Edit tour

Windows Analysis Report
tier2tickets-1.1.2.30.msi

Overview

General Information

Sample name:	tier2tickets-1.1.2.30.msi
Analysis ID:	1431851
MD5:	730ea796a4ff8f3089f6e705899ce8fd
SHA1:	4d9ae22f1a6e701107c56b48b8a9306d169c6bdb
SHA256:	1c085dbabf6f11a9429e70a282635f911a2ad70e8aba561032a193afee8325bb
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

msiexec.exe (PID: 6276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6324 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2200 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB MD5: 9D09DC1EDA745A5F87553048E57620CF)

expand.exe (PID: 5504 cmdline: "C:\Windows\System32\expand.exe" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

buttonInst.exe (PID: 6948 cmdline: "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: D599A693E02EFB8AC51F3D338F49CD00)

buttonInst.tmp (PID: 6288 cmdline: "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: 11EAA1FC1DF81C0847576F864B0E152D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws

Source:

Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: tier2tickets-1.1.2.30.msi

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.00000000025B3000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sciter.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000257E000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.000000000093A000.00000004.00000020.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sciter.com/)
Source: buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: buttonInst.exe, 00000010.00000000.1313063987.0000000000401000.00000020.00000001.01000000.00000008.sdmp, tier2tickets-1.1.2.30.msi, files.cab.5.dr, b1735a914504ec48bfb96ea649d26c3b.tmp.13.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: buttonInst.exe, 00000010.00000002.2470220175.00000000023BC000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.tier2tickets.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.tier2tickets.com/8http://www.tier2tickets.com/
Source: buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.00000000023CA000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.tier2.tech/
Source: buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.tier2.tech/03c

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6bac16.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4EF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4F0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD3C.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIB4F0.tmp

Jump to behavior

Source: buttonInst.tmp.16.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: buttonInst.tmp.16.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: tier2tickets-1.1.2.30.msi

Binary or memory string: OriginalFileName vs tier2tickets-1.1.2.30.msi

Source: classification engine

Classification label: clean6.winMSI@13/20@0/0

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFEC9C4299B9F15C7A.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Process created: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Process created: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.TIER2TICKETS SOFTWARE LICENSE TERMSThis Application (or Component) uses Sciter Engine (http://sciter.com/) copyright Terra Informatica Software Inc.These license terms are an agreement between Tier2Technologies and you. Please read them. They apply to the software you are downloading from helpdeskbuttons.com which includes the media on which you received it if any. The terms also apply to any Tier2Tickets updates supplements Internet-based services and support servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.If you comply with these license terms you have the rights below. 1. INSTALLATION AND USE RIGHTS You may install and use any number of copies of the software on your devices. 2. Scope of License The software is licensed not sold. This agreement only gives you some rights to use the software. Tier2Technologies reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not work around any technical limitations in the binary versions of the software; reverse engineer decompile or disassemble the binary versions of the software except and only to the extent that applicable law expressly permits despite this limitation; make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation; publish the software for others to copy; rent lease or lend the software; transfer the software or this agreement to any third party; or use the software for commercial software hosting services. 3. SENSITIVE INFORMATION Please be aware that similar to other debug tools that capture "process state" information files saved by Tier2Tickets software may include personally identifiable or other sensitive information (such as usernames passwords paths to files accessed and paths to registry accessed). By using this software you acknowledge that you are aware of this and take sole responsibility for any personally identifiable or other sensitive information provided to Tier2Technologies or any other party through your use of the software. 4. DOCUMENTATION Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes. 6. Export Restrictions The software is subject to United States export laws

Source: tier2tickets-1.1.2.30.msi

Static file information: File size 57679872 > 1048576

Source:

Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: tier2tickets-1.1.2.30.msi

Source: b1735a914504ec48bfb96ea649d26c3b.tmp.13.dr	Static PE information: section name: .didata
Source: buttonInst.tmp.16.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	File created: C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	File created: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4F0.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\1e940d3d81264ae2b69b6193605488f3$dpx$.tmp\b1735a914504ec48bfb96ea649d26c3b.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD3C.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB4F0.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICD3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB4F0.tmp	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\System32\expand.exe" -R files.cab -F:* files			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\expand.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4CDD51A3D1F5203214B0C6C532230391C746426D Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB4F0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSICD3C.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
http://www.innosetup.com/	0%	Avira URL Cloud	safe
https://www.tier2.tech/	0%	Avira URL Cloud	safe
http://sciter.com/	0%	Avira URL Cloud	safe
https://www.tier2.tech/03c	0%	Avira URL Cloud	safe
http://www.tier2tickets.com/	0%	Avira URL Cloud	safe
http://www.innosetup.com/	2%	Virustotal		Browse
http://www.tier2tickets.com/8http://www.tier2tickets.com/	0%	Avira URL Cloud	safe
http://sciter.com/)	0%	Avira URL Cloud	safe
http://www.tier2tickets.com/	0%	Virustotal		Browse
http://sciter.com/	1%	Virustotal		Browse
https://www.tier2.tech/	0%	Virustotal		Browse
http://sciter.com/)	1%	Virustotal		Browse
http://www.tier2tickets.com/8http://www.tier2tickets.com/	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.tier2.tech/	buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.00000000023CA000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.tier2.tech/03c	buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sciter.com/	buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.00000000025B3000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	buttonInst.exe, 00000010.00000003.1315479302.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000003.1314801953.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000000.1317703515.0000000000401000.00000020.00000001.01000000.00000009.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	buttonInst.exe, 00000010.00000000.1313063987.0000000000401000.00000020.00000001.01000000.00000008.sdmp, tier2tickets-1.1.2.30.msi, files.cab.5.dr, b1735a914504ec48bfb96ea649d26c3b.tmp.13.dr	false		high
http://www.tier2tickets.com/	buttonInst.exe, 00000010.00000002.2470220175.00000000023BC000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000262C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://sciter.com/)	buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.exe, 00000010.00000002.2470220175.0000000002350000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2471305078.000000000257E000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.000000000093A000.00000004.00000020.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000002.2470121064.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tier2tickets.com/8http://www.tier2tickets.com/	buttonInst.exe, 00000010.00000003.1313689616.0000000002660000.00000004.00001000.00020000.00000000.sdmp, buttonInst.tmp, 00000011.00000003.1319359338.0000000002D70000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431851
Start date and time:	2024-04-25 21:41:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tier2tickets-1.1.2.30.msi
Detection:	CLEAN
Classification:	clean6.winMSI@13/20@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	PDFXVwer.zip	Get hash	malicious	Unknown	Browse
	Git-2.44.0-64-bit.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse

Created / dropped Files

C:\Config.Msi\6bac17.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	547
Entropy (8bit):	5.380902041267027
Encrypted:	false
SSDEEP:	12:EgcBR3mXJ7YlPWd+dj//orfN2zWotPtnLxqGmXt4FV8Un:UBtJedIjd6yQG04P8Un
MD5:	04EDB2F70FBE28D6305E56A2F43C8E30
SHA1:	68FF27342C6AD21DC5322D94DF26B022DD45FCC9
SHA-256:	A2A467D0203636FF27C5BA8F2DD768590279EBCCD18FF6D5BB3C55301037E48B
SHA-512:	DA356D1690679BF1BF26DE5163456D2F64F9AB1B37E190507DE3DF529F096472F16A6C0E9C760F2B11CE2D966A3499205D345D7E30FC540A2704B693EB632E92
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@H..X.@.....@.....@.....@.....@.....@......&.{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}..Tier2Tickets..tier2tickets-1.1.2.30.msi.@.....@.....@.....@......ProductIcon..&.{849F6498-E493-4377-A6FB-B41A2AD9FF3E}.....@.....@.....@.....@.......@.....@.....@.......@......Tier2Tickets......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}.@........bz.LateInstallFinish1

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 57205123 bytes, 1 file, at 0x2c +A "buttonInst.exe", ID 51466, number 1, 1746 datablocks, 0 compression
Category:	dropped
Size (bytes):	57205123
Entropy (8bit):	7.995997070204551
Encrypted:	true
SSDEEP:	1572864:0YYLVJgEDEiD3/D4O/bxTXhSJmibz6fj9XkOJg:0RLViER3/8O/d8J7o3Jg
MD5:	1ED1440463BB3083C3996B3070686467
SHA1:	E9810D0EDB39E08B0196ED6FCDE1318D0A71E997
SHA-256:	144A96F41FC2691EAD87C3490D893EFECB250689FABA5D6533463E159D46B830
SHA-512:	C0F4A169C84AFA2AABEB7A106240AB27817195DEE6EB69B7C231A771934147D821E41136AAFEE63A8C38E8B75717C2499622CEF0BD48F70A5BDCFF099D119546
Malicious:	false
Reputation:	low
Preview:	MSCF......h.....,...................K.........h........X8. .buttonInst.exe..".7....MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3..\.................j...........~............@..........................`......].h...@......@...................`.......@.......................h..............................................................B..@....P.......................text....P.......R.................. ..`.itext..h....p.......V.............. ..`.data....7.......8...n..............@....bss....lg...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc...............................@..@.............

