. MOBILE COMPANY MAKES AND YOU RECEIVE NO WARRANTIES EXPRESS IMPLIED STATUTORY OR IN ANY COMMUNICATION WITH YOU AND MOBILE COMPANY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.BY CONTINUING THIS INSTALLATION YOU AGREE TO BE BOUND BY ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.SOFTWARE LICENSE AGREEMENTThis Agreement is a license agreement between you and MOBILE COMPANY for the use of the enclosed software (PairVPN). PairVPN is protected by both United States and International copyright law. Therefore you must treat this license and PairVPN just like a book with the following exceptions: you agree pursuant to the license not to rent or lease PairVPN in any form. In addition you may not make any copies of PairVPN except that you may make one archival copy of PairVPN for the sole purpose of backing you your Software and protecting your Investment from loss. This copy must include all copyright notices on PairVPN. By saying "just like a book" MOBILE COMPANY means that PairVPN may be used under the license by any number of people and may be freely moved from one computer location to another so long as there is no possibility of its being used at one location while it is simultaneously used at another. For example just as a book cannot be read by two Different people in two different places at the same time neither can PairVPN be used by used (without violating this agreement) by two different people in two different places at the same time.This license is not a sale. Title and copyrights to PairVPN accompanying Documentation and any copy made by your remain with MOBILE COMPANY. 
Unauthorized copying of PairVPN or the accompanying Documentation or failure to comply with the above restrictions will result in automatic termination of this license and will make available to MOBILE COMPANY other legal remedies. Upon termination of this license you must return all copies of PairVPN to MOBILE COMPANY and erase any copies from your hard disk.Permitted usesYou may operate PairVPN on a single device provided you do not exceed the quantity of license purchased. Additional device utilizing PairVPN must be licensed by MOBILE COMPANY.Uses not permittedYou may not:Make copies of PairVPN except as permitted in this agreement.Make copies of Related Materials.Alter decompile disassemble or reverse user PairVPN.Remove or alter the MOBILE COMPANY copyright and trademark notices.Remove or alter the icons within PairVPNRent lease sub-license or transfer PairVPN Software copies Related Materials or yourrights under this license without the prior written consent of MOBILE COMPANY.MOBILE COMPANY is not responsible for any charges you may incur from your cellular provider as a result of using PairVPN. MOBILE COMPANY MAKES AND YOU RECEIVE NO WARRANTIES EXPRESS IMPLIED STATUTORY OR IN ANY COMMUNICATION WITH YOU AND MOBILE COMPANY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static file information: File size 2341000 > 1048576
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr
Source: Binary string: NetSetupuser.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupSvc.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupApi.pdb source: service.0.etl.8.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb"" source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: Z:\AllPairVPNGit\Windows\pveth\60\x64\Release\pveth.pdb source: pvextra.exe, 00000003.00000003.2258632091.0000024B76E41000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000005.00000003.2201598405.00000201173FA000.00000004.00000020.00020000.00000000.sdmp, SET39E7.tmp.3.dr, SET3B7E.tmp.5.dr, is-UADM2.tmp.2.dr
Source: Binary string: NetSetupApi.pdbdb source: service.0.etl.8.dr
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0551710 lstrcmpiW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,GetModuleFileNameW,PathRemoveFileSpecW,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetCloseHandle,lstrcmpiW,FindWindowW,PostMessageW,Sleep,lstrcmpiW,CreateFileW,CloseHandle, 3_2_00007FF6B0551710
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: section name: .didata
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr Static PE information: section name: .didata
Source: is-7A3OK.tmp.2.dr Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\unins000.exe (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy) Jump to dropped file
Source: C:\Program Files (x86)\PairVPN\pvextra.exe File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\is-7A3OK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe File created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\pvextra.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\is-2PSH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\PairVPN.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\is-A2FHO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN\is-GAJBA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Program Files (x86)\PairVPN\pvextra.exe File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pveth Jump to behavior
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0551290 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,wcsstr,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CM_Get_DevNode_Status,SetupDiSetSelectedDevice,SetupDiCallClassInstaller,SetupDiDestroyDeviceInfoList, 3_2_00007FF6B0551290
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\unins000.exe (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy) Jump to dropped file
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-7A3OK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-2PSH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\PairVPN.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-A2FHO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp Jump to dropped file
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0558988 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 3_2_00007FF6B0558988
Source: setupapi.dev.log.3.dr Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.3.dr Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.3.dr Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.3.dr Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.3.dr Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.3.dr Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Created new service 'vmci'.
Source: is-A2FHO.tmp.2.dr Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb""
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.3.dr Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.3.dr Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E40000.00000004.00000020.00020000.00000000.sdmp, pvextra.exe, 00000003.00000002.2276030070.0000024B76E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: setupapi.dev.log.3.dr Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.3.dr Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.3.dr Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.3.dr Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.3.dr Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.3.dr Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: is-A2FHO.tmp.2.dr Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb
Source: setupapi.dev.log.3.dr Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.3.dr Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: is-GAJBA.tmp.2.dr Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb
Source: setupapi.dev.log.3.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.3.dr Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.3.dr Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.3.dr Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: svchost.exe, 00000008.00000003.2257828864.00000171C8917000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ethernetwlanppipvmnetextension98}
Source: setupapi.dev.log.3.dr Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.3.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.3.dr Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.3.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.3.dr Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: svchost.exe, 00000008.00000003.2256266081.00000171C891D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @vmnetextension
Source: setupapi.dev.log.3.dr Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.3.dr Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: is-2PSH3.tmp.2.dr Binary or memory string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: setupapi.dev.log.3.dr Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.3.dr Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.3.dr Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.3.dr Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.3.dr Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05521F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6B05521F0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055ADEC GetProcessHeap, 3_2_00007FF6B055ADEC
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05563A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6B05563A0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05523D4 SetUnhandledExceptionFilter, 3_2_00007FF6B05523D4
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B0551CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF6B0551CA0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B055F970 cpuid 3_2_00007FF6B055F970
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Queries volume information: C:\Program Files (x86)\PairVPN\pveth\pveth.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Code function: 3_2_00007FF6B05520D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00007FF6B05520D0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes

Stealing of Sensitive Information

Source: C:\Windows\System32\svchost.exe Registry value created: Jump to behavior