tigerVPN_Win_v3.1.0.exe
This report is generated from a file or URL submitted to this webservice on May 1st 2017 20:43:36 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
- Persistence
- Modifies System Certificates Settings
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxps://cdn2-tigervpn.netdna-ssl.com/assets/apps/tigerVPN_Win_v3.1.0.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 3
General
The input sample is signed with an invalid certificate
- details
- Error: Not implemented (0x80004001)
- source
- Certificate Data
- relevance
- 10/10
System Security
Modifies System Certificates Settings
- details
"msiexec.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4")
"msiexec.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4"; Key: "BLOB") - source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Suspicious Indicators 23
Anti-Detection/Stealthiness
Queries kernel debugger information
- details
- "<Input Sample>" at 00014502-00002884-00000105-40726755
- source
- API Call
- relevance
- 6/10
Environment Awareness
Contains ability to query CPU information
- details
- cpuid from tigerVPN_Win_v3.1.0.exe (PID: 2884)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Reads the active computer name
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
Reads the cryptographic machine GUID
- details
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
General
Contains ability to find and load resources of a specific module
- details
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
LoadResource@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
FindResourceW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Reads configuration files
- details
"<Input Sample>" read file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\Setup.INI"
"<Input Sample>" read file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\_ISMSIDEL.INI"
"<Input Sample>" read file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\0x0409.ini" - source
- API Call
- relevance
- 4/10
Installation/Persistence
Drops executable files
- details
- "MSIC293.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Network Related
Found potential IP address in binary/memory
- details
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1" - source
- String
- relevance
- 3/10
Remote Access Related
Contains a remote desktop related string
- details
- "Fp.VsI2J5CInMvnc_A7J9b_IzjW=5$hU%c7Wa0" (Indicator for product: Generic VNC)
- source
- String
- relevance
- 10/10
Spyware/Information Retrieval
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
System Destruction
Marks file for deletion
- details
"C:\tigerVPN_Win_v3.1.0.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\tigerVPN_Win_v3.1.0.exe" marked "%TEMP%\~3DC1.tmp" for deletion
"C:\tigerVPN_Win_v3.1.0.exe" marked "%TEMP%\~3DCC.tmp" for deletion
"C:\tigerVPN_Win_v3.1.0.exe" marked "%TEMP%\~41FC.tmp" for deletion - source
- API Call
- relevance
- 10/10
Opens file with deletion access rights
- details
"<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
"<Input Sample>" opened "%TEMP%\~3DC1.tmp" with delete access
"<Input Sample>" opened "%TEMP%\~3DCC.tmp" with delete access
"<Input Sample>" opened "%TEMP%\~41FC.tmp" with delete access - source
- API Call
- relevance
- 7/10
System Security
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Unusual Characteristics
Contains embedded string with suspicious keywords
- details
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "CopyFile" which indicates: "May copy a file"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command" - source
- String
- relevance
- 10/10
Imports suspicious APIs
- details
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegOpenKeyExW
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegEnumKeyW
RegOpenKeyW
RegDeleteValueW
RegEnumKeyExW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetThreadContext
FindResourceExW
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
GetFileSize
WriteProcessMemory
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
Process32FirstW
MapViewOfFile
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
ShellExecuteW
ShellExecuteExW
FindWindowExW
FindWindowW - source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "4053ed765858ee76186aee76653cef760000000000bf36750000000056cc3675000000007cca36750000000037682a756a2cef76d62def760000000020692a750000000029a6367500000000a48d2a7500000000f70e367500000000" to virtual address "0x76FE1000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
Reads information about supported languages
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
Hiding 6 Suspicious Indicators
Informative 23
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
SetUnhandledExceptionFilter@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
Environment Awareness
Contains ability to query machine time
- details
GetLocalTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetSystemTimeAsFileTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetLocalTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetSystemTimeAsFileTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetLocalTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetLocalTime@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine version
- details
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersion@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersion@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersion@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetVersionExW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the system locale
- details
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
EnumSystemLocalesW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetUserDefaultLCID@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetUserDefaultLCID@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
EnumSystemLocalesW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
EnumSystemLocalesW@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetUserDefaultLCID@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query volume size
- details
- GetDiskFreeSpaceExW@KERNELBASE.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
Makes a code branch decision directly after an API that is environment aware
- details
Found API call GetVersion@KERNEL32.dll (Target: "tigerVPN_Win_v3.1.0.exe.bin"; Stream UID: "27553-11130-0047609C")
which is directly followed by "cmp eax, 80000000h" and "jbe 004763C6h". See related instructions: "...