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\1e940d3d81264ae2b69b6193605488f3$dpx$.tmp\b1735a914504ec48bfb96ea649d26c3b.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57191080
Entropy (8bit):	7.996073085031995
Encrypted:	true
SSDEEP:	1572864:DAOTswhEODgxzhV28sLcKJxCvyvpnlvYTJFX3t:DPTswE1zhU8sA7vSqT3t
MD5:	D599A693E02EFB8AC51F3D338F49CD00
SHA1:	B16DD87F6734990E5FD9C31648DFB85A2E84DEC0
SHA-256:	DE32A590B3C5C7CE7D39A8F2BDBBE9E08E1BE79B0175425C5D92CA648924CFAF
SHA-512:	EBCD00CB00E0BAC3C291D403F3D106A4334BFA1D3D0217C9B5D1E2D57300B691D054EF4051FC701FDC8E1333551BD2FEB15B7DA67C9E6B639E9FB235BD533072
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3..\.................j...........~............@..........................`......].h...@......@...................`.......@.......................h..............................................................B..@....P.......................text....P.......R.................. ..`.itext..h....p.......V.............. ..`.data....7.......8...n..............@....bss....lg...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc...............................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57191080
Entropy (8bit):	7.996073085031995
Encrypted:	true
SSDEEP:	1572864:DAOTswhEODgxzhV28sLcKJxCvyvpnlvYTJFX3t:DPTswE1zhU8sA7vSqT3t
MD5:	D599A693E02EFB8AC51F3D338F49CD00
SHA1:	B16DD87F6734990E5FD9C31648DFB85A2E84DEC0
SHA-256:	DE32A590B3C5C7CE7D39A8F2BDBBE9E08E1BE79B0175425C5D92CA648924CFAF
SHA-512:	EBCD00CB00E0BAC3C291D403F3D106A4334BFA1D3D0217C9B5D1E2D57300B691D054EF4051FC701FDC8E1333551BD2FEB15B7DA67C9E6B639E9FB235BD533072
Malicious:	false
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...3..\.................j...........~............@..........................`......].h...@......@...................`.......@.......................h..............................................................B..@....P.......................text....P.......R.................. ..`.itext..h....p.......V.............. ..`.data....7.......8...n..............@....bss....lg...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc...............................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	533
Entropy (8bit):	5.450534315589838
Encrypted:	false
SSDEEP:	12:bsP6MCA6q5IkMqGl1QqEAmr4Ixt5+pz11QqJJeIh4:gP6vA5U1f+1DO51/eF
MD5:	CB05DC913B6354EB0A795264459FE0B9
SHA1:	809FA1110C580778BF087E1CFF9741681B08D03B
SHA-256:	B05DCB2E4BEB370B34B3C54065D8990E77C293C7F514949248F7B017C46C3C10
SHA-512:	F7D4FB465FAE64A5FBC112F4170158A4DC21E696AA99C3B55C5B50F3B038811D6C2EA6FCCA97DE583E326E5308082A032F6230D253BFA95F52B645225026439E
Malicious:	false
Reputation:	low
Preview:	[MSI Wrapper]..WrappedApplicationId=helpDeskButtons.com_main_is1..InstallSuccessCodes=0,1234=3010..ElevationMode=always..SetupFileName=C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe..SetupParameters= /NORESTART /RESTARTEXITCODE=1234 ..WorkingDir=..CurrentDir=SOURCEDIR..UILevel=5..Focus=yes..FilesDir=C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\..RunBeforeInstallFile=..RunBeforeInstallParameters=..RunAfterInstallFile=..RunAfterInstallParameters=..

