Windows Analysis Report
tier2tickets-1.1.2.30.msi

Overview

General Information

Sample name: tier2tickets-1.1.2.30.msi
Analysis ID: 1431851
MD5: 730ea796a4ff8f3089f6e705899ce8fd
SHA1: 4d9ae22f1a6e701107c56b48b8a9306d169c6bdb
SHA256: 1c085dbabf6f11a9429e70a282635f911a2ad70e8aba561032a193afee8325bb

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.**TIER2TICKETS SOFTWARE LICENSE TERMS**This Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.**BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.****If you comply with these license terms you have the rights below.** 1. **INSTALLATION AND USE RIGHTS** You may install and use any number of copies of the software on your devices. 2. **Scope of License** The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. **SENSITIVE INFORMATION** Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. **DOCUMENTATION** Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. **Export Restrictions** The software is subject to United States export laws
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: tier2tickets-1.1.2.30.msi
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.00000000025B3000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://sciter.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000257E000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.000000000093A000.00000004.00000020.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.0000000000947000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sciter.com/)
Source: buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.innosetup.com/
Source: buttonInst.exe, 00000010.00000000.1313063987.0000000000401000.00000020.00000001.01000000.00000008.sdmp, tier2tickets-1.1.2.30.msi, files.cab.5.dr, b1735a914504ec48bfb96ea649d26c3b.tmp.13.dr String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: buttonInst.exe, 00000010.00000002.2470220175.00000000023BC000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tier2tickets.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tier2tickets.com/8http://www.tier2tickets.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.00000000023CA000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.tier2.tech/
Source: buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.tier2.tech/03c
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6bac16.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB4EF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB4F0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICD3C.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIB4F0.tmp
Source: buttonInst.tmp.16.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: buttonInst.tmp.16.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: tier2tickets-1.1.2.30.msi Binary or memory string: OriginalFileName vs tier2tickets-1.1.2.30.msi
Source: classification engine Classification label: clean6.winMSI@13/20@0/0
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFEC9C4299B9F15C7A.TMP
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Process created: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dpx.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.**TIER2TICKETS SOFTWARE LICENSE TERMS**This Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.**BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.****If you comply with these license terms you have the rights below.** 1. **INSTALLATION AND USE RIGHTS** You may install and use any number of copies of the software on your devices. 2. **Scope of License** The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. **SENSITIVE INFORMATION** Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. **DOCUMENTATION** Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. **Export Restrictions** The software is subject to United States export laws
Source: tier2tickets-1.1.2.30.msi Static file information: File size 57679872 > 1048576
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: tier2tickets-1.1.2.30.msi
Source: b1735a914504ec48bfb96ea649d26c3b.tmp.13.dr Static PE information: section name: .didata
Source: buttonInst.tmp.16.dr Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp File created: C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe File created: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICD3C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB4F0.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe (copy)
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\1e940d3d81264ae2b69b6193605488f3$dpx$.tmp\b1735a914504ec48bfb96ea649d26c3b.tmp
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICD3C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB4F0.tmp
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\expand.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4CDD51A3D1F5203214B0C6C532230391C746426D Blob
No contacted IP infos