+754 call dword ptr [004EE1A0h] ;GetVersion
+760 cmp eax, 80000000h
+765 jbe 004763C6h" ...
Found API call GetVersionExW@KERNEL32.dll (Target: "tigerVPN_Win_v3.1.0.exe.bin"; Stream UID: "27553-8475-00470B97")
which is directly followed by "cmp dword ptr [ebp-00000108h], ebx" and "jne 00470C26h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000118h
+9 mov eax, dword ptr [00531350h]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 mov eax, dword ptr [ebp+08h]
+22 push ebx
+23 xor ecx, ecx
+25 push esi
+26 mov esi, dword ptr [ebp+0Ch]
+29 mov dword ptr [eax], ecx
+31 lea eax, dword ptr [ebp-00000118h]
+37 push eax
+38 mov dword ptr [esi], ecx
+40 mov dword ptr [ebp-00000118h], 00000114h
+50 call dword ptr [004EE2FCh] ;GetVersionExW
+56 xor ebx, ebx
+58 inc ebx
+59 cmp dword ptr [ebp-00000108h], ebx
+65 jne 00470C26h" ...
Found API call GetVersion@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-1080-0047C920")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004EE1A0h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from tigerVPN_Win_v3.1.0.exe (PID: 2884)
Found API call GetVersion@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-1369-0044EDCA")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004EE1A0h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from tigerVPN_Win_v3.1.0.exe (PID: 2884)
Found API call GetVersionExW@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-1261-00434CFE")
which is directly followed by "cmp word ptr [ebp-00000CE4h], ax" and "jnc 00434DA4h". See related instructions: "...
+174 lea eax, dword ptr [ebp-00000DF8h]
+180 push eax
+181 mov dword ptr [ebp-00000DF8h], 0000011Ch
+191 call dword ptr [004EE2FCh] ;GetVersionExW
+197 xor eax, eax
+199 inc eax
+200 cmp word ptr [ebp-00000CE4h], ax
+207 jnc 00434DA4h" ... from tigerVPN_Win_v3.1.0.exe (PID: 2884)
Found API call GetVersionExW@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-1281-00437C73")
which is directly followed by "cmp dword ptr [ebp-000001E8h], 05h" and "jne 00437E23h". See related instructions: "...
+10 call 004A3A31h
+15 mov ebx, ecx
+17 mov dword ptr [ebp-000001F8h], ebx
+23 mov edi, dword ptr [ebp+08h]
+26 lea eax, dword ptr [ebp-000001ECh]
+32 push eax
+33 mov dword ptr [ebp-000001ECh], 0000011Ch
+43 call dword ptr [004EE2FCh] ;GetVersionExW
+49 cmp dword ptr [ebp-000001E8h], 05h
+56 jne 00437E23h" ... from tigerVPN_Win_v3.1.0.exe (PID: 2884)
Found API call GetVersionExW@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-5099-00470B97")
which is directly followed by "cmp dword ptr [ebp-00000108h], ebx" and "jne 00470C26h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000118h
+9 mov eax, dword ptr [00531350h]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 mov eax, dword ptr [ebp+08h]
+22 push ebx
+23 xor ecx, ecx
+25 push esi
+26 mov esi, dword ptr [ebp+0Ch]
+29 mov dword ptr [eax], ecx
+31 lea eax, dword ptr [ebp-00000118h]
+37 push eax
+38 mov dword ptr [esi], ecx
+40 mov dword ptr [ebp-00000118h], 00000114h
+50 call dword ptr [004EE2FCh] ;GetVersionExW
+56 xor ebx, ebx
+58 inc ebx
+59 cmp dword ptr [ebp-00000108h], ebx
+65 jne 00470C26h" ... from tigerVPN_Win_v3.1.0.exe (PID: 2884)
Found API call GetVersion@KERNEL32.DLL (Target: "tigerVPN_Win_v3.1.0.exe"; Stream UID: "00014502-00002884-40231-7750-0047609C")
which is directly followed by "cmp eax, 80000000h" and "jbe 004763C6h". See related instructions: "...