C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2762240
Entropy (8bit):	6.355121756859024
Encrypted:	false
SSDEEP:	49152:rdrGT9oY0SAQ4+YI1Qb1oWGxblxZa0o857j/hn:rFGTv1QtGxHZabu
MD5:	11EAA1FC1DF81C0847576F864B0E152D
SHA1:	FE1AE61C7BE2581B17B13D02D10BCF1B72DEA77F
SHA-256:	9765B010F59E05D201F2679E3FC3E8DFAA53AF0F5BD145A3C9130D104269D3D6
SHA-512:	561199D5A30B2F9C8A6E519C20F4E8B1A25FB50A094A343E830FB2A389C90CA6B373A0E3DA1A32802DF862107000F80ECD7A313364DEE8DEDB333B806C471A91
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...4..\..................$..f........$.......$...@...........................+...........@......@....................&.......%..5...@&......................................................0&.....................D.%.@.....&......................text...(.$.......$................. ..`.itext...&....$..(....$............. ..`.data...4Z....$..\....$.............@....bss.....q...@%..........................idata...5....%..6....%.............@....didata.......&......R%.............@....edata........&......\%.............@..@.tls....D.... &..........................rdata..]....0&......^%.............@..@.rsrc........@&......`%.............@..@..............'.......&.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: MBSetup.exe, Detection: malicious, Browse Filename: PDFXVwer.zip, Detection: malicious, Browse Filename: Git-2.44.0-64-bit.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\6bac16.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Tier2Tickets 1.1.2.30, Subject: Tier2Tickets, Author: Tier2 Technologies, Keywords: Installer, Comments: The perfect ticket, every time., Template: Intel;1033, Revision Number: {849F6498-E493-4377-A6FB-B41A2AD9FF3E}, Create Time/Date: Wed Apr 10 10:26:06 2019, Last Saved Time/Date: Wed Apr 10 10:26:06 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (9.0.30.0), Security: 2
Category:	dropped
Size (bytes):	57679872
Entropy (8bit):	7.991679729550703
Encrypted:	true
SSDEEP:	1572864:8YYLVJgEDEiD3/D4O/bxTXhSJmibz6fj9XkOJX:8RLViER3/8O/d8J7o3JX
MD5:	730EA796A4FF8F3089F6E705899CE8FD
SHA1:	4D9AE22F1A6E701107C56B48B8A9306D169C6BDB
SHA-256:	1C085DBABF6F11A9429E70A282635F911A2AD70E8ABA561032A193AFEE8325BB
SHA-512:	E963C66C5A6DDF60CA0CB9ABE04E820863FE2D8804BD6A12D63634750B1D86FD8BF35225102542C5D0AF1A6CE3B6C1E9B8674C7869B20A3A81C0510336110840
Malicious:	false
Preview:	......................>........................6...........6...............6...6...6...6...6...6...6...6...6...6...6...6...6...7......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB4EF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	500060
Entropy (8bit):	5.992586416235528
Encrypted:	false
SSDEEP:	6144:X/tWxOo6HFxhXv/tWxOo6HFxhX9vD/EzasP:XFWxOo6lvFWxOo6l9b/Ez7P
MD5:	19CA9A25D174E50303C6FEFABA49F4EF
SHA1:	DB8E8D61AFA4A5B59C5D5CE08254AFEF9971FA08
SHA-256:	834A786962947040FF3B90A821EDDEA961990F796A2443F70B6086CE9C8B5383
SHA-512:	7BD3A6BCDE2DCB623C547168548B4A9521D50F4431BD7979724B5F1C7947DEB10155FAA06A0FD889C2245F0077630CEACAEF6BC676D32592797FD0FDE000C5EA
Malicious:	false
Preview:	...@IXOS.@.....@E..X.@.....@.....@.....@.....@.....@......&.{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}..Tier2Tickets..tier2tickets-1.1.2.30.msi.@.....@.....@.....@......ProductIcon..&.{849F6498-E493-4377-A6FB-B41A2AD9FF3E}.....@.....@.....@.....@.......@.....@.....@.......@......Tier2Tickets......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}T.02:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\helpDeskButtons.com_main_is1\LogonUser.@.......@.....@.....@........bz.LateInstallFinish1....J...bz.LateInstallFinish1.@..........MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..v)zz%)zz%)zz%7(.%.zz%7(.%8zz%7(.%Vzz%...%&zz%)z{%.zz%7(.%*zz%7(.%(zz%7(.%(zz%Rich)zz%........................PE..L......\...........!.....f......................................

