Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe

Overview

General Information

Sample name:SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Analysis ID:1427216
MD5:35a00ae36ee03f200bad5a922afacd04
SHA1:05dd9e5eae8378394d9426fd97e18d2d485db3fa
SHA256:c99b0aea44483bd5145b0bd811ad6b0fe4b7aa5867a4f12e979fbbea9648ad02
Tags:exe

Detection

Score:30
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Antivirus detection for dropped file
Modifies the DNS server
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables driver privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

  • System is w10x64
  • SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe (PID: 4544 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe" MD5: 35A00AE36EE03F200BAD5A922AFACD04)
    • SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp (PID: 2680 cmdline: "C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe" MD5: 74F03B0063ABA7C8CC9A8D4FED6B2381)
      • pvextra.exe (PID: 2912 cmdline: "C:\Program Files (x86)\PairVPN\pvextra.exe" /d MD5: CB12C48A9D14A5018DD07BBB8E71AC9A)
      • netsh.exe (PID: 5236 cmdline: "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 2632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5328 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 2852 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 6440 cmdline: DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • svchost.exe (PID: 2216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 5328, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: C:\Program Files (x86)\PairVPN\is-GAJBA.tmp | Avira: detection malicious, Label: HEUR/AGEN.1319028
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Window detected: License Agreement. Please read the following important information before continuing. Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation. BY CONTINUING THIS INSTALLATION YOU AGREE TO BE BOUND BY ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. SOFTWARE LICENSE AGREEMENT. This Agreement is a license agreement between you and MOBILE COMPANY for the use of the enclosed software (PairVPN). PairVPN is protected by both United States and International copyright law. Therefore you must treat this license and PairVPN just like a book with the following exceptions: you agree pursuant to the license not to rent or lease PairVPN in any form. In addition you may not make any copies of PairVPN except that you may make one archival copy of PairVPN for the sole purpose of backing you your Software and protecting your Investment from loss. This copy must include all copyright notices on PairVPN. By saying "just like a book" MOBILE COMPANY means that PairVPN may be used under the license by any number of people and may be freely moved from one computer location to another so long as there is no possibility of its being used at one location while it is simultaneously used at another. For example just as a book cannot be read by two Different people in two different places at the same time neither can PairVPN be used by used (without violating this agreement) by two different people in two different places at the same time. This license is not a sale. Title and copyrights to PairVPN accompanying Documentation and any copy made by your remain with MOBILE COMPANY.
Unauthorized copying of PairVPN or the accompanying Documentation or failure to comply with the above restrictions will result in automatic termination of this license and will make available to MOBILE COMPANY other legal remedies. Upon termination of this license you must return all copies of PairVPN to MOBILE COMPANY and erase any copies from your hard disk. Permitted uses: You may operate PairVPN on a single device provided you do not exceed the quantity of license purchased. Additional device utilizing PairVPN must be licensed by MOBILE COMPANY. Uses not permitted: You may not: Make copies of PairVPN except as permitted in this agreement. Make copies of Related Materials. Alter decompile disassemble or reverse user PairVPN. Remove or alter the MOBILE COMPANY copyright and trademark notices. Remove or alter the icons within PairVPN. Rent lease sub-license or transfer PairVPN Software copies Related Materials or your rights under this license without the prior written consent of MOBILE COMPANY. MOBILE COMPANY is not responsible for any charges you may incur from your cellular provider as a result of using PairVPN. MOBILE COMPANY MAKES AND YOU RECEIVE NO WARRANTIES EXPRESS IMPLIED STATUTORY OR IN ANY COMMUNICATION WITH YOU AND MOBILE COMPANY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 45.33.111.235:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr
Source: Binary string: NetSetupuser.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupSvc.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupApi.pdb source: service.0.etl.8.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb"" source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: Z:\AllPairVPNGit\Windows\pveth\60\x64\Release\pveth.pdb source: pvextra.exe, 00000003.00000003.2258632091.0000024B76E41000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000005.00000003.2201598405.00000201173FA000.00000004.00000020.00020000.00000000.sdmp, SET39E7.tmp.3.dr, SET3B7E.tmp.5.dr, is-UADM2.tmp.2.dr
Source: Binary string: NetSetupApi.pdbdb source: service.0.etl.8.dr
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0558988 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,3_2_00007FF6B0558988
Source: global traffic | HTTP traffic detected: GET /dev/install.php?err=t11037 HTTP/1.1 Host: pairv.net Cache-Control: no-cache
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: pairv.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-2PSH3.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/Get
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/04/discovery
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/devprof
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, is-2PSH3.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pairv.net/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr | String found in binary or memory: https://pairv.net/dev/install.php?err=t%d
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr | String found in binary or memory: https://pairv.net/dev/install.php?err=t%d/uPairVPN_cls/twintrust.dllCryptCATAdminAcquireContext2
Source: pvextra.exe, 00000003.00000002.2275353729.0000024B75259000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pairv.net/dev/install.php?err=t11037
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pairv.net/dev/install.php?err=t11037:
Source: pvextra.exe, 00000003.00000002.2275353729.0000024B75259000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pairv.net/dev/install.php?err=t11037Provider
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pairv.net/dev/install.php?err=t11037z
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: https://pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: https://pairvpn.com%s/%ssvr_btn_offsession_pending_review_numsession_pending_review_msgInvalid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: https://www.google.com/maps/search/?api=1&query=%f%%2C%f
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | String found in binary or memory: https://www.google.com/maps/search/?api=1&query=%f%%2C%fcli_txt_clockInvalid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr | String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2366041316.00000000025D3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2070023257.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2074992354.0000000003490000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.pairvpn.com.https://www.pairvpn.com.https://www.pairvpn.com
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.pairvpn.comQ6O
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.cat (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.cat (copy)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39C6.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B5C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\pveth\pveth.cat (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\pveth\is-5S3BL.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\pveth.inf_amd64_4d971e32342dbc12
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe | File deleted: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B5C.tmp
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551710 3_2_00007FF6B0551710
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551060 3_2_00007FF6B0551060
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055C17C 3_2_00007FF6B055C17C
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0558988 3_2_00007FF6B0558988
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055BD50 3_2_00007FF6B055BD50
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05541E0 3_2_00007FF6B05541E0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05559B8 3_2_00007FF6B05559B8
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055FE48 3_2_00007FF6B055FE48
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0557708 3_2_00007FF6B0557708
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055DC5C 3_2_00007FF6B055DC5C
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Process token adjusted: Load Driver
Source: C:\Windows\System32\svchost.exe | Process token adjusted: Security
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-7A3OK.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-2PSH3.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=store
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000000.2069736995.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FE35000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024B8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002848000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: is-UADM2.tmp.2.dr Binary string: \Device\PVETH
Source: classification engine Classification label: sus30.spyw.evad.winEXE@14/32@1/1
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Program Files (x86)\PairVPN
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2632:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe File created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: pvextra.exe String found in binary or memory: https://pairv.net/dev/install.php?err=t%d
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Process created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp "C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Program Files (x86)\PairVPN\pvextra.exe "C:\Program Files (x86)\PairVPN\pvextra.exe" /d
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Process created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: spinf.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: drvstore.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: cabinet.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\PairVPN\pvextra.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netsetupuser.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\svchost.exe Section loaded: spinf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: drvstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp Window detected: License Agreement. Please read the following important information before continuing. Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation. BY CONTINUING THIS INSTALLATION YOU AGREE TO BE BOUND BY ALL THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. SOFTWARE LICENSE AGREEMENT. This Agreement is a license agreement between you and MOBILE COMPANY for the use of the enclosed software (PairVPN). PairVPN is protected by both United States and International copyright law. Therefore you must treat this license and PairVPN just like a book with the following exceptions: you agree pursuant to the license not to rent or lease PairVPN in any form. In addition you may not make any copies of PairVPN except that you may make one archival copy of PairVPN for the sole purpose of backing you your Software and protecting your Investment from loss. This copy must include all copyright notices on PairVPN. By saying "just like a book" MOBILE COMPANY means that PairVPN may be used under the license by any number of people and may be freely moved from one computer location to another so long as there is no possibility of its being used at one location while it is simultaneously used at another. For example just as a book cannot be read by two Different people in two different places at the same time neither can PairVPN be used by used (without violating this agreement) by two different people in two different places at the same time. This license is not a sale. Title and copyrights to PairVPN accompanying Documentation and any copy made by your remain with MOBILE COMPANY.
Unauthorized copying of PairVPN or the accompanying Documentation or failure to comply with the above restrictions will result in automatic termination of this license and will make available to MOBILE COMPANY other legal remedies. Upon termination of this license you must return all copies of PairVPN to MOBILE COMPANY and erase any copies from your hard disk. Permitted uses: You may operate PairVPN on a single device provided you do not exceed the quantity of license purchased. Additional device utilizing PairVPN must be licensed by MOBILE COMPANY. Uses not permitted: You may not: Make copies of PairVPN except as permitted in this agreement. Make copies of Related Materials. Alter decompile disassemble or reverse user PairVPN. Remove or alter the MOBILE COMPANY copyright and trademark notices. Remove or alter the icons within PairVPN. Rent lease sub-license or transfer PairVPN Software copies Related Materials or your rights under this license without the prior written consent of MOBILE COMPANY. MOBILE COMPANY is not responsible for any charges you may incur from your cellular provider as a result of using PairVPN. MOBILE COMPANY MAKES AND YOU RECEIVE NO WARRANTIES EXPRESS IMPLIED STATUTORY OR IN ANY COMMUNICATION WITH YOU AND MOBILE COMPANY SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static file information: File size 2341000 > 1048576
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr
Source: Binary string: NetSetupuser.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupSvc.pdb source: service.0.etl.8.dr
Source: Binary string: NetSetupApi.pdb source: service.0.etl.8.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb"" source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr
Source: Binary string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000002.2367358119.000000000018C000.00000004.00000010.00020000.00000000.sdmp, is-A2FHO.tmp.2.dr
Source: Binary string: Z:\AllPairVPNGit\Windows\pveth\60\x64\Release\pveth.pdb source: pvextra.exe, 00000003.00000003.2258632091.0000024B76E41000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000005.00000003.2201598405.00000201173FA000.00000004.00000020.00020000.00000000.sdmp, SET39E7.tmp.3.dr, SET3B7E.tmp.5.dr, is-UADM2.tmp.2.dr
Source: Binary string: NetSetupApi.pdbdb source: service.0.etl.8.dr
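The PDB paths listed above are recovered from CodeView debug records (the "RSDS" form) that the linker embeds in each PE, and they survive in the dropped files and in the .sdmp memory dumps the report cites. The following Python is an added example, not code from the Joe Sandbox report or from the PairVPN project: it scans a raw byte buffer for RSDS records, extracts the build path, and derives the symbol-server key (GUID plus age) that lets an analyst pivot on the build. The sample record is constructed inline; only the path is taken from the report, while the GUID and age are made-up values.

```python
import re
import struct
import uuid

# Constructed sample: the PDB path is the one the report recovered from
# pvextra.exe; the GUID and age are made-up values for this example.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_AGE = 3
SAMPLE_PDB = r"C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb"


def build_rsds(guid, age, pdb_path):
    """Serialise a CodeView RSDS record the way the MSVC linker lays it out:
    'RSDS' | GUID (16 bytes, Windows little-endian field order) | age (uint32 LE) | path NUL."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


# Pad the record with junk on both sides so the scanner has to locate it.
SAMPLE_BLOB = b"\x00" * 37 + b"MZ" + build_rsds(SAMPLE_GUID, SAMPLE_AGE, SAMPLE_PDB) + b"\xff" * 11


def find_rsds_records(blob):
    """Yield (pdb_path, guid, age) for every RSDS record in a raw byte buffer,
    so it works on a file on disk as well as on a memory dump."""
    for match in re.finditer(b"RSDS", blob):
        off = match.end()
        if off + 20 > len(blob):
            continue
        guid = uuid.UUID(bytes_le=blob[off:off + 16])
        (age,) = struct.unpack("<I", blob[off + 16:off + 20])
        end = blob.find(b"\x00", off + 20)
        if end == -1:
            continue
        path = blob[off + 20:end].decode("utf-8", errors="replace")
        # Skip false positives: the literal "RSDS" can occur in ordinary data.
        if path.lower().endswith(".pdb"):
            yield path, guid, age


def symbol_server_key(guid, age):
    """Key a symbol server expects: the GUID as 32 uppercase hex digits followed by the age in hex."""
    return f"{guid.hex.upper()}{age:X}"


def summarize(blob):
    """Return one dict per record with the build directory and the symsrv path."""
    results = []
    for path, guid, age in find_rsds_records(blob):
        file_name = path.rsplit("\\", 1)[-1]
        results.append({
            "pdb_path": path,
            "build_dir": path.rsplit("\\", 1)[0],
            "symsrv_path": f"{file_name}/{symbol_server_key(guid, age)}/{file_name}",
        })
    return results


if __name__ == "__main__":
    for rec in summarize(SAMPLE_BLOB):
        print(rec)
```

The build directory is the part worth keeping: the same C:\vmware\AllPairVPNGit\Windows prefix appears in three of the dropped binaries and the Z:\AllPairVPNGit prefix in the driver, which ties all of them to one build tree even before their signatures are compared.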
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551710 lstrcmpiW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,GetModuleFileNameW,PathRemoveFileSpecW,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetCloseHandle,lstrcmpiW,FindWindowW,PostMessageW,Sleep,lstrcmpiW,CreateFileW,CloseHandle,3_2_00007FF6B0551710
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Static PE information: section name: .didata
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr | Static PE information: section name: .didata
Source: is-7A3OK.tmp.2.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\unins000.exe (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\is-7A3OK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | File created: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\pvextra.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\is-2PSH3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\PairVPN.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\is-A2FHO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Program Files (x86)\PairVPN\is-GAJBA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | File created: C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | File created: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp
Source: C:\Windows\System32\drvinst.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pveth
Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 identical events)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Process information set: NOOPENFILEERRORBOX (3 identical events)
Source: C:\Windows\System32\drvinst.exe | Process information set: NOOPENFILEERRORBOX (41 identical events)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical events)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551290 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,wcsstr,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CM_Get_DevNode_Status,SetupDiSetSelectedDevice,SetupDiCallClassInstaller,SetupDiDestroyDeviceInfoList,3_2_00007FF6B0551290
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\unins000.exe (copy)
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy)
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-7A3OK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-2PSH3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\PairVPN.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\PairVPN\is-A2FHO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy)
Source: C:\Windows\System32\drvinst.exe | Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0558988 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,3_2_00007FF6B0558988
Source: setupapi.dev.log.3.dr | Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.3.dr | Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.3.dr | Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.3.dr | Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Created new service 'vmci'.
Source: is-A2FHO.tmp.2.dr | Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb""
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.3.dr | Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.3.dr | Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E40000.00000004.00000020.00020000.00000000.sdmp, pvextra.exe, 00000003.00000002.2276030070.0000024B76E68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.3.dr | Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.3.dr | Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.3.dr | Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.3.dr | Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: is-A2FHO.tmp.2.dr | Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvservice\x64\Release\pvservice.pdb
Source: setupapi.dev.log.3.dr | Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.3.dr | Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: is-GAJBA.tmp.2.dr | Binary or memory string: C:\vmware\AllPairVPNGit\Windows\pvextra\x64\Release\pvextra.pdb
Source: setupapi.dev.log.3.dr | Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.3.dr | Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.3.dr | Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: svchost.exe, 00000008.00000003.2257828864.00000171C8917000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @ethernetwlanppipvmnetextension98}
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.3.dr | Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.3.dr | Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.3.dr | Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: svchost.exe, 00000008.00000003.2256266081.00000171C891D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @vmnetextension
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: is-2PSH3.tmp.2.dr | Binary or memory string: C:\vmware\AllPairVPNGit\Windows\PairVPN2_Windows\Release\PairVPN2.pdb
Source: pvextra.exe, 00000003.00000002.2276030070.0000024B76E68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: setupapi.dev.log.3.dr | Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.3.dr | Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.3.dr | Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.3.dr | Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.3.dr | Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05521F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF6B05521F0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551710 lstrcmpiW,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,GetModuleFileNameW,PathRemoveFileSpecW,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetCloseHandle,lstrcmpiW,FindWindowW,PostMessageW,Sleep,lstrcmpiW,CreateFileW,CloseHandle,3_2_00007FF6B0551710
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055ADEC GetProcessHeap,3_2_00007FF6B055ADEC
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05521F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF6B05521F0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05563A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF6B05563A0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05523D4 SetUnhandledExceptionFilter,3_2_00007FF6B05523D4
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF6B0551CA0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B055F970 cpuid 3_2_00007FF6B055F970
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B0551290 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,wcsstr,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CM_Get_DevNode_Status,SetupDiSetSelectedDevice,SetupDiCallClassInstaller,SetupDiDestroyDeviceInfoList,3_2_00007FF6B0551290
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Queries volume information: C:\Program Files (x86)\PairVPN\pveth\pveth.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.cat VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Code function: 3_2_00007FF6B05520D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00007FF6B05520D0
Source: C:\Program Files (x86)\PairVPN\pvextra.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | Process created: C:\Windows\SysWOW64\netsh.exe "netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes
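The netsh command above is the kind of evidence a detection engineer turns into a rule: an installer adding an inbound allow rule for its own executable, with no profile= argument, so it applies to every firewall profile. The following parser is an added example written for this report, not Joe Sandbox or PairVPN code. It assumes its input is a list of process command lines as logged by Sysmon Event ID 1 or Security event 4688; the first sample line is the exact command from the report, all other sample lines are constructed. It classifies the current advfirewall syntax as well as the deprecated netsh firewall context, which current Windows builds still accept.

```python
"""Flag netsh invocations that open or switch off the Windows firewall.

Added example for this sandbox report (not Joe Sandbox or PairVPN code).
Input: process command lines as logged by Sysmon Event ID 1 / Security 4688.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# key=value / key="quoted value" arguments, quoted words, or bare words
_ARG_RE = re.compile(
    r'(?P<key>[A-Za-z]+)=(?:"(?P<qval>[^"]*)"|(?P<val>\S+))'
    r'|"(?P<qword>[^"]*)"'
    r'|(?P<word>\S+)'
)


@dataclass(frozen=True)
class Finding:
    kind: str                 # what the command does to the firewall
    program: Optional[str]    # executable the rule allows, if any
    rule_name: Optional[str]
    direction: Optional[str]  # "in" / "out" for rule operations
    cmdline: str


def tokenize(cmdline: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a command line into positional words and lower-cased key=value arguments."""
    words: List[str] = []
    kv: Dict[str, str] = {}
    for m in _ARG_RE.finditer(cmdline):
        if m.group("key"):
            value = m.group("qval") if m.group("qval") is not None else m.group("val")
            kv[m.group("key").lower()] = value
        else:
            words.append(m.group("qword") if m.group("qword") is not None else m.group("word"))
    return words, kv


def _is_netsh(image: str) -> bool:
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base in ("netsh", "netsh.exe")


def analyze(cmdline: str) -> Optional[Finding]:
    """Return a Finding for firewall-weakening netsh commands, else None."""
    words, kv = tokenize(cmdline)
    if not words or not _is_netsh(words[0]):
        return None
    verbs = [w.lower() for w in words[1:]]
    action = kv.get("action", "").lower()
    enable = kv.get("enable", "").lower()
    direction = kv.get("dir", "").lower() or None

    # Current syntax: netsh advfirewall firewall add rule ... action=allow
    if verbs[:4] == ["advfirewall", "firewall", "add", "rule"] and action == "allow":
        return Finding("advfirewall_allow_rule", kv.get("program"), kv.get("name"), direction, cmdline)
    # Loosening or re-enabling an existing rule
    if verbs[:4] == ["advfirewall", "firewall", "set", "rule"] and (action == "allow" or enable == "yes"):
        return Finding("advfirewall_rule_modified", kv.get("program"), kv.get("name"), direction, cmdline)
    # Switching a whole profile off: netsh advfirewall set <profile> state off
    if verbs[:2] == ["advfirewall", "set"] and "state" in verbs and verbs[-1] == "off":
        return Finding("advfirewall_disabled", None, None, None, cmdline)
    # Deprecated 'netsh firewall' context; its exceptions are inbound only
    if verbs[:3] == ["firewall", "add", "allowedprogram"]:
        program = kv.get("program") or (words[4] if len(words) > 4 else None)
        return Finding("legacy_allowedprogram", program, kv.get("name"), "in", cmdline)
    if verbs[:3] == ["firewall", "set", "opmode"] and ("disable" in verbs or kv.get("mode", "").lower() == "disable"):
        return Finding("legacy_firewall_disabled", None, None, None, cmdline)
    return None


def scan(cmdlines: List[str]) -> List[Finding]:
    return [f for f in map(analyze, cmdlines) if f is not None]


# Constructed sample: line 0 is the report's own command line, the rest are made up.
SAMPLE_CMDLINES = [
    r'"netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes',
    r'netsh advfirewall set allprofiles state off',
    r'C:\Windows\System32\netsh.exe firewall add allowedprogram program="C:\Users\user\AppData\Local\Temp\svc.exe" name="Updater" mode=ENABLE',
    r'netsh interface ip show config',
    r'netsh advfirewall firewall add rule name="Block C2" dir=out action=block remoteip=203.0.113.5',
    r'netsh advfirewall firewall set rule name="PairVPN" new enable=yes action=allow',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.kind:28s} rule={f.rule_name!r} dir={f.direction} program={f.program!r}")
```

Feed it the CommandLine field of your process-creation events; the block rule (action=block) and the interface query are deliberately left unflagged so the rule fires only on changes that widen access or disable enforcement.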

Stealing of Sensitive Information

Source: C:\Windows\System32\svchost.exe | Registry value created:
MITRE ATT&CK Matrix

Only techniques with a numeric badge are listed; the badge is the number the report renders next to the technique. All other cells of the 14-tactic matrix were empty for this sample.

Tactic | Technique | Badge
Execution | Command and Scripting Interpreter | 2
Execution | Native API | 1
Persistence | Windows Service | 2
Persistence | LSASS Driver | 1
Persistence | DLL Side-Loading | 1
Privilege Escalation | Windows Service | 2
Privilege Escalation | Process Injection | 1
Privilege Escalation | LSASS Driver | 1
Privilege Escalation | DLL Side-Loading | 1
Defense Evasion | Masquerading | 32
Defense Evasion | Disable or Modify Tools | 2
Defense Evasion | Process Injection | 1
Defense Evasion | DLL Side-Loading | 1
Defense Evasion | File Deletion | 1
Discovery | System Time Discovery | 1
Discovery | Query Registry | 1
Discovery | Security Software Discovery | 21
Discovery | Process Discovery | 1
Discovery | System Owner/User Discovery | 2
Discovery | File and Directory Discovery | 1
Discovery | System Information Discovery | 33
Collection | Archive Collected Data | 1
Command and Control | Encrypted Channel | 11
Command and Control | Ingress Tool Transfer | 1
Command and Control | Non-Application Layer Protocol | 2
Command and Control | Application Layer Protocol | 3

No technique was matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph

Behavior Graph ID: 1427216 | Sample: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | Start date: 17/04/2024 | Architecture: WINDOWS | Score: 30

Process tree reconstructed from the graph. Numbers in parentheses are the per-process badges from the graph (created registry values / created files); "PE32" and "PE32+" are the file types the graph shows for dropped files.

SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe (2)
    DNS: pairv.net
    Signature: Antivirus detection for dropped file
    Dropped: SecuriteInfo.com.H...028.18822.21071.tmp, PE32
    Started: SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp (5, 22)
        Dropped: C:\...\unins000.exe (copy), PE32
        Dropped: C:\Program Files (x86)\...\pvextra.exe (copy), PE32+
        Dropped: C:\Program Files (x86)\...\pveth.sys (copy), PE32+
        Dropped: 7 other files (6 malicious)
        Signature: Uses netsh to modify the Windows network and firewall settings
        Signature: Modifies the windows firewall
        Started: pvextra.exe (1, 13)
            Network: pairv.net 45.33.111.235, port 443, local port 49717, LINODE-AP Linode LLC, United States
            Dropped: C:\Users\user\AppData\...\pveth.sys (copy), PE32+
            Dropped: C:\Users\user\AppData\Local\...\SET39E7.tmp, PE32+
        Started: netsh.exe (2)
            Started: conhost.exe
svchost.exe (2)
    Started: drvinst.exe (12)
        Dropped: C:\Windows\System32\...\pveth.sys (copy), PE32+
        Dropped: C:\Windows\System32\...\SET3B7E.tmp, PE32+
    Started: drvinst.exe (24)
svchost.exe (60)
    Signature: Modifies the DNS server

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | 3% | ReversingLabs |
SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | 3% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\PairVPN\is-GAJBA.tmp | 100% | Avira | HEUR/AGEN.1319028
C:\Program Files (x86)\PairVPN\PairVPN.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\PairVPN.exe (copy) | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\is-2PSH3.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\is-2PSH3.tmp | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\is-7A3OK.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\is-7A3OK.tmp | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\is-A2FHO.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\is-A2FHO.tmp | 3% | Virustotal |
C:\Program Files (x86)\PairVPN\is-GAJBA.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\is-GAJBA.tmp | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\pveth\is-UADM2.tmp | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\pveth\pveth.sys (copy) | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\pvextra.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\pvextra.exe (copy) | 0% | Virustotal |
C:\Program Files (x86)\PairVPN\unins000.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\PairVPN\unins000.exe (copy) | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-J5BNJ.tmp\_isetup\_setup64.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\SET39E7.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.sys (copy) | 0% | Virustotal |
C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp | 0% | ReversingLabs |
C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\SET3B7E.tmp | 0% | Virustotal |
C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy) | 0% | ReversingLabs |
C:\Windows\System32\DriverStore\Temp\{52c0b4ce-4a56-b642-98c5-a3179f85b29e}\pveth.sys (copy) | 0% | Virustotal |

The only positive hit is Avira's heuristic HEUR/AGEN.1319028 on is-GAJBA.tmp, the Inno Setup staging copy of the file installed as pvextra.exe (the URL table below finds the same pairv.net/dev/install.php strings in is-GAJBA.tmp.2.dr and in the pvextra.exe image); ReversingLabs and Virustotal report 0% for the same file. That single heuristic label is also what gave the sample its SecuriteInfo file name.

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://www.remobjects.com/ps | 0% | URL Reputation | safe
https://pairv.net/dev/install.php?err=t%d | 0% | Virustotal |
https://www.innosetup.com/ | 1% | Virustotal |
https://pairvpn.com | 0% | Virustotal |
https://www.pairvpn.com | 0% | Virustotal |
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pairv.net | 45.33.111.235 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://pairv.net/dev/install.php?err=t11037 | false | | unknown
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/maps/search/?api=1&query=%f%%2C%fcli_txt_clockInvalid | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe | false | | high
https://pairv.net/dev/install.php?err=t%d | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
https://www.remobjects.com/ps | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr | false | URL Reputation: safe | unknown
https://pairvpn.com | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | unknown
https://www.innosetup.com/ | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071977197.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2071570713.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000000.2073224935.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp.0.dr, is-7A3OK.tmp.2.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2006/02/devprof | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
https://pairv.net/dev/install.php?err=t11037Provider | pvextra.exe, 00000003.00000002.2275353729.0000024B75259000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://pairv.net/ | pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
https://www.google.com/maps/search/?api=1&query=%f%%2C%f | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
https://www.pairvpn.com | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2366041316.00000000025D3000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://pairv.net/dev/install.php?err=t%d/uPairVPN_cls/twintrust.dllCryptCATAdminAcquireContext2 | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, pvextra.exe, 00000003.00000000.2189765772.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, pvextra.exe, 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp, is-GAJBA.tmp.2.dr | false | | unknown
https://www.pairvpn.com.https://www.pairvpn.com.https://www.pairvpn.com | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2070023257.0000000002750000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2074992354.0000000003490000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://www.pairvpn.comQ6O | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe, 00000000.00000003.2368668070.00000000024F3000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://pairv.net/dev/install.php?err=t11037: | pvextra.exe, 00000003.00000002.2276030070.0000024B76E40000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://pairv.net/dev/install.php?err=t11037z | pvextra.exe, 00000003.00000002.2276030070.0000024B76E55000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://pairvpn.com%s/%ssvr_btn_offsession_pending_review_numsession_pending_review_msgInvalid | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | low
http://schemas.xmlsoap.org/ws/2004/09/transfer/Get | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/04/discovery | SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp, 00000002.00000003.2363811966.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, is-2PSH3.tmp.2.dr | false | | high

Several of these strings are run together with neighbouring data from the memory dump (the ...cli_txt_clockInvalid, ...Q6O, ...t11037: and ...t11037z suffixes); the underlying URLs are the ones listed without the suffix. The err=t%d form found in the pvextra.exe image and in is-GAJBA.tmp is a printf-style template, and the err=t11037 forms in pvextra.exe run-time memory are its filled-in result, matching the contacted URL https://pairv.net/dev/install.php?err=t11037 and the InternetOpenA/InternetOpenUrlA call chain listed under the pvextra.exe code functions.
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
45.33.111.235 | pairv.net | United States | 63949 | LINODE-AP Linode LLC US | false
                                      Joe Sandbox version:40.0.0 Tourmaline
                                      Analysis ID:1427216
                                      Start date and time:2024-04-17 09:34:07 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 6s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:13
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
                                      Detection:SUS
                                      Classification:sus30.spyw.evad.winEXE@14/32@1/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 97%
                                      • Number of executed functions: 9
                                      • Number of non-executed functions: 26
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      No simulations
                                      No context
                                      No context
Joe Sandbox View: ASNs

Match | Associated Sample Name / URL | Detection | Threat Name | Context
LINODE-AP Linode LLC US | file.exe | malicious | FormBook | 45.33.2.79
LINODE-AP Linode LLC US | Ud310iQZnO.elf | malicious | Mirai | 104.237.154.16
LINODE-AP Linode LLC US | https://flow.page/ciminelli.us | malicious | HTMLPhisher | 139.162.156.108
LINODE-AP Linode LLC US | https://preview.webflow.com/preview/2024-project?utm_medium=preview_link&utm_source=designer&utm_content=2024-project&preview=2bf57169f6b59ecf9c01ab696f7c3560&workflow=preview | malicious | HTMLPhisher | 45.79.157.59
LINODE-AP Linode LLC US | http://45.79.163.53 | malicious | Unknown | 45.79.163.53
LINODE-AP Linode LLC US | https://yesterwebring.neocities.org | malicious | Phisher | 173.230.140.214
LINODE-AP Linode LLC US | 2AJt0uG0mS.elf | malicious | Mirai | 23.239.26.100
LINODE-AP Linode LLC US | POR5tal0Pt.elf | malicious | Mirai | 172.104.45.76
LINODE-AP Linode LLC US | UksgYUGMnj.elf | malicious | Mirai | 104.237.129.85
LINODE-AP Linode LLC US | QMrtQYunxY.exe | malicious | FormBook | 74.207.249.179

These matches share only the hosting provider's ASN with this sample; every one of them contacted a different IP, and none contacted 45.33.111.235 or pairv.net (the IP and domain context sections above are empty). For a large hosting provider this is weak evidence on its own.
Joe Sandbox View: JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | install_numarkidjliveii.exe | malicious | Unknown | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | TNT Invoicing_pdf.vbs | malicious | FormBook | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | Credit_Details21367163050417024.vbs | malicious | AgentTesla, GuLoader | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | 2llKbb9pR7.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | MdeeRbWvqe.exe | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe | malicious | Unknown | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | E1rGkXuAld.exe | malicious | Mars Stealer, Vidar | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | zquitaxghu.exe | malicious | Mars Stealer, Vidar | 45.33.111.235
37f463bf4616ecd445d4a1937da06e19 | OjYcipehXr.exe | malicious | Mars Stealer, Vidar | 45.33.111.235

This is the match behind the "JA3 SSL client fingerprint seen in connection with other malware" signature. The same hash co-occurs with unrelated families (FormBook, AgentTesla, LummaC, Vidar, RisePro), which is what a fingerprint of a widely shared TLS client stack looks like, not a fingerprint of this sample's own code; treat it as a low-confidence indicator.
                                      No context
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1147952
                                      Entropy (8bit):6.867356772385916
                                      Encrypted:false
                                      SSDEEP:24576:rMm0VNf2bNbdCEszQ/23xJGHFDStnlDDZI8AcnqYPADBA:+QVurGHFDQNlIPcnqAABA
                                      MD5:9A8840D016500E85FB5EC944E743687C
                                      SHA1:9315AD7A9CC23E8B071473C6954473039D6B0D11
                                      SHA-256:874A5D1DB2C90D051E02EE5F5C166553E9B0C628506995F776D99A1431536C71
                                      SHA-512:403FAAC4B1DF344C64A75444FD833969159CFAA9065254D367C0096B6EBD82337BC95872E523F626B3D49D50084CE4FC911F208A9598E8A15134AA11294EB00B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......77B.sV,EsV,EsV,E.0/DgV,E.0)D.V,E!>/DjV,E!>)D.V,E!>(DPV,E.0(DRV,E.0*DrV,E.0-DnV,EsV-EVW,E.?%DIV,E.?.ErV,E.?.DrV,ERichsV,E........................PE..L.....e..........................................@..................................Y....@.................................t.......................^..0&...p..@....O..p....................P.......O..@...............D............................text...1........................... ..`.rdata...D.......F..................@..@.data...$.... ......................@....rsrc...............*..............@..@.reloc..@....p......................@..B........................................................................................................................................................................................................................................................................................
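The Entropy (8bit) and Encrypted fields of each dropped-file entry come from the byte-level Shannon entropy of the file: a value near 8.0 bits per byte means compressed or encrypted content, while the 4.9 to 6.9 values on this page are typical of ordinary code and data. The block below is an added example written for this report, not Joe Sandbox code, and it assumes a 7.2 bits/byte cut-off for the Encrypted flag; the report does not state the threshold it actually uses. It also goes one step beyond the per-file number and locates high-entropy regions inside a file, which is how you separate a plain installer stub from an embedded packed payload. All inputs are constructed, not taken from the sample.

```python
"""8-bit Shannon entropy, as reported in the "Entropy (8bit)" / "Encrypted" fields.

Added example for this sandbox report (not Joe Sandbox code). The threshold is an
assumption; the page does not publish the cut-off behind its Encrypted flag.
"""
import math
from collections import Counter
from typing import List, Tuple

PACKED_THRESHOLD = 7.2   # assumed cut-off; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_or_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-file verdict, the equivalent of the report's Encrypted: true/false."""
    return shannon_entropy(data) >= threshold


def chunk_entropies(data: bytes, size: int = 1024) -> List[float]:
    """Entropy of each fixed-size window; a low plateau followed by a plateau near 8
    is the usual profile of a loader stub carrying a compressed or encrypted payload."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def high_entropy_regions(data: bytes, size: int = 1024,
                         threshold: float = PACKED_THRESHOLD) -> List[Tuple[int, int]]:
    """Merge adjacent windows at or above the threshold into (start, end) byte ranges."""
    regions: List[Tuple[int, int]] = []
    for idx, h in enumerate(chunk_entropies(data, size)):
        if h < threshold:
            continue
        start, end = idx * size, min((idx + 1) * size, len(data))
        if regions and regions[-1][1] == start:
            regions[-1] = (regions[-1][0], end)   # extend the previous region
        else:
            regions.append((start, end))
    return regions


# Constructed inputs (not bytes from the sample's files)
ZEROS = bytes(1024)                                                # entropy 0.0
UNIFORM = bytes(range(256)) * 4                                    # every byte value equally often: 8.0
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n" * 25  # skewed ASCII, well under threshold
FAKE_DROPPER = ZEROS + UNIFORM + ZEROS                             # low / high / low profile

if __name__ == "__main__":
    for label, blob in [("zeros", ZEROS), ("uniform", UNIFORM), ("dos stub text", DOS_STUB_TEXT)]:
        print(f"{label:14s} {shannon_entropy(blob):.3f} encrypted={looks_encrypted_or_packed(blob)}")
    print("high-entropy regions in FAKE_DROPPER:", high_entropy_regions(FAKE_DROPPER))
```

Run it against the real dropped files (open them in binary mode and pass the bytes) to reproduce the per-file numbers above; the region finder is the more useful view for the 1.1 MB and 3.2 MB PE32 files, because a whole-file average of 6.3 to 6.9 can still hide a fully packed section.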
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3223613
                                      Entropy (8bit):6.312185805413268
                                      Encrypted:false
                                      SSDEEP:49152:OWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYj:CtLutqgwh4NYxtJpkxhGj333TG
                                      MD5:5AF6B7226BB688D27B4A5B9BF16C0A9B
                                      SHA1:A85775EE3158F2E4F7F301467C060592010C9767
                                      SHA-256:E22CDD8D9A9732AFC9DC52A07CDD20A38EE1C5381C201652D054E32033224F33
                                      SHA-512:20DB8EEE3B47DE4EA28344C15EA564FFEF49DD1DE6D276747DDDD5D83EA6CF3F02CD20CCBA9AED6D3A5892B26310B34CB118077B205D2E4EE2966E5573C645BE
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                      Reputation:low
                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):16896
                                      Entropy (8bit):4.945465874670498
                                      Encrypted:false
                                      SSDEEP:192:l93HSIibyW7BXTHLSdKfZQ78Dl1h1LYBb6JWBqI6jmy2E+A+Ye8w/M565tXU/E0G:b3oysBXTHF68p1Lv28woY50pY1
                                      MD5:60801C3073EA6124FE5948FDE22934E9
                                      SHA1:30990A0B53734A6F3B0976A915D05EA9EE6625F1
                                      SHA-256:5A7D1665F480E526D9C8E6930099B28CB2ED8DB75BFBB9B39E05820B53A217D2
                                      SHA-512:4E705767888B97B4FFE9B87851837360EA4FDC1B4E78B7CDA6E587B76AEB637052DD7446189B768EAECD040135CC6FC7B5A69EA56A7FB4FBCD7D423A572FB50D
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 3%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.V...8S..8S..8Sv..Su.8S-.=Rh.8S-.<Ru.8S-.;R}.8S-.9R{.8S..9Rz.8S..9S4.8S..1R~.8S...S~.8S..:R~.8SRich..8S........PE..d.....U^.........."..........*.................@..........................................`..................................................>.......p.......`..p...............D...`5..p............................5...............0..X............................text...D........................... ..`.rdata.......0......................@..@.data...0....P.......8..............@....pdata..p....`.......:..............@..@.rsrc........p.......>..............@..@.reloc..D............@..............@..B................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):209408
                                      Entropy (8bit):5.533872822447219
                                      Encrypted:false
                                      SSDEEP:1536:8lKrqE8q6Sha/8IL316xl2Fnux90csWK5d9msWB7vdP9dlIgVqGpWtWC:vrqEZa8S316xlsnc90cbKNWFvu1uWMC
                                      MD5:CB12C48A9D14A5018DD07BBB8E71AC9A
                                      SHA1:8F19EB07279994DE814DADF70A8E2D09498907E3
                                      SHA-256:03922C20C2704C1B6359493BF310B4E00E902A3F4521864B2BC7F848FE833E7B
                                      SHA-512:B7C2DED22BBCAC15FF67FACBA985671B2A9FF929CA920D4C29BC607EECA9153011C2A5D786EE496100DE4154B41EF2A6F1375AE5F8D81ABF5D47A155897FA5F4
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.).P.z.P.z.P.z.6.{.P.z.6.{.P.z.6.{AP.z.8.{.P.z.8.{.P.z.8.{.P.z.6.{.P.z.P.z.P.zR9.{.P.zR9tz.P.z.P.z.P.zR9.{.P.zRich.P.z................PE..d.....O_.........."..........H.................@.............................p............`..............................................................q...................`......@...p............................................... ............................text............................... ..`.rdata..F...........................@..@.data...............................@....pdata..............................@..@.rsrc....q.......r..................@..@.reloc.......`.......*..............@..B........................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
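The INF preview above is cut off after the first lines of [pveth.ndi], but what survives already states the facts that matter for a dropped driver package: it is a Net-class (NDIS) root-enumerated virtual adapter, its signature is carried by the catalog named in CatalogFile (pveth.cat) rather than embedded in pveth.sys, and PnpLockDown is set. The Python below is an added example, not part of the Joe Sandbox report: it parses that INF text (PVETH_INF is reconstructed from the preview, with each '..' pair read as a CRLF and the comment header shortened) and walks [Manufacturer] to the DDInstall section to decode its Characteristics. The parser, the lookup helpers and the NCF_* table are my own and assume that ';' never occurs inside a value.

```python
"""Minimal INF parser that pulls the driver-install facts out of the pveth.INF
the installer drops: device class, catalog file, driver date/version, the
DDInstall section reached from [Manufacturer] and its NCF characteristics.
Added example, not part of the report. PVETH_INF is reconstructed from the
report's Preview field ('..' pairs there are CRLF line breaks) and ends where
that preview ends."""
import re

PVETH_INF = r"""; pveth.INF
; PairVPN Network Driver 1.8.3.0

[version]
Signature = "$Windows NT$"
Class = Net
ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider = %moco%
DriverVer =09/01/2020,1.8.3.0
PnpLockDown = 1
CatalogFile = pveth.cat

[ControlFlags]
ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth

[Manufacturer]
%moco% = moco,NTx86,NTamd64

[moco.NTx86]
%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated

[moco.NTamd64]
%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated

[pveth.ndi]
Characteristics = 0x1 ; NCF_VIRTUAL
*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD
*MediaType = 0x0 ; NdisMedium802_3
*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3
AddReg = pveth.Reg
CopyFiles = pveth.CopyFiles
"""

# NCF_* bits for the Characteristics key of a Net-class DDInstall section
NCF_FLAGS = {0x1: "NCF_VIRTUAL", 0x2: "NCF_SOFTWARE_ENUMERATED", 0x4: "NCF_PHYSICAL",
             0x8: "NCF_HIDDEN", 0x10: "NCF_NO_SERVICE", 0x20: "NCF_NOT_USER_REMOVABLE",
             0x80: "NCF_HAS_UI", 0x400: "NCF_FILTER"}


def parse_inf(text: str) -> dict:
    """{section(lower): [(key(lower), value), ...]}. Strips ';' comments, keeps
    entry order and duplicate keys. Assumes ';' never appears inside a value."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        sections.setdefault(current, []).append(
            (key.strip().lower(), value.strip() if sep else None))
    return sections


def lookup(inf: dict, section: str, key: str):
    """First value of key in section (both case-insensitive), or None."""
    for k, v in inf.get(section.lower(), []):
        if k == key.lower():
            return v
    return None


def install_section(inf: dict, arch: str = "NTamd64"):
    """Follow [Manufacturer] -> [<models>.<arch>] -> the DDInstall section name."""
    for _, value in inf.get("manufacturer", []):
        parts = [p.strip() for p in value.split(",")]
        models = parts[0]
        if arch in parts[1:]:                      # decorated models section
            models = "%s.%s" % (models, arch)
        for _, entry in inf.get(models.lower(), []):
            return entry.split(",")[0].strip()    # "pveth.ndi, pveth" -> "pveth.ndi"
    return None


def driver_facts(text: str, arch: str = "NTamd64") -> dict:
    """The review-relevant facts of a driver INF as one dictionary."""
    inf = parse_inf(text)
    date, _, version = (lookup(inf, "version", "DriverVer") or ",").partition(",")
    ddinstall = install_section(inf, arch)
    chars = int(lookup(inf, ddinstall, "Characteristics") or "0", 16) if ddinstall else 0
    return {
        "class": lookup(inf, "version", "Class"),
        "class_guid": lookup(inf, "version", "ClassGUID"),
        "catalog": lookup(inf, "version", "CatalogFile"),
        "pnp_lockdown": lookup(inf, "version", "PnpLockDown") == "1",
        "driver_date": date.strip(),
        "driver_version": version.strip(),
        "install_section": ddinstall,
        "characteristics": [n for bit, n in NCF_FLAGS.items() if chars & bit],
        "copyfiles": lookup(inf, ddinstall, "CopyFiles") if ddinstall else None,
    }


if __name__ == "__main__":
    for k, v in driver_facts(PVETH_INF).items():
        print("%-16s %s" % (k, v))
```

The CatalogFile value is the name to pair with the 10666-byte "data" drops in this listing, whose preview shows a PKCS#7 SignedData carrying entries for pveth.inf and pveth.sys: that catalog, not the driver image itself, is what a signature check of this package has to be run against.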
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
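Every record in this listing carries the same derived fields: Size, Entropy (8bit), a libmagic-style File Type, MD5/SHA1/SHA-256/SHA-512 and a printable Preview. The Python below is an added example, not part of the Joe Sandbox report: it recomputes those fields for an arbitrary byte string, so a copy of any dropped file can be checked against the digests above before it is trusted, and it classifies PE images by machine and subsystem with the same wording the File Type field uses (the "native" subsystem is what marks a kernel-mode driver such as the 44544-byte PE32+ image in the record above). The two PE images the script builds are hand-constructed headers for exercising the classifier, not the dropped files; the function and sample names are my own.

```python
"""Reproduce the per-file fields of this dropped-file listing (Size, Entropy
(8bit), File Type, MD5/SHA1/SHA-256/SHA-512, Preview) for any byte string.
Added example, not part of the Joe Sandbox report; the PE images built by
build_min_pe() are hand-constructed headers, not the dropped files."""
import hashlib
import math
import struct

# IMAGE_FILE_HEADER.Machine and IMAGE_OPTIONAL_HEADER.Subsystem values,
# worded as libmagic (and this report) print them.
MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. Values near 8 suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_file_type(data: bytes) -> str:
    """Classify a buffer the way the report's 'File Type' field does.
    Subsystem 1 ('native') is what marks a kernel-mode driver."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MS-DOS executable"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                       # start of IMAGE_OPTIONAL_HEADER
    if opt + 70 > len(data):
        return "data"
    magic = struct.unpack_from("<H", data, opt)[0]
    kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if kind is None:
        return "data"
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return "%s executable (%s) %s, for MS Windows" % (
        kind, SUBSYSTEMS.get(subsystem, "unknown"), MACHINES.get(machine, hex(machine)))


def preview(data: bytes, limit: int = 64) -> str:
    """Printable ASCII with every other byte shown as '.', as in the report."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def describe(data: bytes) -> dict:
    """All fields for one dropped file, hex digests upper-cased like the report."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy8(data),
        "File Type": pe_file_type(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Preview": preview(data),
    }


def build_min_pe(machine: int, subsystem: int, pe32plus: bool) -> bytes:
    """Constructed header-only PE (not loadable) for exercising pe_file_type."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    opt_size = 112 if pe32plus else 96            # optional header, no data directories
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + file_hdr + bytes(opt)


# Constructed samples: a 64-bit kernel driver and a 32-bit GUI program.
SAMPLE_DRIVER = build_min_pe(0x8664, 1, True)
SAMPLE_GUI32 = build_min_pe(0x014C, 2, False)

if __name__ == "__main__":
    for name, blob in (("driver", SAMPLE_DRIVER), ("gui32", SAMPLE_GUI32)):
        print(name)
        for field, value in describe(blob).items():
            print("  %s: %s" % (field, value))
```

To reproduce a record from a real copy, pass the file's bytes to describe(); every field should match the listing value for value, which is the check to make before a sample pulled from another sandbox run is treated as the same file.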
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):209408
                                      Entropy (8bit):5.533872822447219
                                      Encrypted:false
                                      SSDEEP:1536:8lKrqE8q6Sha/8IL316xl2Fnux90csWK5d9msWB7vdP9dlIgVqGpWtWC:vrqEZa8S316xlsnc90cbKNWFvu1uWMC
                                      MD5:CB12C48A9D14A5018DD07BBB8E71AC9A
                                      SHA1:8F19EB07279994DE814DADF70A8E2D09498907E3
                                      SHA-256:03922C20C2704C1B6359493BF310B4E00E902A3F4521864B2BC7F848FE833E7B
                                      SHA-512:B7C2DED22BBCAC15FF67FACBA985671B2A9FF929CA920D4C29BC607EECA9153011C2A5D786EE496100DE4154B41EF2A6F1375AE5F8D81ABF5D47A155897FA5F4
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.).P.z.P.z.P.z.6.{.P.z.6.{.P.z.6.{AP.z.8.{.P.z.8.{.P.z.8.{.P.z.6.{.P.z.P.z.P.zR9.{.P.zR9tz.P.z.P.z.P.zR9.{.P.zRich.P.z................PE..d.....O_.........."..........H.................@.............................p............`..............................................................q...................`......@...p............................................... ............................text............................... ..`.rdata..F...........................@..@.data...............................@....pdata..............................@..@.rsrc....q.......r..................@..@.reloc.......`.......*..............@..B........................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3223613
                                      Entropy (8bit):6.312185805413268
                                      Encrypted:false
                                      SSDEEP:49152:OWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYj:CtLutqgwh4NYxtJpkxhGj333TG
                                      MD5:5AF6B7226BB688D27B4A5B9BF16C0A9B
                                      SHA1:A85775EE3158F2E4F7F301467C060592010C9767
                                      SHA-256:E22CDD8D9A9732AFC9DC52A07CDD20A38EE1C5381C201652D054E32033224F33
                                      SHA-512:20DB8EEE3B47DE4EA28344C15EA564FFEF49DD1DE6D276747DDDD5D83EA6CF3F02CD20CCBA9AED6D3A5892B26310B34CB118077B205D2E4EE2966E5573C645BE
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3199488
                                      Entropy (8bit):6.3250653227668945
                                      Encrypted:false
                                      SSDEEP:49152:2WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TY:6tLutqgwh4NYxtJpkxhGj333T
                                      MD5:74F03B0063ABA7C8CC9A8D4FED6B2381
                                      SHA1:7296C58160C9CC7C45313E4064BAB6CE265D0285
                                      SHA-256:A610FC722A9A367897078807925DE65C8F286DA2C1CADB18989AE0C34306046A
                                      SHA-512:05B408070DCF76C72E4664CCC57367F421034C8C4A3AB00A849A2B2794A64DCC753390B7F54D8C2CAB31BFFB6C575E5B61BC810B5989D9158CFED04072C5467C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9...................................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                       • Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      File Type:Generic INItialization configuration [BeginLog]
                                      Category:dropped
                                      Size (bytes):58199
                                      Entropy (8bit):5.2147776008671105
                                      Encrypted:false
                                      SSDEEP:384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwrzUQ5SE2e36tpzOxLiQRAjv:Own95cdyYloiwnlz2e6z2aL
                                      MD5:539418DB80E0FBE8F3A6E0F71E0C7310
                                      SHA1:6D7FAB7C91A753F7FDD402CDD20C059D377F4C35
                                      SHA-256:DE293582225E4E44FB7EE61ACF3A21A170ADCD96DF136A187B630990DEE55389
                                      SHA-512:3636CE5426DD8CFBFD720735C7BA61463517A3B9FB57D36CAC776AA801CEF5A379C8F1C6B5EE7F84EBD3C6B62FC08F7CC87596613AA1316A891F6D1BB2A3A885
                                      Malicious:false
                                      Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):524288
                                      Entropy (8bit):0.424521281982306
                                      Encrypted:false
                                      SSDEEP:192:aL/zm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbmku0L:aL/ZM7mjhRoZO/oAPbL
                                      MD5:B8E18274226C4067BECF6D8EBFB6B092
                                      SHA1:022F4A8AF4C34FA3EFD49F868CF118897BCCF4D7
                                      SHA-256:54770652DACDE2D5A50CC7F16EBCAB5389B058D655D0A8AEE87AEBE6581EEA29
                                      SHA-512:C2F22CF11A46E0C3FBD1C69B21D9B4593A2A53F0FEFEEFCF3A3A22C1F31C696C7318A4ED00416666FBE0128207C7DDF56B9B61E8592691432B8399942F60EDB3
                                      Malicious:false
                                      Preview:....8...8...........................................!....................................?......................eJ......y......Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@K5..............?..............N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P..........?..................................................................8.B..?......19041.1.amd64fre.vb_release.191206-1406.....7.@..?.......I.[.8+m.!N8$......NetSetupuser.pdb......4.@..?.........>*.....Nr8..a....NetSetupApi.pdb.db......4.@..?.........E_iC...F........NetSetupSvc.pdb.........4.@..?.........E_iC...F........NetSetupSvc.pdb.............................................................................................................................................................
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):10666
                                      Entropy (8bit):7.23347759596793
                                      Encrypted:false
                                      SSDEEP:192:fzhggOvGJC2p5UEwQl/WGhYCBsjoIVFWSqnajKsuNq:CGbpzlnh3BeoiFWSlGsuNq
                                      MD5:D33544EEFF39BC7FEC9FB5867DFD4B30
                                      SHA1:28C3FC36F1CE70971DB9E61774DC103B82F7CFCE
                                      SHA-256:0CA6761C7014FCF7DCB249FDE196A7D22C49C1F0648792BEA2992ECA602FD15F
                                      SHA-512:3F8216FF9D86AD88064A8516365F1DD8A37F993D602F813FF920BA7D2A3C015385C78A8C72A7BEDA948755DECEFEB83A7CF2F2EB28566D555CA68DFABC2DBF0E
                                      Malicious:false
                                      Preview:0.)...*.H........).0.)....1.0...`.H.e......0.....+.....7......0...0...+.....7.....j'..im.D....."....200902174831Z0...+.....7.....0..?0... ..j(q..`..DwH....^]U.....1...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..j(q..`..DwH....^]U.....1...0.... eX.&.....R.|.z.`..j:.B(.....0.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... eX.&.....R.|.z.`..j:.B(.....0.0......*?.f.?....j.A.&.s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...i.n.f...0......n..d....dKW@0....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........p.v.e.t.h...s.y.s......u0..q0....+.....7......0.....S.u.
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:Windows setup INFormation
                                      Category:dropped
                                      Size (bytes):2711
                                      Entropy (8bit):5.036760290988427
                                      Encrypted:false
                                      SSDEEP:48:BqdTNZJhkQRUHyb1hdDOYQzPX6WOudD4NDfaibY1ywuHIRM+le6L1DkdjovY7pBL:kTNZ3XGHm1hdDkTSUM+fDk9WYKE
                                      MD5:3EC4D1E00F0735F5C53AEA8F19A03C59
                                      SHA1:F2F32A3F0F66923F998CFB2E6A8741E79126E473
                                      SHA-256:00006A2871E3A29BBE60E3F7447748DC9E91B5BE5E5D55D8C0C7098F31D209D9
                                      SHA-512:F39F23E0F5AFC9E781764AF48CBF15DDEC02B39E01D87A8711C9724A2F9D4DB90784336C76AAC6609A31FAC37E95D4AF0B50D2269C074F5250970BD7DDEBF6F0
                                      Malicious:false
                                      Preview:;-------------------------------------------------------------------------------..; pveth.INF..;..; PairVPN Network Driver 1.8.3.0..;..; Copyright (c) Mobile Company. All rights reserved.......[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %moco%..DriverVer =09/01/2020,1.8.3.0..PnpLockDown = 1..CatalogFile = pveth.cat....[ControlFlags]..ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth....[Manufacturer]..%moco% = moco,NTx86,NTamd64....;For WinXP and later....[moco.NTx86]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[moco.NTamd64]..%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated ....[pveth.ndi]..Characteristics = 0x1 ; NCF_VIRTUAL..*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0x0 ; NdisMedium802_3..*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3..AddReg = pveth.Reg..CopyFiles = pveth.CopyFiles....[pveth.ndi.S
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):44544
                                      Entropy (8bit):6.370268922030891
                                      Encrypted:false
                                      SSDEEP:768:9ppWW+HjJRJhulHYUloSWJhTABDpk5p33AHP8:ZWWAil4DWBNk5tu8
                                      MD5:7463FB1A145EB8518CFE98CA0F116604
                                      SHA1:765DF430641F55FE196185635F75F732CF4ABC4B
                                      SHA-256:9138ADCF80DBB919EB5C85C5745B7DB25C6FF60919DFBC5EC8B8D64FB0411071
                                      SHA-512:E8A6327844A89C9A668DAA2DA3F38999E9AEB4E2FE7477E1A2BDDCFA15B4CAF247A7F8FB072AB6C2C33209293A7D56936077E9ECB0BD6A773FDE42886E8EEF68
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}.{_}.{_}.{_}.z_?.{_..z^x.{_...^x.{_..x^y.{_...^z.{_.._|.{_..y^|.{_Rich}.{_........PE..d....O_.........."......l... .................@....................................q.....`A................................................P...<.......X....p...........$...... ...0S..8...........................pS...............P.. ............................text....5.......6.................. ..h.rdata.......P.......:..............@..H.data........`.......F..............@....pdata.......p.......H..............@..HPAGE.....&.......(...N.............. ..`INIT....~............v.............. ..b.rsrc...X...........................@..B.reloc.. ...........................@..B........................................................................................................................................................................................................
                                      Process:C:\Windows\System32\drvinst.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):3474
                                      Entropy (8bit):5.365681392567107
                                      Encrypted:false
                                      SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3s5pmspmZp:QO00eO00erMwmkB1kAf
                                      MD5:D506C8E42202131C1BD3E6641AD304ED
                                      SHA1:C7F77095E1DB8EFDE53AEBFC20C3D0D0B6AD8B17
                                      SHA-256:4C4B89F08299EB005070E05FA9813ABF1E0FAF485D6A5186FE998075E8F3AD78
                                      SHA-512:51B37D3AA7A7623A59A9F10BB246C4701D3574A85DC13690E491814A75834D08C1FDBCA2A74288AA96961D8FAF7C3EACC16E533BFE6F2F66A7B2C9A8CC7F1F36
                                      Malicious:false
                                      Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                                      Process:C:\Windows\SysWOW64\netsh.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):7
                                      Entropy (8bit):2.2359263506290326
                                      Encrypted:false
                                      SSDEEP:3:t:t
                                      MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                      SHA1:D750F8260312A40968458169B496C40DACC751CA
                                      SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                      SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                      Malicious:false
                                      Preview:Ok.....
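The pveth.INF that pvextra.exe and drvinst.exe drop above (the same 2711-byte file, identical hashes, in several locations) describes a root-enumerated virtual NDIS miniport. The Python below is an added triage example, not code from the Joe Sandbox report or from PairVPN: it parses the INF text exactly as far as the report preview shows it (blank lines and the comment header are omitted, and because the preview is cut off at `[pveth.ndi.S` there is no [Strings] section, so %tokens% stay unresolved, which the code handles rather than guesses) and extracts what an analyst checks first on a dropped network driver: device class GUID, catalog, DriverVer, hardware IDs, whether the device is root-enumerated, and the NCF characteristics of the install section. The class GUID and NCF_* values are from the Windows SDK headers; the INF text is the page's own.

```python
import re

# pveth.INF as far as the report preview shows it (the preview renders each CRLF
# as ".."); blank lines and the leading ';' comment block are left out, and the
# file is cut off at "[pveth.ndi.S", so nothing after [pveth.ndi] is available.
PVETH_INF = r"""
[version]
Signature = "$Windows NT$"
Class = Net
ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider = %moco%
DriverVer =09/01/2020,1.8.3.0
PnpLockDown = 1
CatalogFile = pveth.cat
[ControlFlags]
ExcludeFromSelect={b85b7c50-6a01-11d2-b841-00c04fad5171}\pveth
[Manufacturer]
%moco% = moco,NTx86,NTamd64
[moco.NTx86]
%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated
[moco.NTamd64]
%pveth.DeviceDesc% = pveth.ndi, pveth ; Root enumerated
[pveth.ndi]
Characteristics = 0x1 ; NCF_VIRTUAL
*IfType = 0x6 ; IF_TYPE_ETHERNET_CSMACD
*MediaType = 0x0 ; NdisMedium802_3
*PhysicalMediaType = 14 ; NdisPhysicalMedium802_3
AddReg = pveth.Reg
CopyFiles = pveth.CopyFiles
"""

# Windows SDK values (devguid.h GUID_DEVCLASS_NET, netcfgx.h NCF_* bits).
GUID_DEVCLASS_NET = "{4d36e972-e325-11ce-bfc1-08002be10318}"
NCF_FLAGS = {0x1: "NCF_VIRTUAL", 0x2: "NCF_SOFTWARE_ENUMERATED", 0x4: "NCF_PHYSICAL",
             0x8: "NCF_HIDDEN", 0x10: "NCF_NO_SERVICE", 0x20: "NCF_NOT_USER_REMOVABLE",
             0x40: "NCF_MULTIPORT_INSTANCED_ADAPTER", 0x80: "NCF_HAS_UI",
             0x100: "NCF_SINGLE_INSTANCE", 0x400: "NCF_FILTER"}


def strip_comment(line):
    """Drop a ';' comment, but leave a ';' that sits inside a double-quoted string."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def parse_inf(text):
    """Section name (lower-cased; INF is case-insensitive) -> ordered (key, value) pairs.
    Duplicate keys are kept on purpose: model sections repeat them legitimately."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:  # a directive before any header is ignored
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else ""))
    return sections


def lookup_key(pairs, key):
    return next((v for k, v in pairs if k.lower() == key.lower()), None)


def resolve_tokens(value, strings):
    """Substitute %token% from [Strings]; a token with no definition is left verbatim."""
    return re.sub(r"%([^%]+)%", lambda m: strings.get(m.group(1).lower(), m.group(0)), value)


def triage(inf_text):
    sections = parse_inf(inf_text)
    strings = {k.lower(): v.strip('"') for k, v in sections.get("strings", [])}
    version = sections.get("version", [])
    date, _, ver = (lookup_key(version, "DriverVer") or "").partition(",")
    report = {"class": lookup_key(version, "Class"),
              "class_guid": (lookup_key(version, "ClassGUID") or "").lower(),
              "provider": resolve_tokens(lookup_key(version, "Provider") or "", strings),
              "driver_date": date.strip(), "driver_version": ver.strip(),
              "catalog": lookup_key(version, "CatalogFile"),
              "models": [], "unresolved_tokens": set()}
    report["is_net_class"] = report["class_guid"] == GUID_DEVCLASS_NET
    # [Manufacturer]: %name% = models-section[, TargetOSVersion decorations...]
    for _, value in sections.get("manufacturer", []):
        base, *decorations = [p.strip() for p in value.split(",")]
        for deco in decorations or [""]:
            section = f"{base}.{deco}".lower() if deco else base.lower()
            # model line: %DeviceDesc% = install-section, hw-id[, compatible-ids...]
            for desc, entry in sections.get(section, []):
                install, *hwids = [p.strip() for p in entry.split(",")]
                inst = sections.get(install.lower(), [])
                ncf = int(lookup_key(inst, "Characteristics") or "0", 16)
                report["models"].append({
                    "arch": deco or "default", "description": resolve_tokens(desc, strings),
                    "install_section": install, "hardware_ids": hwids,
                    # A bare ID with no enumerator prefix (PCI\, USB\, ...) is not found
                    # by any bus; the installer has to create the devnode under ROOT\.
                    "root_enumerated": any("\\" not in h for h in hwids),
                    "ncf_flags": [n for bit, n in NCF_FLAGS.items() if ncf & bit],
                    "copy_files": lookup_key(inst, "CopyFiles")})
    for text in [report["provider"]] + [m["description"] for m in report["models"]]:
        report["unresolved_tokens"].update(re.findall(r"%[^%]+%", text))
    return report
```

Calling `triage(PVETH_INF)` reports a Net-class, NCF_VIRTUAL, root-enumerated adapter with hardware ID `pveth` for both NTx86 and NTamd64, signed through `pveth.cat`, version 1.8.3.0 dated 09/01/2020, and lists `%moco%` and `%pveth.DeviceDesc%` as unresolved because the [Strings] section is not on the page.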
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.649182860235832
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
                                      File size:2'341'000 bytes
                                      MD5:35a00ae36ee03f200bad5a922afacd04
                                      SHA1:05dd9e5eae8378394d9426fd97e18d2d485db3fa
                                      SHA256:c99b0aea44483bd5145b0bd811ad6b0fe4b7aa5867a4f12e979fbbea9648ad02
                                      SHA512:23b48e6a66b9baa94b08c714b4a651d4f7af8559069549b757d6f9e821bee5e9089c5e41798031b39553b1b247de9f9577d5577e853270f888bae3de80923e5a
                                      SSDEEP:49152:bBuZrEU4IQC1zVoxHUmQ+KIy029s4C1eH99:tkL0C1Box0mzt29s4C1eH99
                                      TLSH:2BB5D03BF268A13EC56A1B3245B38350997BBA61B81A8C1F07FC344DCF765601E3B656
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4b5eec
                                      Entrypoint Section:.itext
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:e569e6f445d32ba23766ad67d1e3787f
                                      Signature Valid:true
                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                      Signature Validation Error:The operation completed successfully
                                      Error Number:0
                                       Not Before, Not After
                                       • Not Before: 10/01/2024 01:00:00, Not After: 21/09/2026 01:59:59
                                      Subject Chain
                                      • CN=Mobile Company, O=Mobile Company, L=Fairfax, S=Virginia, C=US, SERIALNUMBER=08270787, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Virginia, OID.1.3.6.1.4.1.311.60.2.1.3=US
                                      Version:3
                                      Thumbprint MD5:2427B570B6089CC2FA6B28C8DCB2E44E
                                      Thumbprint SHA-1:E8849BF543ABA361317805613C4B8CD1C7580C8D
                                      Thumbprint SHA-256:1EB9167DE385E7FCDBEC78FA18F6238ECDDAA7D4405D257B9918AEF7E8B9D9B4
                                      Serial:08A121027C5108C62F730F074FDD83D0
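The static fields above (entry point, image base, time stamp, file and DLL characteristics, subsystem) come straight from the PE headers and can be recomputed from any file on disk, which is the check an analyst wants when a dropped pveth.sys scores 0% at ReversingLabs and VirusTotal: the hash may be unknown, but a PE32+ image with the native subsystem in a driver directory is still a kernel driver. The Python below is an added example, not code from the report or from PairVPN. `pe_summary()` reads the COFF and optional headers with `struct`, decodes the flags with the winnt.h values, and compares the SHA-256 against the hashes this page lists; `build_minimal_pe()` constructs a header-only image so the check runs offline (it is not a loadable file, and none of the real samples are embedded). It also makes one thing explicit that the flag list above only implies: the installer carries DYNAMIC_BASE together with RELOCS_STRIPPED, and an image without a relocation table cannot be rebased, so it always loads at its ImageBase of 0x400000 regardless of ASLR.

```python
import hashlib
import struct
from datetime import datetime, timezone

# SHA-256 values copied from this report's dropped-file entries and sample info.
REPORT_SHA256 = {
    "9138adcf80dbb919eb5c85c5745b7db25c6ff60919dfbc5ec8b8d64fb0411071": "pveth.sys",
    "0ca6761c7014fcf7dcb249fde196a7d22c49c1f0648792bea2992eca602fd15f": "pveth.cat",
    "00006a2871e3a29bbe60e3f7447748dc9e91b5be5e5d55d8c0c7098f31d209d9": "pveth.inf",
    "c99b0aea44483bd5145b0bd811ad6b0fe4b7aa5867a4f12e979fbbea9648ad02": "sample exe",
}

# winnt.h constants.
MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
SUBSYSTEM = {1: "native", 2: "windows gui", 3: "windows cui"}
FILE_CHARACTERISTICS = {0x1: "RELOCS_STRIPPED", 0x2: "EXECUTABLE_IMAGE", 0x4: "LINE_NUMS_STRIPPED",
                        0x8: "LOCAL_SYMS_STRIPPED", 0x20: "LARGE_ADDRESS_AWARE", 0x80: "BYTES_REVERSED_LO",
                        0x100: "32BIT_MACHINE", 0x200: "DEBUG_STRIPPED", 0x2000: "DLL",
                        0x8000: "BYTES_REVERSED_HI"}
DLL_CHARACTERISTICS = {0x20: "HIGH_ENTROPY_VA", 0x40: "DYNAMIC_BASE", 0x80: "FORCE_INTEGRITY",
                       0x100: "NX_COMPAT", 0x200: "NO_ISOLATION", 0x400: "NO_SEH", 0x800: "NO_BIND",
                       0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}


def pe_summary(data: bytes) -> dict:
    """Decode the header fields a sandbox report lists, straight from the bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 96:
        raise ValueError("PE signature or headers missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    machine, _, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # PE32+ drops BaseOfData, so ImageBase is 8 bytes at +24; PE32 has it 4 bytes at +28.
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", data, opt + 28)[0])
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)  # same offset in both
    fchars = [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit]
    dchars = [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit]
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "kernel_image": subsystem == 1,      # IMAGE_SUBSYSTEM_NATIVE: driver, not a user-mode EXE
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": image_base + entry_rva,
        "file_characteristics": fchars,
        "dll_characteristics": dchars,
        # The loader can only rebase an image that still has relocations; DYNAMIC_BASE
        # with RELOCS_STRIPPED means the image is always mapped at ImageBase.
        "aslr_effective": "DYNAMIC_BASE" in dchars and "RELOCS_STRIPPED" not in fchars,
        "sha256": sha256,
        "report_match": REPORT_SHA256.get(sha256),
    }


def build_minimal_pe(machine, pe32plus, subsystem, file_chars, dll_chars, timestamp, entry_rva, image_base):
    """Constructed test input: DOS header, PE signature, COFF header and an optional header
    with no sections. Enough for pe_summary(); it is not a loadable image."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Feeding a real file is `pe_summary(open(path, "rb").read())`; for an image built with the sample's own values (machine 0x14C, characteristics 0x818F, DLL characteristics 0x8140, time stamp 0x63ECF218, entry RVA 0xB5EEC, base 0x400000) the function returns the same "Wed Feb 15 14:54:16 2023 UTC" and 0x4B5EEC the report shows, with `aslr_effective` False.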
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004B14B8h
                                      call 00007F5989726BE5h
                                      xor eax, eax
                                      push ebp
                                      push 004B65E2h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004B659Eh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004BE634h]
                                      call 00007F59897C96D7h
                                      call 00007F59897C922Ah
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F598973C684h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004C1D84h
                                      call 00007F59897217D7h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004C1D84h]
                                      mov dl, 01h
                                      mov eax, dword ptr [004238ECh]
                                      call 00007F598973D807h
                                      mov dword ptr [004C1D88h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004B654Ah
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007F59897C975Fh
                                      mov dword ptr [004C1D90h], eax
                                      mov eax, dword ptr [004C1D90h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007F59897CF97Ah
                                      mov eax, dword ptr [004C1D90h]
                                      mov edx, 00000028h
                                      call 00007F598973E0FCh
                                      mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x239258 | 0x2630 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x11000 | 0x11000 | 1c4b537707205f00cfb869176c700f60 | False | 0.18593462775735295 | data | 3.69437967057622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xc80e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xc8748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xc8a30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xc8b58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xca180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcb028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcb8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xcd120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd1348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd38f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd4998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd4e00 | 0x360 | data | | | 0.34375
RT_STRING | 0xd5160 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xd53c0 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xd581c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xd5c28 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xd5efc | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xd5fb4 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xd6050 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xd63c4 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xd675c | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xd6ac4 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xd6d68 | 0x10 | data | | | 1.5
RT_RCDATA | 0xd6d78 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xd703c | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xd7124 | 0x584 | data | English | United States | 0.26345609065155806
RT_MANIFEST | 0xd76a8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4541a8
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 09:35:15.773260117 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:15.773291111 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:15.773401022 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:15.787539959 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:15.787553072 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.263715029 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.263798952 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.272125006 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.272150040 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.272356987 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.272417068 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.273943901 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.320123911 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.430519104 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.430677891 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.430717945 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.430738926 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.430998087 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.431015015 CEST | 443 | 49717 | 45.33.111.235 | 192.168.2.6
Apr 17, 2024 09:35:16.432127953 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Apr 17, 2024 09:35:16.432127953 CEST | 49717 | 443 | 192.168.2.6 | 45.33.111.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 09:35:15.632772923 CEST | 60867 | 53 | 192.168.2.6 | 1.1.1.1
Apr 17, 2024 09:35:15.768356085 CEST | 53 | 60867 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 17, 2024 09:35:15.632772923 CEST | 192.168.2.6 | 1.1.1.1 | 0x96a0 | Standard query (0) | pairv.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 17, 2024 09:35:15.768356085 CEST | 1.1.1.1 | 192.168.2.6 | 0x96a0 | No error (0) | pairv.net | | 45.33.111.235 | A (IP address) | IN (0x0001) | false
                                      • pairv.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49717 | 45.33.111.235 | 443 | 2912 | C:\Program Files (x86)\PairVPN\pvextra.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-17 07:35:16 UTC | 86 | OUT | GET /dev/install.php?err=t11037 HTTP/1.1
    Host: pairv.net
    Cache-Control: no-cache
2024-04-17 07:35:16 UTC | 236 | IN | HTTP/1.1 200 OK
    Date: Wed, 17 Apr 2024 07:12:15 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_qos/11.64 PHP/5.4.16
    X-Powered-By: PHP/5.4.16
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8


                                      Target ID:0
                                      Start time:09:34:54
                                      Start date:17/04/2024
                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
                                      Imagebase:0x400000
                                      File size:2'341'000 bytes
                                      MD5 hash:35A00AE36EE03F200BAD5A922AFACD04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:09:34:55
                                      Start date:17/04/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-83J31.tmp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.tmp" /SL5="$20404,1488690,832512,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1319028.18822.21071.exe"
                                      Imagebase:0x400000
                                      File size:3'199'488 bytes
                                      MD5 hash:74F03B0063ABA7C8CC9A8D4FED6B2381
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:09:35:06
                                      Start date:17/04/2024
                                      Path:C:\Program Files (x86)\PairVPN\pvextra.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files (x86)\PairVPN\pvextra.exe" /d
                                      Imagebase:0x7ff6b0550000
                                      File size:209'408 bytes
                                      MD5 hash:CB12C48A9D14A5018DD07BBB8E71AC9A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:4
                                      Start time:09:35:07
                                      Start date:17/04/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                      Imagebase:0x7ff7403e0000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:5
                                      Start time:09:35:07
                                      Start date:17/04/2024
                                      Path:C:\Windows\System32\drvinst.exe
                                      Wow64 process (32bit):false
                                      Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{c8205cf6-48e0-7848-82c9-7c315d28ffc2}\pveth.inf" "9" "4ec797a8f" "0000000000000100" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\pairvpn\pveth"
                                      Imagebase:0x7ff70fbb0000
                                      File size:337'920 bytes
                                      MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:6
                                      Start time:09:35:12
                                      Start date:17/04/2024
                                      Path:C:\Windows\System32\drvinst.exe
                                      Wow64 process (32bit):false
                                      Commandline:DrvInst.exe "2" "211" "ROOT\PVETH\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:1f6a2eb20729039e:pveth.ndi:1.8.3.0:pveth," "4ec797a8f" "0000000000000100"
                                      Imagebase:0x7ff70fbb0000
                                      File size:337'920 bytes
                                      MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:09:35:13
                                      Start date:17/04/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                                      Imagebase:0x7ff7403e0000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:09:35:22
                                      Start date:17/04/2024
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:"netsh.exe" advfirewall firewall add rule name="PairVPN" dir=in action=allow program="C:\Program Files (x86)\PairVPN\PairVPN.exe" enable=yes
                                      Imagebase:0xa60000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:11
                                      Start time:09:35:22
                                      Start date:17/04/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff66e660000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:14.8%
                                        Total number of Nodes:1069
                                        Total number of Limit Nodes:22
SetupDiCallClassInstaller 5960->5961 5962 7ff6b05513f3 SetupDiDestroyDeviceInfoList 5960->5962 5961->5962 5962->5953 5966 7ff6b055149d 5963->5966 5970 7ff6b055147f 5963->5970 5964 7ff6b05514c0 RegEnumKeyExA 5964->5966 5965 7ff6b0551a10 _handle_error 8 API calls 5967 7ff6b05511d0 5965->5967 5966->5964 5968 7ff6b055153a RegOpenKeyExA 5966->5968 5972 7ff6b05515e4 RegOpenKeyExA 5966->5972 5974 7ff6b0551675 5966->5974 5967->5926 5967->5936 5968->5966 5969 7ff6b055156e RegQueryValueExA RegCloseKey 5968->5969 5969->5966 5970->5965 5971 7ff6b0551694 RegCloseKey 5971->5970 5972->5966 5973 7ff6b0551610 RegQueryValueExA RegCloseKey 5972->5973 5973->5966 5973->5974 5974->5970 5974->5971 5976 7ff6b0551dc2 RtlLookupFunctionEntry 5975->5976 5977 7ff6b0551dd8 RtlVirtualUnwind 5976->5977 5978 7ff6b0551cfe 5976->5978 5977->5976 5977->5978 5979 7ff6b0551ca0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5978->5979 5985 7ff6b05573f8 GetLastError 5980->5985 5986 7ff6b055741a 5985->5986 5987 7ff6b055741f 5985->5987 6021 7ff6b055aab0 5986->6021 6009 7ff6b0557427 SetLastError 5987->6009 6025 7ff6b055aaf8 5987->6025 5993 7ff6b05574c6 5998 7ff6b0555f48 pre_c_initialization 32 API calls 5993->5998 5994 7ff6b0555ebd 6012 7ff6b0555f48 5994->6012 5996 7ff6b0557473 6001 7ff6b055aaf8 _set_fmode 6 API calls 5996->6001 5997 7ff6b0557463 5999 7ff6b055aaf8 _set_fmode 6 API calls 5997->5999 6000 7ff6b05574cb 5998->6000 6002 7ff6b055746a 5999->6002 6003 7ff6b055747b 6001->6003 6037 7ff6b0556954 6002->6037 6004 7ff6b055747f 6003->6004 6005 7ff6b0557491 6003->6005 6007 7ff6b055aaf8 _set_fmode 6 API calls 6004->6007 6043 7ff6b05571a8 6005->6043 6007->6002 6009->5993 6009->5994 6097 7ff6b055af84 6012->6097 6022 7ff6b055a7f8 try_get_function 5 API calls 6021->6022 6023 7ff6b055aad7 TlsGetValue 6022->6023 6026 7ff6b055a7f8 try_get_function 5 API calls 6025->6026 6027 7ff6b055ab26 6026->6027 6028 7ff6b055ab38 TlsSetValue 6027->6028 6029 7ff6b0557442 6027->6029 
6028->6029 6029->6009 6030 7ff6b05588fc 6029->6030 6035 7ff6b055890d _set_fmode 6030->6035 6031 7ff6b055895e 6051 7ff6b0556934 6031->6051 6032 7ff6b0558942 RtlAllocateHeap 6033 7ff6b0557455 6032->6033 6032->6035 6033->5996 6033->5997 6035->6031 6035->6032 6048 7ff6b055aed8 6035->6048 6038 7ff6b0556959 HeapFree 6037->6038 6039 7ff6b0556989 __free_lconv_mon 6037->6039 6038->6039 6040 7ff6b0556974 6038->6040 6039->6009 6041 7ff6b0556934 _set_fmode 12 API calls 6040->6041 6042 7ff6b0556979 GetLastError 6041->6042 6042->6039 6083 7ff6b0557080 6043->6083 6054 7ff6b055af08 6048->6054 6060 7ff6b0557574 GetLastError 6051->6060 6053 7ff6b055693d 6053->6033 6059 7ff6b0559b50 EnterCriticalSection 6054->6059 6061 7ff6b0557596 6060->6061 6062 7ff6b055759b 6060->6062 6064 7ff6b055aab0 _set_fmode 6 API calls 6061->6064 6063 7ff6b055aaf8 _set_fmode 6 API calls 6062->6063 6066 7ff6b05575a3 SetLastError 6062->6066 6065 7ff6b05575be 6063->6065 6064->6062 6065->6066 6068 7ff6b05588fc _set_fmode 12 API calls 6065->6068 6066->6053 6069 7ff6b05575d1 6068->6069 6070 7ff6b05575ef 6069->6070 6071 7ff6b05575df 6069->6071 6072 7ff6b055aaf8 _set_fmode 6 API calls 6070->6072 6073 7ff6b055aaf8 _set_fmode 6 API calls 6071->6073 6074 7ff6b05575f7 6072->6074 6075 7ff6b05575e6 6073->6075 6076 7ff6b05575fb 6074->6076 6077 7ff6b055760d 6074->6077 6080 7ff6b0556954 __free_lconv_mon 12 API calls 6075->6080 6078 7ff6b055aaf8 _set_fmode 6 API calls 6076->6078 6079 7ff6b05571a8 _set_fmode 12 API calls 6077->6079 6078->6075 6081 7ff6b0557615 6079->6081 6080->6066 6082 7ff6b0556954 __free_lconv_mon 12 API calls 6081->6082 6082->6066 6095 7ff6b0559b50 EnterCriticalSection 6083->6095 6131 7ff6b055af3c 6097->6131 6136 7ff6b0559b50 EnterCriticalSection 6131->6136 6676 7ff6b0553718 6677 7ff6b0553757 6676->6677 6678 7ff6b055376f 6676->6678 6679 7ff6b0556934 _set_fmode 14 API calls 6677->6679 6678->6677 6680 7ff6b0553779 6678->6680 6681 7ff6b055375c 6679->6681 6682 7ff6b0553b28 34 API calls 6680->6682 6683 
7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6681->6683 6684 7ff6b055378a memcpy_s 6682->6684 6689 7ff6b0553767 6683->6689 6691 7ff6b0553d44 6684->6691 6685 7ff6b0551a10 _handle_error 8 API calls 6686 7ff6b05538b1 6685->6686 6688 7ff6b0556954 __free_lconv_mon 14 API calls 6688->6689 6689->6685 6692 7ff6b0553f3a 6691->6692 6693 7ff6b0553d67 6691->6693 6695 7ff6b0556934 _set_fmode 14 API calls 6692->6695 6694 7ff6b0553d6e 6693->6694 6704 7ff6b0553d85 6693->6704 6696 7ff6b0556934 _set_fmode 14 API calls 6694->6696 6697 7ff6b0553f3f 6695->6697 6698 7ff6b0553d73 6696->6698 6700 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6697->6700 6701 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6698->6701 6699 7ff6b0553829 6699->6688 6700->6699 6701->6699 6704->6692 6704->6699 6707 7ff6b05541e0 6704->6707 6723 7ff6b055406c 6704->6723 6745 7ff6b0553ca0 6704->6745 6753 7ff6b0553f50 6704->6753 6708 7ff6b0554267 6707->6708 6718 7ff6b0554211 6707->6718 6709 7ff6b055426b 6708->6709 6710 7ff6b05542e6 6708->6710 6712 7ff6b05542cc 6709->6712 6717 7ff6b0554273 6709->6717 6779 7ff6b05544c0 6710->6779 6764 7ff6b0554900 6712->6764 6713 7ff6b0554249 6722 7ff6b05542ef 6713->6722 6760 7ff6b055467c 6713->6760 6720 7ff6b0554258 6717->6720 6717->6722 6770 7ff6b0554738 6717->6770 6718->6710 6718->6713 6718->6717 6719 7ff6b055423d 6718->6719 6718->6720 6718->6722 6719->6710 6719->6713 6719->6720 6720->6722 6787 7ff6b0554a74 6720->6787 6722->6704 6724 7ff6b0554077 6723->6724 6725 7ff6b0554090 6723->6725 6727 7ff6b05540b4 6724->6727 6728 7ff6b0554267 6724->6728 6740 7ff6b0554211 6724->6740 6726 7ff6b0556934 _set_fmode 14 API calls 6725->6726 6725->6727 6729 7ff6b05540a9 6726->6729 6727->6704 6730 7ff6b055426b 6728->6730 6731 7ff6b05542e6 6728->6731 6732 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6729->6732 6734 7ff6b05542cc 6730->6734 6739 7ff6b0554273 6730->6739 6733 7ff6b05544c0 39 API calls 6731->6733 6732->6727 6742 7ff6b0554258 6733->6742 6737 7ff6b0554900 31 API calls 
6734->6737 6735 7ff6b0554249 6736 7ff6b055467c 36 API calls 6735->6736 6744 7ff6b05542ef 6735->6744 6736->6742 6737->6742 6738 7ff6b0554738 32 API calls 6738->6742 6739->6738 6739->6742 6739->6744 6740->6731 6740->6735 6740->6739 6741 7ff6b055423d 6740->6741 6740->6742 6740->6744 6741->6731 6741->6735 6741->6742 6743 7ff6b0554a74 36 API calls 6742->6743 6742->6744 6743->6744 6744->6704 6746 7ff6b0553cc6 6745->6746 6747 7ff6b0553cc1 6745->6747 7056 7ff6b05569f4 6746->7056 6748 7ff6b0556934 _set_fmode 14 API calls 6747->6748 6748->6746 6751 7ff6b0556934 _set_fmode 14 API calls 6752 7ff6b0553d03 6751->6752 6752->6704 7081 7ff6b0553fc4 6753->7081 6756 7ff6b0556934 _set_fmode 14 API calls 6757 7ff6b0553fb1 6756->6757 6758 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6757->6758 6759 7ff6b0553f64 6758->6759 6759->6704 6761 7ff6b055468d 6760->6761 6763 7ff6b05546e8 6761->6763 6793 7ff6b0556d44 6761->6793 6763->6720 6767 7ff6b0554928 6764->6767 6765 7ff6b0556934 _set_fmode 14 API calls 6766 7ff6b0554931 6765->6766 6768 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6766->6768 6767->6765 6769 7ff6b055493c 6767->6769 6768->6769 6769->6720 6771 7ff6b055476a 6770->6771 6772 7ff6b05547a5 6771->6772 6773 7ff6b05547e4 6771->6773 6774 7ff6b0556934 _set_fmode 14 API calls 6772->6774 6778 7ff6b05547b5 6773->6778 6825 7ff6b05538e4 6773->6825 6776 7ff6b05547aa 6774->6776 6777 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6776->6777 6777->6778 6778->6720 6780 7ff6b05544d8 6779->6780 6781 7ff6b05538e4 15 API calls 6780->6781 6782 7ff6b055451e 6781->6782 6835 7ff6b05580dc 6782->6835 6786 7ff6b0554608 6786->6720 6791 7ff6b0554b01 6787->6791 6792 7ff6b0554a9b 6787->6792 6788 7ff6b0551a10 _handle_error 8 API calls 6790 7ff6b0554b39 6788->6790 6789 7ff6b0556d44 36 API calls 6789->6792 6790->6722 6791->6788 6792->6789 6792->6791 6796 7ff6b0556ba4 6793->6796 6797 7ff6b0556bc7 6796->6797 6798 7ff6b0556beb 6797->6798 6799 7ff6b0556c01 6797->6799 6815 7ff6b0556bcc 6797->6815 6800 
7ff6b0556934 _set_fmode 14 API calls 6798->6800 6801 7ff6b0553b28 34 API calls 6799->6801 6803 7ff6b0556bf0 6800->6803 6802 7ff6b0556c0e 6801->6802 6804 7ff6b0556c4c 6802->6804 6805 7ff6b0556c1d 6802->6805 6806 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6803->6806 6808 7ff6b0556c56 6804->6808 6811 7ff6b05599d0 WideCharToMultiByte 6804->6811 6821 7ff6b055bbac 6805->6821 6806->6815 6810 7ff6b0556c64 memcpy_s 6808->6810 6816 7ff6b0556caa memcpy_s 6808->6816 6813 7ff6b0556934 _set_fmode 14 API calls 6810->6813 6810->6815 6812 7ff6b0556cf0 6811->6812 6812->6810 6814 7ff6b0556d05 GetLastError 6812->6814 6813->6815 6814->6810 6814->6816 6815->6763 6816->6815 6818 7ff6b0556934 _set_fmode 14 API calls 6816->6818 6817 7ff6b0556934 _set_fmode 14 API calls 6817->6815 6819 7ff6b0556d30 6818->6819 6820 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6819->6820 6820->6815 6822 7ff6b0556c33 6821->6822 6823 7ff6b055bbc4 6821->6823 6822->6815 6822->6817 6823->6822 6824 7ff6b0556934 _set_fmode 14 API calls 6823->6824 6824->6822 6826 7ff6b055390a 6825->6826 6827 7ff6b0553919 6825->6827 6828 7ff6b0556934 _set_fmode 14 API calls 6826->6828 6829 7ff6b055390f 6827->6829 6830 7ff6b0556994 _onexit 15 API calls 6827->6830 6828->6829 6829->6778 6831 7ff6b0553946 6830->6831 6832 7ff6b055395a 6831->6832 6834 7ff6b0556954 __free_lconv_mon 14 API calls 6831->6834 6833 7ff6b0556954 __free_lconv_mon 14 API calls 6832->6833 6833->6829 6834->6832 6836 7ff6b055811a 6835->6836 6837 7ff6b0558102 6835->6837 6836->6837 6840 7ff6b0558131 6836->6840 6838 7ff6b0556934 _set_fmode 14 API calls 6837->6838 6839 7ff6b0558107 6838->6839 6841 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6839->6841 6842 7ff6b0558177 6840->6842 6847 7ff6b05581d4 6840->6847 6851 7ff6b05545eb 6841->6851 6867 7ff6b0557fa0 6842->6867 6843 7ff6b0558316 6843->6851 6960 7ff6b0557708 6843->6960 6844 7ff6b05582dd 6953 7ff6b0557a78 6844->6953 6847->6843 6847->6844 6848 7ff6b0558253 6847->6848 6852 7ff6b0558217 6847->6852 
6855 7ff6b0558209 6847->6855 6910 7ff6b055c17c 6848->6910 6851->6786 6860 7ff6b0553c30 6851->6860 6900 7ff6b0557e6c 6852->6900 6855->6844 6857 7ff6b0558212 6855->6857 6857->6848 6857->6852 6858 7ff6b05582aa 6858->6851 6950 7ff6b0557d28 6858->6950 7011 7ff6b0556850 6860->7011 6862 7ff6b0553c48 6863 7ff6b0553c5c 6862->6863 7015 7ff6b055661c 6862->7015 6865 7ff6b0556850 39 API calls 6863->6865 6866 7ff6b0553c64 6865->6866 6866->6786 6868 7ff6b0557fce 6867->6868 6870 7ff6b0557fec 6867->6870 6869 7ff6b0551a10 _handle_error 8 API calls 6868->6869 6871 7ff6b0557fe3 6869->6871 6970 7ff6b0555ee8 6870->6970 6871->6851 6874 7ff6b05580c6 6875 7ff6b05565d4 _invalid_parameter_noinfo 17 API calls 6874->6875 6877 7ff6b05580db 6875->6877 6876 7ff6b0558102 6878 7ff6b0556934 _set_fmode 14 API calls 6876->6878 6877->6876 6881 7ff6b0558131 6877->6881 6879 7ff6b0558107 6878->6879 6880 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6879->6880 6891 7ff6b0558113 6880->6891 6882 7ff6b0558177 6881->6882 6883 7ff6b05581d4 6881->6883 6887 7ff6b0557fa0 34 API calls 6882->6887 6884 7ff6b0558316 6883->6884 6885 7ff6b05582dd 6883->6885 6888 7ff6b0558253 6883->6888 6892 7ff6b0558217 6883->6892 6895 7ff6b0558209 6883->6895 6886 7ff6b0557708 34 API calls 6884->6886 6884->6891 6889 7ff6b0557a78 34 API calls 6885->6889 6886->6891 6887->6891 6890 7ff6b055c17c 31 API calls 6888->6890 6889->6891 6894 7ff6b055827d 6890->6894 6891->6851 6893 7ff6b0557e6c 34 API calls 6892->6893 6893->6891 6896 7ff6b055bc64 31 API calls 6894->6896 6895->6885 6897 7ff6b0558212 6895->6897 6898 7ff6b05582aa 6896->6898 6897->6888 6897->6892 6898->6891 6899 7ff6b0557d28 34 API calls 6898->6899 6899->6891 6901 7ff6b055c17c 31 API calls 6900->6901 6902 7ff6b0557eb0 6901->6902 6903 7ff6b055bc64 31 API calls 6902->6903 6904 7ff6b0557ee9 6903->6904 6905 7ff6b0557f46 6904->6905 6907 7ff6b0557f09 6904->6907 6909 7ff6b0557eed 6904->6909 6979 7ff6b0557b54 6905->6979 6908 7ff6b0557d28 34 API calls 6907->6908 6908->6909 6909->6851 6914 
7ff6b055c1ca fegetenv 6910->6914 6911 7ff6b055c22b 6912 7ff6b0555ee8 31 API calls 6911->6912 6913 7ff6b055d389 6912->6913 6915 7ff6b055d398 6913->6915 6918 7ff6b055d32a 6913->6918 6914->6911 6925 7ff6b055c2aa memcpy_s 6914->6925 6916 7ff6b05565d4 _invalid_parameter_noinfo 17 API calls 6915->6916 6917 7ff6b055d3ac 6916->6917 6919 7ff6b0551a10 _handle_error 8 API calls 6918->6919 6920 7ff6b055827d 6919->6920 6941 7ff6b055bc64 6920->6941 6921 7ff6b055ccbe 7001 7ff6b055bd50 6921->7001 6923 7ff6b055cbd4 6923->6921 6992 7ff6b055d3b0 6923->6992 6924 7ff6b055c358 memcpy_s 6934 7ff6b055c7ea memcpy_s 6924->6934 6938 7ff6b055ccda memcpy_s 6924->6938 6925->6924 6927 7ff6b0556934 _set_fmode 14 API calls 6925->6927 6928 7ff6b055c7ca 6927->6928 6929 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6928->6929 6929->6924 6931 7ff6b055d3b0 memcpy_s 31 API calls 6935 7ff6b055d1b8 6931->6935 6932 7ff6b0556934 14 API calls _set_fmode 6932->6938 6933 7ff6b0556934 14 API calls _set_fmode 6933->6934 6934->6923 6934->6933 6939 7ff6b05565b4 31 API calls _invalid_parameter_noinfo 6934->6939 6935->6918 6936 7ff6b055bd50 31 API calls 6935->6936 6940 7ff6b055d3b0 memcpy_s 31 API calls 6935->6940 6936->6935 6937 7ff6b05565b4 31 API calls _invalid_parameter_noinfo 6937->6938 6938->6921 6938->6923 6938->6932 6938->6937 6939->6934 6940->6935 6942 7ff6b055bc79 6941->6942 6943 7ff6b055bc91 6941->6943 6944 7ff6b0556934 _set_fmode 14 API calls 6942->6944 6949 7ff6b055bc8a memcpy_s 6942->6949 6943->6942 6945 7ff6b055bcab 6943->6945 6948 7ff6b055bc7e 6944->6948 6946 7ff6b0556934 _set_fmode 14 API calls 6945->6946 6946->6948 6947 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6947->6949 6948->6947 6949->6858 6949->6949 6951 7ff6b0553b28 34 API calls 6950->6951 6952 7ff6b0557d58 memcpy_s 6951->6952 6952->6851 6954 7ff6b055c17c 31 API calls 6953->6954 6955 7ff6b0557ac2 6954->6955 6956 7ff6b055bc64 31 API calls 6955->6956 6957 7ff6b0557af8 6956->6957 6958 7ff6b0557afc 6957->6958 6959 7ff6b0557b54 34 
API calls 6957->6959 6958->6851 6959->6958 6961 7ff6b0553b28 34 API calls 6960->6961 6962 7ff6b0557756 6961->6962 6963 7ff6b0557776 6962->6963 6964 7ff6b0557761 6962->6964 6967 7ff6b0557a78 34 API calls 6963->6967 6969 7ff6b0557771 memcpy_s strrchr 6963->6969 6965 7ff6b0556934 _set_fmode 14 API calls 6964->6965 6966 7ff6b0557766 6965->6966 6968 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6966->6968 6967->6969 6968->6969 6969->6851 6971 7ff6b0555ef5 6970->6971 6972 7ff6b0555eff 6970->6972 6971->6972 6975 7ff6b0555f1a 6971->6975 6973 7ff6b0556934 _set_fmode 14 API calls 6972->6973 6974 7ff6b0555f06 6973->6974 6976 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6974->6976 6977 7ff6b0555f12 6975->6977 6978 7ff6b0556934 _set_fmode 14 API calls 6975->6978 6976->6977 6977->6868 6977->6874 6978->6974 6980 7ff6b0557b8b 6979->6980 6981 7ff6b0557bb9 6979->6981 6982 7ff6b0556934 _set_fmode 14 API calls 6980->6982 6983 7ff6b0553b28 34 API calls 6981->6983 6984 7ff6b0557b90 6982->6984 6987 7ff6b0557bcb memcpy_s 6983->6987 6985 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6984->6985 6986 7ff6b0557b9c 6985->6986 6986->6909 6988 7ff6b0555ee8 31 API calls 6987->6988 6991 7ff6b0557c64 memcpy_s 6988->6991 6989 7ff6b05565d4 _invalid_parameter_noinfo 17 API calls 6990 7ff6b0557d25 6989->6990 6991->6989 6995 7ff6b055d3cd memcpy_s 6992->6995 6997 7ff6b055d3d1 memcpy_s 6992->6997 6993 7ff6b055d3d6 6994 7ff6b0556934 _set_fmode 14 API calls 6993->6994 6996 7ff6b055d3db 6994->6996 6995->6921 6998 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 6996->6998 6997->6993 6997->6995 6999 7ff6b055d411 6997->6999 6998->6995 6999->6995 7000 7ff6b0556934 _set_fmode 14 API calls 6999->7000 7000->6996 7002 7ff6b055bd78 7001->7002 7010 7ff6b055bdbb 7001->7010 7003 7ff6b055bd9c 7002->7003 7004 7ff6b055bdc2 7002->7004 7002->7010 7005 7ff6b055d3b0 memcpy_s 31 API calls 7003->7005 7006 7ff6b055bdfd 7004->7006 7007 7ff6b055bdc7 7004->7007 7005->7010 7009 7ff6b055d3b0 memcpy_s 31 API 
calls 7006->7009 7008 7ff6b055d3b0 memcpy_s 31 API calls 7007->7008 7008->7010 7009->7010 7010->6931 7010->6935 7012 7ff6b055685d 7011->7012 7013 7ff6b0556864 7011->7013 7021 7ff6b0556710 7012->7021 7013->6862 7016 7ff6b0556633 7015->7016 7020 7ff6b0556659 7015->7020 7017 7ff6b0553b28 34 API calls 7016->7017 7018 7ff6b055663f 7017->7018 7019 7ff6b055b4ec 37 API calls 7018->7019 7018->7020 7019->7020 7020->6862 7022 7ff6b0553b28 34 API calls 7021->7022 7023 7ff6b055672e 7022->7023 7024 7ff6b0556736 7023->7024 7025 7ff6b055676e 7023->7025 7033 7ff6b05566b0 7024->7033 7027 7ff6b0556793 7025->7027 7039 7ff6b055b5fc 7025->7039 7028 7ff6b0556934 _set_fmode 14 API calls 7027->7028 7031 7ff6b0556797 7027->7031 7028->7031 7029 7ff6b0556741 7029->7013 7032 7ff6b055b960 38 API calls 7031->7032 7032->7029 7034 7ff6b05566e8 7033->7034 7035 7ff6b05566be 7033->7035 7051 7ff6b055a1f8 7034->7051 7038 7ff6b05566d7 7035->7038 7042 7ff6b055b4ec 7035->7042 7038->7029 7040 7ff6b0553b28 34 API calls 7039->7040 7041 7ff6b055b60f 7040->7041 7041->7027 7043 7ff6b0553b28 34 API calls 7042->7043 7044 7ff6b055b526 7043->7044 7045 7ff6b055b5fc 34 API calls 7044->7045 7050 7ff6b055b530 7044->7050 7046 7ff6b055b552 7045->7046 7049 7ff6b055a25c 37 API calls 7046->7049 7047 7ff6b0551a10 _handle_error 8 API calls 7048 7ff6b055b5e2 7047->7048 7048->7038 7049->7050 7050->7047 7052 7ff6b05573f8 pre_c_initialization 34 API calls 7051->7052 7053 7ff6b055a201 7052->7053 7054 7ff6b05576a0 34 API calls 7053->7054 7055 7ff6b055a21a 7054->7055 7055->7038 7057 7ff6b0556a07 7056->7057 7060 7ff6b0555fcc 7057->7060 7061 7ff6b0555ffa 7060->7061 7062 7ff6b055600f 7060->7062 7063 7ff6b0556934 _set_fmode 14 API calls 7061->7063 7062->7061 7064 7ff6b055601d 7062->7064 7065 7ff6b0555fff 7063->7065 7066 7ff6b0553b28 34 API calls 7064->7066 7067 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7065->7067 7069 7ff6b0556029 7066->7069 7080 7ff6b0553cf2 7067->7080 7068 7ff6b055b4ec 37 API calls 7068->7069 7069->7068 7070 
7ff6b055607d 7069->7070 7071 7ff6b05560f9 7070->7071 7072 7ff6b0556934 _set_fmode 14 API calls 7070->7072 7073 7ff6b0556934 _set_fmode 14 API calls 7071->7073 7078 7ff6b05561fc 7071->7078 7074 7ff6b055613d 7072->7074 7076 7ff6b05561f1 7073->7076 7077 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7074->7077 7075 7ff6b0556934 _set_fmode 14 API calls 7075->7080 7079 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7076->7079 7077->7071 7078->7075 7078->7080 7079->7078 7080->6751 7080->6752 7083 7ff6b0553fdd 7081->7083 7082 7ff6b0553f60 7082->6756 7082->6759 7083->7082 7084 7ff6b0556934 _set_fmode 14 API calls 7083->7084 7085 7ff6b0554056 7084->7085 7086 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7085->7086 7086->7082 7214 7ff6b05523e4 7215 7ff6b05523f3 7214->7215 7216 7ff6b055240f 7214->7216 7215->7216 7217 7ff6b0555eb4 34 API calls 7215->7217 7218 7ff6b055241b 7217->7218 7087 7ff6b0556a20 7088 7ff6b0556a48 7087->7088 7095 7ff6b0556a56 7087->7095 7089 7ff6b0553b28 34 API calls 7088->7089 7088->7095 7090 7ff6b0556a72 7089->7090 7091 7ff6b0556aa2 7090->7091 7092 7ff6b0556a80 7090->7092 7094 7ff6b055b5fc 34 API calls 7091->7094 7091->7095 7103 7ff6b055b9f8 7092->7103 7096 7ff6b0556ae2 7094->7096 7097 7ff6b0556ae6 7096->7097 7098 7ff6b0556b38 7096->7098 7099 7ff6b0556b1b 7097->7099 7101 7ff6b0559974 MultiByteToWideChar 7097->7101 7100 7ff6b0559974 MultiByteToWideChar 7098->7100 7099->7095 7102 7ff6b0556934 _set_fmode 14 API calls 7099->7102 7100->7099 7101->7099 7102->7095 7106 7ff6b055e8a8 7103->7106 7108 7ff6b055e905 7106->7108 7111 7ff6b055e911 7106->7111 7107 7ff6b0551a10 _handle_error 8 API calls 7110 7ff6b055ba0b 7107->7110 7108->7107 7109 7ff6b0556934 _set_fmode 14 API calls 7109->7108 7110->7095 7111->7108 7111->7109 7219 7ff6b055fce0 7220 7ff6b055fcf7 7219->7220 7221 7ff6b055fcf1 CloseHandle 7219->7221 7221->7220 6155 7ff6b05584ac 6156 7ff6b05584b7 __scrt_uninitialize_crt 6155->6156 6164 7ff6b055d438 6156->6164 6177 7ff6b0559b50 
EnterCriticalSection 6164->6177 7222 7ff6b055adec GetProcessHeap 6357 7ff6b0555868 6360 7ff6b05557ec 6357->6360 6367 7ff6b0559b50 EnterCriticalSection 6360->6367 6368 7ff6b0555d74 6371 7ff6b055538c 6368->6371 6378 7ff6b0555354 6371->6378 6376 7ff6b0555310 14 API calls 6377 7ff6b05553b4 6376->6377 6379 7ff6b0555369 6378->6379 6380 7ff6b0555364 6378->6380 6382 7ff6b0555370 6379->6382 6381 7ff6b0555310 14 API calls 6380->6381 6381->6379 6383 7ff6b0555385 6382->6383 6384 7ff6b0555380 6382->6384 6383->6376 6385 7ff6b0555310 14 API calls 6384->6385 6385->6383 7112 7ff6b0551a34 7113 7ff6b0551a44 pre_c_initialization 7112->7113 7129 7ff6b05557ac 7113->7129 7115 7ff6b0551a50 pre_c_initialization 7135 7ff6b0551ea4 7115->7135 7117 7ff6b05521f0 __scrt_fastfail 7 API calls 7119 7ff6b0551aea __scrt_initialize_default_local_stdio_options 7117->7119 7118 7ff6b0551a69 _RTC_Initialize 7127 7ff6b0551abe pre_c_initialization 7118->7127 7140 7ff6b05520b8 7118->7140 7121 7ff6b0551a7e pre_c_initialization 7143 7ff6b0555010 7121->7143 7127->7117 7128 7ff6b0551ada 7127->7128 7130 7ff6b05557bd 7129->7130 7131 7ff6b05557c5 7130->7131 7132 7ff6b0556934 _set_fmode 14 API calls 7130->7132 7131->7115 7133 7ff6b05557d4 7132->7133 7134 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7133->7134 7134->7131 7136 7ff6b0551eb9 7135->7136 7139 7ff6b0551ec2 __scrt_initialize_onexit_tables 7135->7139 7137 7ff6b05521f0 __scrt_fastfail 7 API calls 7136->7137 7136->7139 7138 7ff6b0551f7b 7137->7138 7139->7118 7168 7ff6b0552068 7140->7168 7142 7ff6b05520c1 7142->7121 7144 7ff6b0555030 7143->7144 7158 7ff6b0551a8a 7143->7158 7145 7ff6b0555038 7144->7145 7146 7ff6b055504e GetModuleFileNameW 7144->7146 7147 7ff6b0556934 _set_fmode 14 API calls 7145->7147 7150 7ff6b0555079 pre_c_initialization 7146->7150 7148 7ff6b055503d 7147->7148 7149 7ff6b05565b4 _invalid_parameter_noinfo 31 API calls 7148->7149 7149->7158 7151 7ff6b0554fb0 pre_c_initialization 14 API calls 7150->7151 7152 7ff6b05550b9 7151->7152 7153 
7ff6b05550d9 pre_c_initialization 7152->7153 7154 7ff6b05550c1 7152->7154 7159 7ff6b05550fb 7153->7159 7161 7ff6b0555127 7153->7161 7162 7ff6b0555140 7153->7162 7155 7ff6b0556934 _set_fmode 14 API calls 7154->7155 7156 7ff6b05550c6 7155->7156 7157 7ff6b0556954 __free_lconv_mon 14 API calls 7156->7157 7157->7158 7158->7127 7167 7ff6b0552190 InitializeSListHead 7158->7167 7160 7ff6b0556954 __free_lconv_mon 14 API calls 7159->7160 7160->7158 7163 7ff6b0556954 __free_lconv_mon 14 API calls 7161->7163 7165 7ff6b0556954 __free_lconv_mon 14 API calls 7162->7165 7164 7ff6b0555130 7163->7164 7166 7ff6b0556954 __free_lconv_mon 14 API calls 7164->7166 7165->7159 7166->7158 7169 7ff6b0552097 7168->7169 7171 7ff6b055208d _onexit 7168->7171 7172 7ff6b0555cf4 7169->7172 7171->7142 7175 7ff6b0555940 7172->7175 7182 7ff6b0559b50 EnterCriticalSection 7175->7182 6386 7ff6b056076e 6387 7ff6b056077d 6386->6387 6388 7ff6b0560787 6386->6388 6390 7ff6b0559ba4 LeaveCriticalSection 6387->6390 6391 7ff6b0560670 6394 7ff6b0554bf8 6391->6394 6395 7ff6b0557574 _set_fmode 14 API calls 6394->6395 6396 7ff6b0554c16 6395->6396 6397 7ff6b0558770 6398 7ff6b055877c 6397->6398 6400 7ff6b05587a3 6398->6400 6401 7ff6b0559ca4 6398->6401 6402 7ff6b0559ca9 6401->6402 6406 7ff6b0559ce4 6401->6406 6403 7ff6b0559cca DeleteCriticalSection 6402->6403 6404 7ff6b0559cdc 6402->6404 6403->6403 6403->6404 6405 7ff6b0556954 __free_lconv_mon 14 API calls 6404->6405 6405->6406 6406->6398 6407 7ff6b055283c 6410 7ff6b055286c _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 6407->6410 6408 7ff6b055295d 6409 7ff6b0552928 RtlUnwindEx 6409->6410 6410->6408 6410->6409 7183 7ff6b0551afc 7190 7ff6b05523d4 SetUnhandledExceptionFilter 7183->7190 6178 7ff6b0557278 6179 7ff6b055727d 6178->6179 6183 7ff6b0557292 6178->6183 6184 7ff6b0557298 6179->6184 6185 7ff6b05572da 6184->6185 6186 7ff6b05572e2 6184->6186 6187 7ff6b0556954 __free_lconv_mon 14 API calls 6185->6187 6188 7ff6b0556954 __free_lconv_mon 
14 API calls 6186->6188 6187->6186 6189 7ff6b05572ef 6188->6189 6190 7ff6b0556954 __free_lconv_mon 14 API calls 6189->6190 6191 7ff6b05572fc 6190->6191 6192 7ff6b0556954 __free_lconv_mon 14 API calls 6191->6192 6193 7ff6b0557309 6192->6193 6194 7ff6b0556954 __free_lconv_mon 14 API calls 6193->6194 6195 7ff6b0557316 6194->6195 6196 7ff6b0556954 __free_lconv_mon 14 API calls 6195->6196 6197 7ff6b0557323 6196->6197 6198 7ff6b0556954 __free_lconv_mon 14 API calls 6197->6198 6199 7ff6b0557330 6198->6199 6200 7ff6b0556954 __free_lconv_mon 14 API calls 6199->6200 6201 7ff6b055733d 6200->6201 6202 7ff6b0556954 __free_lconv_mon 14 API calls 6201->6202 6203 7ff6b055734d 6202->6203 6204 7ff6b0556954 __free_lconv_mon 14 API calls 6203->6204 6205 7ff6b055735d 6204->6205 6210 7ff6b0557148 6205->6210 6224 7ff6b0559b50 EnterCriticalSection 6210->6224 6411 7ff6b0557640 6418 7ff6b055aa20 6411->6418 6419 7ff6b055a7f8 try_get_function 5 API calls 6418->6419 6420 7ff6b055aa48 TlsAlloc 6419->6420 6422 7ff6b0551c40 6423 7ff6b0552380 __scrt_is_managed_app GetModuleHandleW 6422->6423 6424 7ff6b0551c47 pre_c_initialization 6423->6424 5712 7ff6b05555cc 5713 7ff6b05555e9 GetModuleHandleW 5712->5713 5714 7ff6b0555633 5712->5714 5713->5714 5720 7ff6b05555f6 5713->5720 5722 7ff6b05554c4 5714->5722 5716 7ff6b0555675 5719 7ff6b0555687 5720->5714 5736 7ff6b05556d4 GetModuleHandleExW 5720->5736 5742 7ff6b0559b50 EnterCriticalSection 5722->5742 5724 7ff6b05554e0 5725 7ff6b05554fc 14 API calls 5724->5725 5726 7ff6b05554e9 5725->5726 5727 7ff6b0559ba4 Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 5726->5727 5728 7ff6b05554f1 5727->5728 5728->5716 5729 7ff6b0555688 5728->5729 5743 7ff6b0559bc0 5729->5743 5732 7ff6b05556c2 5734 7ff6b05556d4 3 API calls 5732->5734 5733 7ff6b05556b1 GetCurrentProcess TerminateProcess 5733->5732 5735 7ff6b05556c9 ExitProcess 5734->5735 5737 7ff6b05556fa GetProcAddress 5736->5737 5738 7ff6b0555719 5736->5738 5737->5738 5739 7ff6b0555711 5737->5739 
5740 7ff6b0555729 5738->5740 5741 7ff6b0555723 FreeLibrary 5738->5741 5739->5738 5740->5714 5741->5740 5744 7ff6b0559bde 5743->5744 5746 7ff6b0555695 5743->5746 5747 7ff6b055a9d0 5744->5747 5746->5732 5746->5733 5750 7ff6b055a7f8 5747->5750 5751 7ff6b055a859 5750->5751 5756 7ff6b055a854 try_get_function 5750->5756 5751->5746 5752 7ff6b055a93c 5752->5751 5755 7ff6b055a94a GetProcAddress 5752->5755 5753 7ff6b055a888 LoadLibraryExW 5754 7ff6b055a8a9 GetLastError 5753->5754 5753->5756 5754->5756 5755->5751 5756->5751 5756->5752 5756->5753 5757 7ff6b055a921 FreeLibrary 5756->5757 5758 7ff6b055a8e3 LoadLibraryExW 5756->5758 5757->5756 5758->5756 6226 7ff6b0551c8c 6229 7ff6b05520d0 6226->6229 6230 7ff6b0551c95 6229->6230 6231 7ff6b05520f3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6229->6231 6231->6230 7191 7ff6b0555e0c 7192 7ff6b0556954 __free_lconv_mon 14 API calls 7191->7192 7193 7ff6b0555e1c 7192->7193 7194 7ff6b0556954 __free_lconv_mon 14 API calls 7193->7194 7195 7ff6b0555e30 7194->7195 7196 7ff6b0556954 __free_lconv_mon 14 API calls 7195->7196 7197 7ff6b0555e44 7196->7197 7198 7ff6b0556954 __free_lconv_mon 14 API calls 7197->7198 7199 7ff6b0555e58 7198->7199 7226 7ff6b0555dcc 7227 7ff6b0555dfd 7226->7227 7228 7ff6b0555de5 7226->7228 7228->7227 7229 7ff6b0556954 __free_lconv_mon 14 API calls 7228->7229 7229->7227 6232 7ff6b055838c 6233 7ff6b05583b6 6232->6233 6234 7ff6b05588fc _set_fmode 14 API calls 6233->6234 6235 7ff6b05583d5 6234->6235 6236 7ff6b0556954 __free_lconv_mon 14 API calls 6235->6236 6237 7ff6b05583e3 6236->6237 6238 7ff6b05588fc _set_fmode 14 API calls 6237->6238 6239 7ff6b055840d 6237->6239 6240 7ff6b05583ff 6238->6240 6243 7ff6b0558416 6239->6243 6244 7ff6b055ab4c 6239->6244 6242 7ff6b0556954 __free_lconv_mon 14 API calls 6240->6242 6242->6239 6245 7ff6b055a7f8 try_get_function 5 API calls 6244->6245 6246 7ff6b055ab82 6245->6246 6247 7ff6b055ab8c 6246->6247 6248 7ff6b055ab97 

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: Internet$CloseConditionFileHandleMasklstrcmpi$LibraryOpen$AddressCreateFindFreeInfoLoadMessageModuleNamePathPostProcRemoveSleepSpecVerifyVersionWindow
                                        • String ID: CryptCATAdminAcquireContext2$PairVPN_cls$\\.\PVETH$https://pairv.net/dev/install.php?err=t%d$wintrust.dll
                                        • API String ID: 2313333693-2263244140
                                        • Opcode ID: bb3eec7c3492c672487cd582cc17121aa8502d23b46e23a010ff6af31e45bc6f
                                        • Instruction ID: f63c696deef449dc76503ecf3ff7db6077dc0ca3e8cf745cd4cd58818e6150c7
                                        • Opcode Fuzzy Hash: bb3eec7c3492c672487cd582cc17121aa8502d23b46e23a010ff6af31e45bc6f
                                        • Instruction Fuzzy Hash: 02812636A0C682A2EB608B29E6643BA7B61FF84780F445135CB4DC6F64EF7CD544C704
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: DeviceInfoSetup$CreateErrorLastList$Destroy
                                        • String ID: \\.\PVETH$pveth$r6M
                                        • API String ID: 239284424-1178298180
                                        • Opcode ID: 5988e6157ca7f7e794a9477beb987d82aacc090ec68ff0316e45f3fed771612b
                                        • Instruction ID: 635053fe7e5fca88cda1842447a4d6a105192e0ae7270b391d2551f10a33f5ce
                                        • Opcode Fuzzy Hash: 5988e6157ca7f7e794a9477beb987d82aacc090ec68ff0316e45f3fed771612b
                                        • Instruction Fuzzy Hash: 5F516D3AA0CA81A6EB608F29EA547A93BA5FB447A4F400231DB4DC2FA4DF3CD544C744
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Setup$Device$Info$ClassDestroyEnumList$CallDevsGet_InstallerNode_PropertyRegistrySelectedStatuswcsstr
                                        • String ID: $PairVPN Network Adapter
                                        • API String ID: 95707926-1194100514
                                        • Opcode ID: 0d4d26fc68ed55e62b83b69bf22d34b1c2cab50ff971402166ee3284b4ffea95
                                        • Instruction ID: 11438f5c662b55a39ef4baedfba23c200ce2816e0c86e1a3aef30697a2a3207e
                                        • Opcode Fuzzy Hash: 0d4d26fc68ed55e62b83b69bf22d34b1c2cab50ff971402166ee3284b4ffea95
                                        • Instruction Fuzzy Hash: F241623A60C642A2EB508B29F5643BA7BA0FB85794F541635DB4EC2FA4DF7CD409CB04
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: Open$CloseQueryValue$Enum
                                        • String ID: %s\%s$@$ComponentId$MacAddress$SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}$dows$pveth
                                        • API String ID: 3519472934-49098168
                                        • Opcode ID: 09a5dbfaf26cdd9eb80a18225455f08190ec77b05c9eb6cb8af91e3218f315f3
                                        • Instruction ID: 3fc00c6fc52a728de31938c0498c30386efac569b70df6b52eb873fd2b3bfcf5
                                        • Opcode Fuzzy Hash: 09a5dbfaf26cdd9eb80a18225455f08190ec77b05c9eb6cb8af91e3218f315f3
                                        • Instruction Fuzzy Hash: 29813F3660CB8196EB208F69E5547AABBA4FB49394F440235DB8D87F68DF7CD184CB04
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Similarity
                                        • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                        • String ID:
                                        • API String ID: 1664584033-0
                                        • Opcode ID: 5a7faafd83a74ff8ffc41cf50628bb0aad924412064540e899df9bcfd8de565b
                                        • Instruction ID: d41112e93e0160478c0ac4d41f17e7a31446cf53e8edc0005c820620d5e601a8
                                        • Opcode Fuzzy Hash: 5a7faafd83a74ff8ffc41cf50628bb0aad924412064540e899df9bcfd8de565b
                                        • Instruction Fuzzy Hash: C7314C2BE0C207A5FA14A76D96613BD2E919F45784F844434DB0ECBFF7DE2DA8448348
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: c4e2dc9b7e11eb9aaa1e69c8b109474d117b6f4814dcc67f3ff29f39d74aea43
                                        • Instruction ID: 6cc2ba71ba6caee9ae50c93a67552a23523da468f5b9fb8f7826eb7577a13546
                                        • Opcode Fuzzy Hash: c4e2dc9b7e11eb9aaa1e69c8b109474d117b6f4814dcc67f3ff29f39d74aea43
                                        • Instruction Fuzzy Hash: DAE04825B0C74552FB5467795AA537D36516F44741F144538CB4EC7772CE3DE444C300
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Similarity
                                        • API ID: HandleModule$AddressFreeLibraryProc
                                        • String ID:
                                        • API String ID: 3947729631-0
                                        • Opcode ID: a5385da17ff3ebcf2e3b17a687684422e28ce26f38e708bc7f901617c0ba32e9
                                        • Instruction ID: 4cbd579ab50751931d802460fe1470d9e757125a6d6063257da28e7328248f76
                                        • Opcode Fuzzy Hash: a5385da17ff3ebcf2e3b17a687684422e28ce26f38e708bc7f901617c0ba32e9
                                        • Instruction Fuzzy Hash: 88216836F09B819AEB108F68C5603AC3AB0EB44708F85453AD70C87B85DF78D485CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 3215553584-0
                                        • Opcode ID: d2bb7464af729a4be4a44dba36f005038d02a4d764f8f77bb1a7fb8f863c9a45
                                        • Instruction ID: 8424a9bb2862180eb97070a5d8ef094c4475b27e5b0809ea14f0d83f9febba4c
                                        • Opcode Fuzzy Hash: d2bb7464af729a4be4a44dba36f005038d02a4d764f8f77bb1a7fb8f863c9a45
                                        • Instruction Fuzzy Hash: EA113D3B91C682A6F720AB1CA6402796AB4EB80780F554535D75D87FA6DF3CE8108B40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6B05575D1,?,?,?,00007FF6B055693D,?,?,?,?,00007FF6B05557D4), ref: 00007FF6B0558951
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 35c93f3c64bc04b3f1fe4ce5a1a65dff6d95e55c0600028538337e8b9ce1f872
                                        • Instruction ID: 079916b74f0be073ae9ef5505027753a79eb94ffe8fcf017b76293c91393aa30
                                        • Opcode Fuzzy Hash: 35c93f3c64bc04b3f1fe4ce5a1a65dff6d95e55c0600028538337e8b9ce1f872
                                        • Instruction Fuzzy Hash: E5F0CD5BB0D20360FE6457AE8B113F82AA02F88B80F0C0434CB0ED6FD2DD2DE4848211
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 808467561-2761157908
                                        • Opcode ID: b550c01877cce58f3d5e3e6964ea04c067201ece84c37d388ad1dcbe12cb6042
                                        • Instruction ID: beaa52e0a9009bcab367266e1c1a603e1cd2c3669e0d952b9941bb37a447da3f
                                        • Opcode Fuzzy Hash: b550c01877cce58f3d5e3e6964ea04c067201ece84c37d388ad1dcbe12cb6042
                                        • Instruction Fuzzy Hash: 1FB2A1BBA1C2829EE7658E6DD6407F92FA1FB44788F505135DB0A97F84DF38A940CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 3215553584-0
                                        • Opcode ID: e3a581d8e46b80029fb9a2fa56736852ee1f2e022ff00931e9c1985116f6a039
                                        • Instruction ID: 769ce19c62457b8aa1b314de02fc0f3dcd9f68d0a8b42bfd51115176cbfc9497
                                        • Opcode Fuzzy Hash: e3a581d8e46b80029fb9a2fa56736852ee1f2e022ff00931e9c1985116f6a039
                                        • Instruction Fuzzy Hash: E9A1C367B1D68191EA60CB2A96002FA6BA0FB44BE4F444536EF5E97FD4DF3CE4458700
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                        • String ID:
                                        • API String ID: 1239891234-0
                                        • Opcode ID: 402b09af9edbf346ca551e622a0080c31ee747c03ef40c80db943752cf5856cb
                                        • Instruction ID: a9b14008a3f87b2beb2bd860f9c7ad40357a50247e891f2c8747e0e1b39bc263
                                        • Opcode Fuzzy Hash: 402b09af9edbf346ca551e622a0080c31ee747c03ef40c80db943752cf5856cb
                                        • Instruction Fuzzy Hash: 5C315C37618B8196DB608B29E9803AE7BA4FB89794F540135EB9D83BA5DF38C145CB00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Similarity
                                        • API ID: ErrorFileLastWrite$Console
                                        • String ID:
                                        • API String ID: 786612050-0
                                        • Opcode ID: a0c48ebf1bb9b268af23baad0b1a42c1a50667dbfeb126827b399f1caca8d3ab
                                        • Instruction ID: 57b7e6d4ddf4f117e1320408d38de649297fb77a0ad5db1720c43bc3d47d5547
                                        • Opcode Fuzzy Hash: a0c48ebf1bb9b268af23baad0b1a42c1a50667dbfeb126827b399f1caca8d3ab
                                        • Instruction Fuzzy Hash: 09E1DF77B0CA81AAE714CB68D6442ED7BB1FB44798B540136CB8E87F99DE38E056C300
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID: gfffffff
                                        • API String ID: 3215553584-1523873471
                                        • Opcode ID: e2bbc7d6315dcd47d367a06b7bbfb15a049f77282ba102e80a4de1ae60e43378
                                        • Instruction ID: 15981dac985a87a38c8015f18fdba3368a170a68ad29a060b726fe6848a6428c
                                        • Opcode Fuzzy Hash: e2bbc7d6315dcd47d367a06b7bbfb15a049f77282ba102e80a4de1ae60e43378
                                        • Instruction Fuzzy Hash: BD91166BB0D6C996EB11CB29E1047BD6BA9AB54B80F05C031CB5D87B91EE3DE506C301
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: memcpy_s
                                        • String ID:
                                        • API String ID: 1502251526-0
                                        • Opcode ID: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                        • Instruction ID: d611eb597cc3e38aa057242e2c4a6f5128895840ee62b93874fd8579b9c229e4
                                        • Opcode Fuzzy Hash: 4ea583caa57715286bcbaff0c0c248d65fdcd68c244adb70adfc071040c02cb8
                                        • Instruction Fuzzy Hash: E7C1A177A1C6869BE724CF19E64876ABB91FB84784F448135DB4A83B84DF3DE841CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise_clrfp
                                        • String ID:
                                        • API String ID: 15204871-0
                                        • Opcode ID: 3016e5c902860fd6bb847925bff36bb10a0e5324808f9a26888d497749d3215d
                                        • Instruction ID: 3a9940cb49810272a80349f756774b39940b702429886362536a4823c0a52cb8
                                        • Opcode Fuzzy Hash: 3016e5c902860fd6bb847925bff36bb10a0e5324808f9a26888d497749d3215d
                                        • Instruction Fuzzy Hash: 78B16A77604B858BEB55CF2DC9863683BA0F784B88F148922DB5D83BA4CF39D851C710
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID: 0
                                        • API String ID: 3215553584-4108050209
                                        • Opcode ID: dcd0c2c0282ee3da9c195a7fe8e7928cebb520d42cd6d83034e0b2cbaaefc648
                                        • Instruction ID: e88b240e2441178fe695bd8dbe54170ee64bdf9f6b814acdf99e522bdb21b1de
                                        • Opcode Fuzzy Hash: dcd0c2c0282ee3da9c195a7fe8e7928cebb520d42cd6d83034e0b2cbaaefc648
                                        • Instruction Fuzzy Hash: 6F61F62FA0C25266FA688A2D52023BE5F91AB4274CF441531EF49D7F99CE2DF8478F05
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: b266ade7abc58fac76d1039f40240f4b22a1fc5616c4e4a7c79d11253ef2196f
                                        • Instruction ID: ab873331aaf7ed3285bdd4e84cb1f6156c13d341a0da9db5935b39ddc07c7e49
                                        • Opcode Fuzzy Hash: b266ade7abc58fac76d1039f40240f4b22a1fc5616c4e4a7c79d11253ef2196f
                                        • Instruction Fuzzy Hash: A9B09221E0FA42D2EA482B19AE862282AA47F48750F984039C20CC2720DE2C24E54700
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 485612231-0
                                        • Opcode ID: 1b53f613ba489f45d47d26a3481dbb03858e724d308116d12554827087c06a80
                                        • Instruction ID: 5b9ecaddbe16814b8f132773cc3759b0083c6dc011ca80db9b251aead3e63a12
                                        • Opcode Fuzzy Hash: 1b53f613ba489f45d47d26a3481dbb03858e724d308116d12554827087c06a80
                                        • Instruction Fuzzy Hash: E041E227718A5496EF04CF6ADA64269BBA1BB48FE4B099132DF4DC7F58EE3CD0458300
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4b7c54b43f600f29056c8ef5a348bf2a13cc2d619325a53f76f35e7c0c32b32
                                        • Instruction ID: cfb99ea2a2d9030445e548c44b3ceb98c0b4d56e590704fb7eebf9f4b23d8293
                                        • Opcode Fuzzy Hash: d4b7c54b43f600f29056c8ef5a348bf2a13cc2d619325a53f76f35e7c0c32b32
                                        • Instruction Fuzzy Hash: B8F0EC72A596959AEBA48F2CA9436397BA0F7483C4F908139D69DC2F14DE3C94618F04
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d3a7b5f126a6dac3373390c747dea908d47bd7a66998aee05e1c11b553d4ae1a
                                        • Instruction ID: a2322cbe10affbbbc90c9dbc75022bb664bd49374d16bf6b45d68ccb4f4d8e72
                                        • Opcode Fuzzy Hash: d3a7b5f126a6dac3373390c747dea908d47bd7a66998aee05e1c11b553d4ae1a
                                        • Instruction Fuzzy Hash: 24A0012690C906A0E6088B18AAA01702B20AB56340B860436C30DC1A609E3DA505C304
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph (legend: Executed / Not Executed)
                                        control_flow_graph 639 7ff6b0557fa0-7ff6b0557fcc 640 7ff6b0557fec-7ff6b0557fee 639->640 641 7ff6b0557fce-7ff6b0557fd2 639->641 643 7ff6b0557ffe-7ff6b0558090 640->643 644 7ff6b0557ff0-7ff6b0557ffa 640->644 642 7ff6b0557fd7-7ff6b0557feb call 7ff6b0551a10 641->642 646 7ff6b0558095-7ff6b055809d 643->646 644->643 646->646 647 7ff6b055809f-7ff6b05580c0 call 7ff6b0555ee8 646->647 647->642 651 7ff6b05580c6-7ff6b05580d4 647->651 652 7ff6b05580d6 call 7ff6b05565d4 651->652 653 7ff6b05580db-7ff6b0558100 652->653 655 7ff6b055811a-7ff6b055811d 653->655 656 7ff6b0558102-7ff6b0558115 call 7ff6b0556934 call 7ff6b05565b4 653->656 655->656 657 7ff6b055811f-7ff6b0558122 655->657 667 7ff6b055834d-7ff6b0558363 656->667 657->656 659 7ff6b0558124-7ff6b055812f 657->659 659->656 661 7ff6b0558131-7ff6b0558141 659->661 663 7ff6b0558143-7ff6b0558149 661->663 664 7ff6b0558150 661->664 663->664 666 7ff6b055814b-7ff6b055814e 663->666 668 7ff6b0558153-7ff6b055815e 664->668 666->668 669 7ff6b05581d4-7ff6b05581e1 668->669 670 7ff6b0558160-7ff6b0558175 668->670 672 7ff6b05581e7-7ff6b05581f0 669->672 673 7ff6b0558316-7ff6b0558345 669->673 670->669 671 7ff6b0558177-7ff6b0558187 670->671 674 7ff6b0558189-7ff6b055818c 671->674 675 7ff6b05581b5-7ff6b05581cf call 7ff6b0557fa0 671->675 676 7ff6b05582dd-7ff6b0558314 call 7ff6b0557a78 672->676 677 7ff6b05581f6-7ff6b05581f9 672->677 673->667 678 7ff6b0558348 call 7ff6b0557708 673->678 679 7ff6b05581a5-7ff6b05581b1 674->679 680 7ff6b055818e-7ff6b055819b 674->680 675->667 676->667 682 7ff6b05581fb-7ff6b05581fe 677->682 683 7ff6b0558253-7ff6b05582ac call 7ff6b055c17c call 7ff6b055bc64 677->683 678->667 679->675 680->679 685 7ff6b055819d-7ff6b05581a3 680->685 688 7ff6b0558217-7ff6b055824e call 7ff6b0557e6c 682->688 689 7ff6b0558200-7ff6b0558203 682->689 698 7ff6b05582b6-7ff6b05582db call 7ff6b0557d28 683->698 699 7ff6b05582ae-7ff6b05582b1 683->699 685->675 688->667 689->673 693 7ff6b0558209-7ff6b055820c 689->693 693->676 696 7ff6b0558212-7ff6b0558215 693->696 696->683 696->688 698->667 699->667
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                        • API String ID: 3215553584-2617248754
                                        • Opcode ID: 3237609d159ab10ba46c234358a695c2e54ff65d7a14f5c5a90dc946218dc2a7
                                        • Instruction ID: 1f5769a94b65ea24d85a40791b3223116a7d578966b181c97906a941e471dadc
                                        • Opcode Fuzzy Hash: 3237609d159ab10ba46c234358a695c2e54ff65d7a14f5c5a90dc946218dc2a7
                                        • Instruction Fuzzy Hash: DB418937B09B85A9E700CF29E9503AD3BA9EB14794F404636EB9C97B98DE3CD525C340
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                        • String ID: CONOUT$
                                        • API String ID: 3230265001-3130406586
                                        • Opcode ID: 0fe5b4f37c695c0b6f3e2a81311337362fccd03361fac54772e26fa38c741f50
                                        • Instruction ID: e280caa51b436d7e80549dacd140d16863c57a17f14a89127ae5804aa9ff9810
                                        • Opcode Fuzzy Hash: 0fe5b4f37c695c0b6f3e2a81311337362fccd03361fac54772e26fa38c741f50
                                        • Instruction Fuzzy Hash: 48118122A1CA4196E7508B5AE9543397BA0FB88BE4F044234EF5DC7FA4CF7CD4448744
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 020c3e3b8397da258905466786b244da60fa815f70b42cf1ce6b1b270428b315
                                        • Instruction ID: 873d7909fbf227eed8b783ca842c0e10771bc3233792cfa28e11630c44958676
                                        • Opcode Fuzzy Hash: 020c3e3b8397da258905466786b244da60fa815f70b42cf1ce6b1b270428b315
                                        • Instruction Fuzzy Hash: 19F03066B2DA42E1EF544B59E6543782B60EF48794F481435D70FC6B64CE2CE488C704
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B055E5F5
                                        • GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00007FF6B055E573,00000000,?,?,00007FF6B055B467), ref: 00007FF6B055E6B4
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,00007FF6B055E573,00000000,?,?,00007FF6B055B467), ref: 00007FF6B055E734
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                        • String ID:
                                        • API String ID: 2210144848-0
                                        • Opcode ID: ba599d37922e8b35450661dbd2541b4a2ae53d1d8957be9b2ee07974836a1339
                                        • Instruction ID: 50ad712e653c98cc52f4959f5ccd580867a93a1b3244926e9f16953869339f4f
                                        • Opcode Fuzzy Hash: ba599d37922e8b35450661dbd2541b4a2ae53d1d8957be9b2ee07974836a1339
                                        • Instruction Fuzzy Hash: 3481A12BE2C69269FB589B6996503BD2E60FB48B88F444135DB0F93F91DF3CA481C710
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: _set_statfp
                                        • String ID:
                                        • API String ID: 1156100317-0
                                        • Opcode ID: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                        • Instruction ID: 22cac884e29139ddd12a25ae9e5d1b6322bce222a218d88b97b156b1875c6db3
                                        • Opcode Fuzzy Hash: a2ede21bcdb1ffc6f849cceea62f3b27e54c7ac4f1c2c35b27aa84f998c663a0
                                        • Instruction Fuzzy Hash: AE118F2FE2CA0321F764116CEE563761991AF59374F140634EF6E86FDA9E2CA8824314
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID: $*
                                        • API String ID: 3215553584-3982473090
                                        • Opcode ID: 5f42d9d014ee1588c64c3ccdc5e5e23c51e44588fa4a3c6a4008550626ce6456
                                        • Instruction ID: 8d219ba2750ee65905f409ab17f145e980f852bcab4725ee775e6497ad7458b4
                                        • Opcode Fuzzy Hash: 5f42d9d014ee1588c64c3ccdc5e5e23c51e44588fa4a3c6a4008550626ce6456
                                        • Instruction Fuzzy Hash: A3614D7B90C682AAE7658E2C825A37C3FE5FB05B48F141135CB4EC6B99CF6CE485C610
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
                                        • Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
                                        • Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
                                        Similarity
                                        • API ID: _invalid_parameter_noinfo
                                        • String ID: -$e+000$gfff
                                        • API String ID: 3215553584-2620144452
                                        • Opcode ID: 7af458d71af61469ff462d0940fb275d492fe203a7865171285d0f7806464871
                                        • Instruction ID: 4b46bc438eb594458edaca08f0c9ed9926514033fc5354ec82d17815a2ed37f2
                                        • Opcode Fuzzy Hash: 7af458d71af61469ff462d0940fb275d492fe203a7865171285d0f7806464871
                                        • Instruction Fuzzy Hash: 52510367B1C6CA96E7258F29AA413696E95EB41B90F48D231CB9C87FD5DE2CE440C700
                                        Uniqueness

                                        Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B0555042
  • Part of subcall function 00007FF6B0556954: HeapFree.KERNEL32(?,?,?,00007FF6B055A0D4,?,?,?,00007FF6B055A117,?,?,?,00007FF6B055A640,?,?,?,00007FF6B055A573), ref: 00007FF6B055696A
  • Part of subcall function 00007FF6B0556954: GetLastError.KERNEL32(?,?,?,00007FF6B055A0D4,?,?,?,00007FF6B055A117,?,?,?,00007FF6B055A640,?,?,?,00007FF6B055A573), ref: 00007FF6B055697C
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6B0551A8A), ref: 00007FF6B0555060
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Program Files (x86)\PairVPN\pvextra.exe
• API String ID: 3580290477-4152167777
• Opcode ID: 829086d5f288950163d6e815c60d8609ef9d20e9991c2d6761801bd4b349b457
• Instruction ID: fe983174c9e7f5c2d9a71616804a52b3366bf978e29077f802898de86769f869
• Opcode Fuzzy Hash: 829086d5f288950163d6e815c60d8609ef9d20e9991c2d6761801bd4b349b457
• Instruction Fuzzy Hash: 69415B3BA0CA42AAEB55DF299A512BD6FA4EF44BC4B444035EB4E83F95DF3DE441C240
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: d76e9eb8e4cb4d33fc0e7d841fb88eff722859b8b9ef7c3f9c56f83c400f3ac2
• Instruction ID: 660766dfdd47d80fe78c7fb1521862b78b4d56372f8bebb988b38bb446e55984
• Opcode Fuzzy Hash: d76e9eb8e4cb4d33fc0e7d841fb88eff722859b8b9ef7c3f9c56f83c400f3ac2
• Instruction Fuzzy Hash: CF418263A1CA8192DB208F29E5443BA6B61FB94794F954131EF4EC7B98EF3CD441C740
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
• Opcode ID: 638d72dc1494de3329927df1e099a8a615afebceb2dcaae9a00e6920830c51c6
• Instruction ID: 06ed29faa2ec1897d3ba50fdb5516b0d1769e4904412a6ed71597f44ca596c39
• Opcode Fuzzy Hash: 638d72dc1494de3329927df1e099a8a615afebceb2dcaae9a00e6920830c51c6
• Instruction Fuzzy Hash: E311F936A0CB8196D7608B1AF5402AABBA4FB89B90F544136EF8D83F19CF3CD5448B04
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpintry_get_function
• String ID: InitializeCriticalSectionEx
• API String ID: 539475747-3084827643
• Opcode ID: 3a28449e5091563fde798cd67d43612959404555a26bea36366b14b03b30ea30
• Instruction ID: 8a87a21680b56ecc1f8595d5ee42a95578644b741aaa20776bee3801b15b4e94
• Opcode Fuzzy Hash: 3a28449e5091563fde798cd67d43612959404555a26bea36366b14b03b30ea30
• Instruction Fuzzy Hash: F0F0BE2BB0C781B1EB148B4DE2000B82A61BF48B90F484032DB1E83F24CE3CD485C394
Uniqueness
• Uniqueness Score: -1.00%

APIs
• try_get_function.LIBVCRUNTIME ref: 00007FF6B055AB21
• TlsSetValue.KERNEL32(?,?,?,00007FF6B05575BE,?,?,?,00007FF6B055693D,?,?,?,?,00007FF6B05557D4), ref: 00007FF6B055AB38
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: 06aa6bbb2d3b826af3bd25507ce4197e01d196bcdc1a01ed42ab7ec79a7663f7
• Instruction ID: da4aa1d0dd8f8cb3b0bc09a6f69e05406ad36d89ab67ad4a238b39126d07cfd0
• Opcode Fuzzy Hash: 06aa6bbb2d3b826af3bd25507ce4197e01d196bcdc1a01ed42ab7ec79a7663f7
• Instruction Fuzzy Hash: BAE06D77A0C642B1EB045F5DEA011B92A62BF48790F884077DB5E86BA4CE3CE885C300
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: DownlevelLocaleName__crttry_get_function
• String ID: LocaleNameToLCID
• API String ID: 404522899-2050040251
• Opcode ID: 797307345ba7f005f64fd82550ab31a90b4a6bd62e563c7f112acd02ccc99a47
• Instruction ID: 9490bef5991761d8861ed192e11452ded1b04af649e8fc6ceb77c4c0337e307d
• Opcode Fuzzy Hash: 797307345ba7f005f64fd82550ab31a90b4a6bd62e563c7f112acd02ccc99a47
• Instruction Fuzzy Hash: 72E09237B1C682B2FB149B5CE6401F92B61AF88790F585032E71D46F61CE3CE885D300
Uniqueness
• Uniqueness Score: -1.00%

APIs
• try_get_function.LIBVCRUNTIME ref: 00007FF6B05530FD
• TlsSetValue.KERNEL32(?,?,?,00007FF6B0552D9D,?,?,?,?,00007FF6B0552A68,?,?,?,?,00007FF6B0551E7F), ref: 00007FF6B0553114
Strings
Memory Dump Source
• Source File: 00000003.00000002.2276211450.00007FF6B0551000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6B0550000, based on PE: true
• Associated: 00000003.00000002.2276184090.00007FF6B0550000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276244831.00007FF6B0561000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276275800.00007FF6B056B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.2276300645.00007FF6B056D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6b0550000_pvextra.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Opcode ID: feb758a2245b8b23874f5e766c6fb482d8e997023c06ae54dbe5c1f330d4ec5e
• Instruction ID: 175f179ba2afb43249c140a681f7eee3073bfb7e4be379a04653a7963e36982e
• Opcode Fuzzy Hash: feb758a2245b8b23874f5e766c6fb482d8e997023c06ae54dbe5c1f330d4ec5e
• Instruction Fuzzy Hash: 9CE06D67E0CA02A1EF045B6AF6011B43A61AF48BD1F4C5032DB1E87B64CE3CE884C314
Uniqueness
• Uniqueness Score: -1.00%