+754 call dword ptr [004EE1A0h] ;GetVersion
+760 cmp eax, 80000000h
+765 jbe 004763C6h" ... from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 10/10
Possibly tries to detect the presence of a debugger
- details
GetProcessHeap@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetProcessHeap@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884)
GetProcessHeap@KERNEL32.DLL from tigerVPN_Win_v3.1.0.exe (PID: 2884) - source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/60 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Accesses Software Policy Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
Accesses System Certificates Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
Contains PDB pathways
- details
"C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb"
"D:\Workspace\tigervpn-windows\TigerVPN\UninstallHelper\obj\Release\UninstallHelper.pdb" - source
- String
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\~3DC1.tmp"
"<Input Sample>" created file "%TEMP%\~3DCC.tmp"
"<Input Sample>" created file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\Microsoft .NET Framework 4.5.2 Web.prq"
"<Input Sample>" created file "%TEMP%\{DBCB670D-C70C-406C-8F67-2AFE1E912CF3}\TigerVPN.msi"
"<Input Sample>" created file "%TEMP%\~41FC.tmp" - source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MSIC293.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "MSIEXEC.EXE /i "%LOCALAPPDATA%\Downloaded Installations\{17DEC333-A214-4080-AD95-ECD171029F2E}\TigerVPN.msi" SETUPEXEDIR="C:" SETUPEXENAME="tigerVPN_Win_v3.1.0.exe""
- source
- Monitored Target
- relevance
- 3/10
The input sample is signed with a certificate
- details
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: A5:61:63:98:1B:3A:FB:56:2A:C8:94:97:41:89:3E:39:F1:8A:78:3D; see report for more information)
The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4; see report for more information)
The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47; see report for more information) - source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Dropped files
- details
"Tar5D85.tmp" has type "data"
"TigerVPN.msi" has type "Composite Document File V2 Document Can't read SAT"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Microsoft .NET Framework 4.5.2 Web.prq" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"Tar7263.tmp" has type "data"
"94308059B57B3142E455B38A6EB92015" has type "data"
"D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_7CD99609C7409BE30F57B2D32BFAA6A5" has type "data"
"Cab5DA4.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"MSIC293.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"~3DC1.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7" has type "data"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Tar5DA5.tmp" has type "data"
"~41FC.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"~3DCC.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Cab5D84.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"94308059B57B3142E455B38A6EB92015" has type "Microsoft Cabinet archive data 52608 bytes 1 file" - source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
"<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
"<Input Sample>" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
"msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates" - source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0$"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "http://download.microsoft.com/download/B/4/1/B4119C11-0423-477B-80EE-7A474314B347/NDP452-KB2901954-Web.exe"
Pattern match: "http://saturn.installshield.com/is/prerequisites/Microsoft"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://secure.comodo.net/CPS0CU"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t+h0f0"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$+0http://ocsp.comodoca.com0$U0sebastian@tigeratwork.com0"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q+e0c0;+0/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$+0http://ocsp.comodoca.com0"
Pattern match: "http://logo.verisign.com/vslogo.gif0Ue0C93130"
Pattern match: "http://sv.symcb.com/sv.crl0fU"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0U%0"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UF'Sbk!,0`HB0"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "http://nsis.sf.net/NSIS_ErrorError"
Pattern match: "crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0"
Pattern match: "https://www.digicert.com/CPS0d+0VRAny"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDCA-1.crl08642http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w+k0i0$+0http://ocsp.digicert.com0A+05http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0"
Pattern match: "http://www.digicert.com/ssl-cps-repository.htm0d+0VRAny"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0U{h"
Pattern match: "http://crl3.digicert.com/assured-cs-2011a.crl031/-http://crl4.digicert.com/assured-cs-2011a.crl0U"
Pattern match: "http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0U00"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0U+W"
Pattern match: "crl3.digicert.com/EVCodeSigningSHA2-g1.crl07531http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0KU"
Pattern match: "https://www.digicert.com/CPS0g0~+r0p0$+0http://ocsp.digicert.com0H+0"
Pattern match: "http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0U00"
Pattern match: "http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0U00@"
Pattern match: "http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0@"
Pattern match: "http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0U"
Pattern match: "http://crl3.digicert.com/sha2-assured-ts.crl020.,http://crl4.digicert.com/sha2-assured-ts.crl0+y0w0$+0http://ocsp.digicert.com0O+0Chttp://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0PU"
Pattern match: "https://www.digicert.com/CPS0`Hl0"
Pattern match: "ns.adobe.com/xap/1.0/sType/ResourceRef#"
Pattern match: "http://purl.org/dc/elements/1.1/"
Pattern match: "http://ns.adobe.com/photoshop/1.0/"
Pattern match: "www.usertrust.com10UUTN-USERFirst-Object0"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05+"
Pattern match: "www.usertrust.com10UUTN-USERFirst-Object9%^ci930+]0*H"
Pattern match: ".21.2.exe/Aw?CK}xo7iM"
Heuristic match: ")wo@OK_9e&Gz*{ >-2d<u?`(YK;`e>rhfP>)jD!EP!E`DPdDECH,VK*Vv@g12R_` 8j ;rq7+? blR$l?XrGN$}6*-QeMP)kTgCSc2Qh:U67hXU/;;LdZy=.kP"
Heuristic match: "P^^&aTZSrlqIH`v7*O?[GvU}5jsDd5aE5Y8dLo)<3xdgwtsNstZ`M^}LMLqVUEN>~Rw4#,.-c~GSA<P/ki:Z.CR"
Pattern match: "qA.yY/`$hZOOW+@'YZo^?Q9*"
Pattern match: "xiC.AnY/ob^f.vP[3G|"
Pattern match: "Vs-jf.jFTJ/P[e[r_"
Heuristic match: "xx~6.fm"
Pattern match: "qh.od/Y%[FxuUzyF4`Z\Ov#J-$-j2KtJXyjUBTQs"