C:\Windows\Installer\MSIB4F0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	131584
Entropy (8bit):	6.341761260198238
Encrypted:	false
SSDEEP:	1536:Uap3yqfujzpU9YLJcTHVKcnXbe9ud6dYV7k8apkAlSQvqR86s2HlxIz3d/X89Zkk:Mjds/tkhnxOlW6QTuFtFQYOEfI5Qcq
MD5:	BD237AAC254BD2285AA3B2D9023BEEDC
SHA1:	3D2715C92A301DCAD0D3D4683D559886202DEC37
SHA-256:	B126B59C75F9E3CA19BD5F901C462325E954BAF5719765BB0EA4A6E09B6B6B69
SHA-512:	72E912C23B6D3220B0B8D4FF262A28797ECC163449221ED5E5E047C3B0706F4B85211E74E61A3AC0EF6B1D5DDA35EB341E2528A607AC3FCA883C1D60967FAA0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..v)zz%)zz%)zz%7(.%.zz%7(.%8zz%7(.%Vzz%...%&zz%)z{%.zz%7(.%*zz%7(.%(zz%7(.%(zz%Rich)zz%........................PE..L......\...........!.....f...................................................P......4l....@.........................`...]...\|........ .......................0......p...................................@...............(............................text...2d.......f.................. ..`.rdata...d.......f...j..............@..@.data...<,..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSICD3C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	131584
Entropy (8bit):	6.341761260198238
Encrypted:	false
SSDEEP:	1536:Uap3yqfujzpU9YLJcTHVKcnXbe9ud6dYV7k8apkAlSQvqR86s2HlxIz3d/X89Zkk:Mjds/tkhnxOlW6QTuFtFQYOEfI5Qcq
MD5:	BD237AAC254BD2285AA3B2D9023BEEDC
SHA1:	3D2715C92A301DCAD0D3D4683D559886202DEC37
SHA-256:	B126B59C75F9E3CA19BD5F901C462325E954BAF5719765BB0EA4A6E09B6B6B69
SHA-512:	72E912C23B6D3220B0B8D4FF262A28797ECC163449221ED5E5E047C3B0706F4B85211E74E61A3AC0EF6B1D5DDA35EB341E2528A607AC3FCA883C1D60967FAA0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..v)zz%)zz%)zz%7(.%.zz%7(.%8zz%7(.%Vzz%...%&zz%)z{%.zz%7(.%*zz%7(.%(zz%7(.%(zz%Rich)zz%........................PE..L......\...........!.....f...................................................P......4l....@.........................`...]...\|........ .......................0......p...................................@...............(............................text...2d.......f.................. ..`.rdata...d.......f...j..............@..@.data...<,..........................@....rsrc........ ......................@..@.reloc.......0... ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7718637693230657
Encrypted:	false
SSDEEP:	12:JSbX72FjsFGiAGiLIlHVRpuBh/7777777777777777777777777vDHFQ9AqRR4li:JSFJQI58/Ip2DF
MD5:	05EF4D838EE22D21BC9E738CE2B48BC9
SHA1:	24BFC58987234C1B314FEF3D6024FD5234466213
SHA-256:	E3380B7238CCCA766549156C1DC47B29331063E5AD6FA3D2902A4DDA3AA5B55D
SHA-512:	883C69303012223440DB4E1172ECAD3E25F173092FC3568F7538FCACDFFA2414F987DDFD87AC50D0382E105B254FB1CDF2161EBFDA4C8B05DD1C724FE9BEF8C1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2116976668899655
Encrypted:	false
SSDEEP:	48:gLiu4PveFXJFT5gcddSP3rNddSB4rVyG:ii4tTGqgq1
MD5:	BDC8FEFAB2C24C4C1EDDD66328A24CAD
SHA1:	EB273A1C1912A7235EA03AD070BFE032241B8901
SHA-256:	2B132EFE758B807E7883857C1AFD606FCD6898AA18B1DDF7DDBFA170D35A7DDD
SHA-512:	8024516877037B347153A164697800457B27EAD02E8DA9503F2C8B5E06450674F9816FD0ED19D39A808B37410CC7143D557A801F1D131AA2CBC6874661B24031
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\DPX\setupact.log