Heuristic match: "x#?q=9!;ueyq@3u1GD>VZaRDr0@MJLF>w8(5t69zH ):3?nSeY6[A.TsE;'ZgD@xsXYZXPvduQZs?E/-DmOo\Wo>h]7Qx\bl.CM"
Pattern match: "Jzpy8.Vl/3e"
Pattern match: "gA.Jou//+-'wyBD6ftnj8Fo9b'_36~=.U"
Heuristic match: "ubUGyfqHu1TQS]:,OOSVR3q(^%]OrN7lqqKm`]k@!D-K%Ra-D9TKG=x!|~;$\N>M4Aq;Y>Dcs*lC_*Z-hC5lUg,<jf_39s*DY&>] 5yN;n*.Ke"
Heuristic match: "v7=8DQ*>NL^>GXW<J.KR"
Pattern match: "Sb.bHof/~4,{2+NIv"
Pattern match: "RG.dX/2in*"
Pattern match: "4.lML/o^}1x@?ejMyrJ@^OaZCf@Z;4@0m8DbKgP#&|v"
Pattern match: "3nwcc5i.UWf/XW'VFOK=SXA$"
Heuristic match: "!,/M]@t0jz(1OWS1**hJC8\4i\\y=x4Ytw6j[xFG[}JK@eb/XkKQ=>I.aE"
Pattern match: "Gp.Kanp/QFG=BB@q"
Heuristic match: "5_? we^|.vg"
Pattern match: "MB.ohs/!LUlm=Z#sPc!&gZJ;Y:Br{@+I}D[h&so"
Pattern match: "S.yU/gu#j9"
Pattern match: "8sF.LqlA/;Z6&{="
Pattern match: "X.jNEW/5A9?l"
Heuristic match: "}wI_KAUX78zCSqw*NQ8Sv&3+1+b~}]!}_>U7s'?;~nxw*|kXq_jxx7uVo[m2G#/jyBfW37 ]jk?3m9+xvecU9#f\Z!?bs.`T^ZsA]j*L2O-blq5sI_Q#A$.gt"
Heuristic match: "9PrEN`\.Bg"
Pattern match: "hwQVwE.yO/l,Rh"
Pattern match: "j7V4bjX.hAs/?3"
Pattern match: "xP5.zK/j+KLkiP|"
Pattern match: "J.ox/I8#M;qtb`#BWY-t$N3'2=f+P"
Pattern match: "9.zi/N;tw6"
Heuristic match: "{tvLzL<hLGNF|0-$KG.mk"
Pattern match: "yl.kU/[[RKd18?bRdt@ay(H;2.c:$AikdOw)&jh"
Pattern match: "qiQ.LQ/1'CzT"
Pattern match: "o1nXE.mEC/peww"
Pattern match: "Qc.jmn/',1L*K+#K;!EAly*kq"
Heuristic match: "aW:?>~-9fx0x&A&; !'_YUF]O0FE4+frdC8%p#|W Vt6`LWQs0r]YFC&..E>G`U;>%IQi,#k~e&Me7 !ijGEdJILooF-\.pr"
Heuristic match: "OxFC`u9Fg<6 g%2Bcb$|zJr&;9b!Be0vDw|xO;YX7^?nO%sKvOG1sjwLv^.D(a:\;9;vneDo#O1YpDy|R{U|4{a<o@c]Ds0NMa]x3Ta\/<~V~B2?6iVoUx:?.gO_~zVFMmSl;I7_n<cO8oG-E25=M{@m/`6OLd6C102V]CwuIeve \W+7m2]~PF8)3ozy3~3@6O.br"
Heuristic match: "?(7`?>>J>.aw"
Heuristic match: "^IdIFxi!MrZO9{i$/%[B/B1sF,s1I'>OJIv$yuYXJ(]T{(/.CX"
Pattern match: "7.sY/`o"
Pattern match: "6-s.Oui/OZ}r"
Pattern match: "DJL.IcO/mi"
Pattern match: "D.Eu/I^z.T#+^W5z^uB{fiF8?#W"
Pattern match: "H.oJX/3D@Y8{@&^&Br!~z"
Heuristic match: ">(J8bTS0|`E\DX,R0Bj(/s(bhEi`64M&,,SK%~e,|ru*9fYmF*v9INQkt.AR"
Heuristic match: ")TcrsnACjtMbb'}efZeJx[Gy}B2I\tG?%^aoc|$7_g' Frl~YI6kd9$@6@dsH7W#+m9vbdBJ'@*f=HlRH6MmH.je9m$JU7qr&e s,@DV:) ~;AD1(k(([-Jo5N* 7l$jbK>l6Y%.zA"
Pattern match: "M0oK7J.fl/a\07a1aS9"
Heuristic match: "lDReW:qZ@@(gY.,+e;fL @xPU=YJ<PNLFsb'.=Xo\#xxxz:{=>o]V!(]JxOxPb-Cy=Bo,7~ln;X+hbvqhLKc,VVYY`v;xRe2V;;2tR,E=f[~t{%6[@#%;jQlbv+T*P&gB,6-xqTX.UG"
Heuristic match: "Dg }I}IfrH#1uX28OB!&{H@$)I?rl_@M=D^ Q$&{crr@Z.AD"
Pattern match: "D.Vf/bE+rlR74sY!.`KP*Yx\Q]l" - source
- String
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "tigerVPN_Win_v3.1.0.exe.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
File Details
tigerVPN_Win_v3.1.0.exe
- Filename
- tigerVPN_Win_v3.1.0.exe
- Size
- 5.6MiB (5824696 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 4053f835dac39dfe88d70608063ae5aa4d2c01f916346f08402476f12778b754
- MD5
- f592bc0a447b12c443b19696f8596f32
- SHA1
- 1a3179c5a08b5d554e8f29d41d7d0210a44d1418
- ssdeep
- 98304:O/cG0DNRxIzUR8V9401IB1PMFdygA5vo16L4NwcJZlzpDbU6680R0bhM:lG0DNwzUw40sEPygAdo16Lpc/NFs2dM
- imphash
- 57d5188803a6fbcf0352c0e2b516f8a0
- authentihash
- d707d2ed4a1d7167907a49e546c5965d7e5d3a14adc11e4a6e8fbe6efa5d5fd8
- Compiler/Packer
- VC8 -> Microsoft Corporation
Version Info
- LegalCopyright
- Copyright (c) 2015 Flexera Software LLC. All Rights Reserved.
- ISInternalVersion
- 22.0.347
- InternalName
- Setup
- FileVersion
- 3.1.0
- CompanyName
- Tiger At Work
- Internal Build Number
- 158438
- ProductName
- TigerVPN
- ProductVersion
- 3.1.0
- FileDescription
- Setup Launcher Unicode
- ISInternalDescription
- Setup Launcher Unicode
- OriginalFilename
- InstallShield Setup.exe
- Translation
- 0x0409 0x04b0
File Sections
File Imports
File Certificates
Error validating certificate: Not implemented (0x80004001)
Owner | Issuer (Serial) | Validity (from, to) | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00, 12/31/2020 00:59:59 | MD5 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D, SHA1 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00, 12/30/2020 00:59:59 | MD5 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37, SHA1 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=Tiger At Work & Co. k. s., O=Tiger At Work & Co. k. s., STREET=Karadzicova 8A, L=Bratislava, ST=Bratislava, OID.2.5.4.17=82108, C=US | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 7a5de96818fb5151679cbcbe66f00672) | 03/03/2016 01:00:00, 08/07/2017 00:59:59 | MD5 24:77:26:9B:28:26:53:40:FF:82:AD:D6:90:DB:71:97, SHA1 A5:61:63:98:1B:3A:FB:56:2A:C8:94:97:41:89:3E:39:F1:8A:78:3D |
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 4caaf9cadb636fe01ff74ed85b03869d) | 01/19/2010 01:00:00, 01/19/2038 00:59:59 | MD5 1B:31:B0:71:40:36:CC:14:36:91:AD:C4:3E:FD:EC:18, SHA1 AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4 |
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 2e7c87cc0e934a52fe94fd1cb7cd34af) | 05/09/2013 01:00:00, 05/09/2028 00:59:59 | MD5 AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1, SHA1 B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47 |
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
tigerVPN_Win_v3.1.0.exe
(PID: 2884)
- msiexec.exe MSIEXEC.EXE /i "%LOCALAPPDATA%\Downloaded Installations\{17DEC333-A214-4080-AD95-ECD171029F2E}\TigerVPN.msi" SETUPEXEDIR="C:" SETUPEXENAME="tigerVPN_Win_v3.1.0.exe" (PID: 3012)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 00014502-00002884-40231-1259-0043B056 |
2.0.0.0 | Domain/IP reference | 00014502-00002884-40231-1259-0043B056 |
2.5.4.3 | Domain/IP reference | 00014502-00002884-40231-5537-00482178 |
2.9.0.0 | Domain/IP reference | 00014502-00002884-40231-1260-0044ED79 |
2.5.4.11 | Domain/IP reference | 00014502-00002884-40231-5537-00482178 |
2.5.4.10 | Domain/IP reference | 00014502-00002884-40231-5537-00482178 |
49.1.9.1 | Domain/IP reference | 00014502-00002884-40231-5537-00482178 |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00014502-00002884-40231-1586-00419D54 |
Extracted Strings
Extracted Files
Displaying 19 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
MSIC293.tmp
- Size
- 103KiB (105704 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/73
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 04289ede648990e01435a99f616c8fdf
- SHA1
- bc81ff546d812d0f88ed7a98717e77d5e34b61fb
- SHA256
- 6629a2fe72efaded5d12e072a18b0cf065b2c9600a6401645ca1d7804f7edd14
-
-
Informative Selection 4
-
-
TigerVPN.msi
- Size
- 5MiB (5239204 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- f2c0dfd07d70bf9264f76303c98cb03d
- SHA1
- a036ab19ddcda39106c07ae3f3fb868e7285ee61
- SHA256
- c5dcdbc584b81f87f7a2868f1010162268c3f9a488a6e6b0523732d4c637f8fc
-
~3DC1.tmp
- Size
- 5.3KiB (5436 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- 232bbfb3ca48c28e12077a8ddf955c1a
- SHA1
- ec158520da2a4f98425d79d968c34e3539b51895
- SHA256
- 272af5d72df6af63c3dfdc79e3c8ce7138503ac6f11d94166c6154745d897159
-
~3DCC.tmp
- Size
- 5.3KiB (5436 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- 232bbfb3ca48c28e12077a8ddf955c1a
- SHA1
- ec158520da2a4f98425d79d968c34e3539b51895
- SHA256
- 272af5d72df6af63c3dfdc79e3c8ce7138503ac6f11d94166c6154745d897159
-
~41FC.tmp
- Size
- 5.3KiB (5436 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- 232bbfb3ca48c28e12077a8ddf955c1a
- SHA1
- ec158520da2a4f98425d79d968c34e3539b51895
- SHA256
- 272af5d72df6af63c3dfdc79e3c8ce7138503ac6f11d94166c6154745d897159
-
-
Informative 14
-
-
5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
- Size
- 404B (404 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 79173d4b9288a647623a5600572213c8
- SHA1
- adc03775a41bd2074769a4d42fdb8d397922f59a
- SHA256
- 58e6563f86822ce70eafefb97c013e9aacdba3fdfe2edc13c05bad2448ab631d
-
94308059B57B3142E455B38A6EB92015
- Size
- 51KiB (52608 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 52608 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- ff9672cd98bf5d41722d2d1207344c67
- SHA1
- 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
- SHA256
- 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
-
D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_7CD99609C7409BE30F57B2D32BFAA6A5
- Size
- 471B (471 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 61369f8c4eff45f15824ff911c09bd12
- SHA1
- f327644f4a34bc5c19a769ebd9c1876d4d0e9eb5
- SHA256
- 098b2f600384d92f05142c405ba580f9ff1c1486475ddf20a186fa5c2d9a0a60
-
Cab5D84.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Cab5DA4.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Cab7262.tmp
- Size
- 51KiB (52608 bytes)
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- ff9672cd98bf5d41722d2d1207344c67
- SHA1
- 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
- SHA256
- 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
-
MSIB097.tmp
- Size
- 153KiB (156888 bytes)
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- c90f51e8f8c547ce8a48c22ecdcf5304
- SHA1
- b7a5831e3678693ebb254b5720a58020c0772551
- SHA256
- 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
-
Tar5D85.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
Tar5DA5.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
Tar7263.tmp
- Size
- 122KiB (125286 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3012)
- MD5
- 8237156ad13c2cd7c5cc2faa6969fd86
- SHA1
- e5481457795650900ee04db955c87224e2db32f0
- SHA256
- 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825
-
0x0409.ini
- Size
- 22KiB (22490 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- 8586214463bd73e1c2716113e5bd3e13
- SHA1
- f02e3a76fd177964a846d4aa0a23f738178db2be
- SHA256
- 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
-
Microsoft .NET Framework 4.5.2 Web.prq
- Size
- 1.9KiB (1966 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- a84f994d78120bdb03c90414e57e5ab3
- SHA1
- dbd15428e0d058e870a28bacf1a4e6c71918451f
- SHA256
- a751411d0987b2c3a87a84210e1deaaef7504d50e1d74856c30ede5580adbae6
-
Setup.INI
- Size
- 5.3KiB (5436 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- 232bbfb3ca48c28e12077a8ddf955c1a
- SHA1
- ec158520da2a4f98425d79d968c34e3539b51895
- SHA256
- 272af5d72df6af63c3dfdc79e3c8ce7138503ac6f11d94166c6154745d897159
-
_ISMSIDEL.INI
- Size
- 920B (920 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- tigerVPN_Win_v3.1.0.exe (PID: 2884)
- MD5
- b9284508e9557ae2970e4b09c1dc0987
- SHA1
- f61684ea1df5977ab61eb5df304c5fc4f1d09f28
- SHA256
- 3f82ae970860ddc228e149bb9bdfb18ab801c299e1ef45ce048cf5b82477554f
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report to reduce its overall size
- Extracted file "TigerVPN.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c5dcdbc584b81f87f7a2868f1010162268c3f9a488a6e6b0523732d4c637f8fc/analysis/1493668281/")
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report