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	345727
Entropy (8bit):	4.386442656001503
Encrypted:	false
SSDEEP:	192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7Y:9
MD5:	B69BE1578208668443767796243E6724
SHA1:	37748DB7CBE8E6AB545F53493AD65A3B0D6C43C7
SHA-256:	88D07E96CC18C73982A591A49511DC9108A6760A3E8CEA0DBEC0E4C239C4A34A
SHA-512:	AAF2746DB9D0CD255510BF618E47AB627E90B8DFE519B9ADCEB8B211309D0659FB463E5F7BEF8CDBE7613789C951112EFE42CF39513112750B245EA1AF3D6351
Malicious:	false
Preview:	.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	454234
Entropy (8bit):	5.356163729868745
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpEG90D5JG81IIgMU
MD5:	7D775A32F7669E9EB56DB031C448C389
SHA1:	0056AD186E67084B1A3E32E80C04D583FAE00E0F
SHA-256:	643807AFC4CD5A2F5228C056F0604C01D177893CBF7DFE15A14303634E5202CE
SHA-512:	94B91B2658904B4FA66EDB84A5176776DBB561E6BF4981918C937872689B003BE10027389DEADB832045B8D60223AC573FCC6E5254888F6425A4A8C0AA6E5B5B
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0A30F811EA05CE4B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	0.10446030578342254
Encrypted:	false
SSDEEP:	24:9yGrVJfAebfddipV7qddipVdVKwGElrkg9SD+:9yGhrfddSBqddSP3rK
MD5:	634B5B5D3CBDC6BC73BD47F1ED37B1DF
SHA1:	E5111B9FFCFB29A8D7D7008E60079198E3C63184
SHA-256:	07AD5FB1FAF47FAFA312887E8124C19E7758350CEDC165C7A6DB00BFC88258D6
SHA-512:	DD80D62D21E62C9B34F1F03B1604D616C96BD8E65814027AD9C0C112635D0E1AF43F5659E5A2426978885BB69C0F4A07D80DF9BFB8C55D61AA544E054279033E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF752AA580B45876F3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDD82B8D98C0DD2B5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2116976668899655
Encrypted:	false
SSDEEP:	48:gLiu4PveFXJFT5gcddSP3rNddSB4rVyG:ii4tTGqgq1
MD5:	BDC8FEFAB2C24C4C1EDDD66328A24CAD
SHA1:	EB273A1C1912A7235EA03AD070BFE032241B8901
SHA-256:	2B132EFE758B807E7883857C1AFD606FCD6898AA18B1DDF7DDBFA170D35A7DDD
SHA-512:	8024516877037B347153A164697800457B27EAD02E8DA9503F2C8B5E06450674F9816FD0ED19D39A808B37410CC7143D557A801F1D131AA2CBC6874661B24031
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEC9C4299B9F15C7A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07608537758805417
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOQ9XQedRRBWlkDyVky6lX:2F0i8n0itFzDHFQ9AqRR4l+X
MD5:	B9587EA4DC71716D664143A9CC734B30
SHA1:	00640E4B66DB32D6A947E911EBBB6194298A26C1
SHA-256:	2E7925E3DFB987ACF527AC68B3E50797D62A5B874D9A5209705598B687988765
SHA-512:	E9D80308112E8149F88AC5CA179388586A22352A193C8B9F49B1BCADE7AECA0190F6E7EB030B35F002FDA4D5C6A8C2CBE06F42B17A8C4513E256AE5C38966328
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.7473325523440435
Encrypted:	false
SSDEEP:	6:zx3MmSLQHtBXVNsRDQtRQHwDvFvAy0w2DIZJQn:zK/0HtBFNEDAQQDdeDYJQn
MD5:	9AD56516FB016C153BE24A2B1D891FAD
SHA1:	42B8F7EE0AF21E6C03582BCA212566E867B9AE11
SHA-256:	D370FF4EB8E5706B2218A0E9F91A611A40D13F045FE47BB0B3159BD556BE0D86
SHA-512:	4DABDA6F196A598B249377101D1FB4E4E310DA48821EBC5617D500AD55A04AA2D61E24E87DDB931BB8EA1EBF890BFE07E8B04940B714472E80F7D0C8A4DB1E98
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\buttonInst.exe to Extraction Queue....Expanding Files ......Progress: 0 out of 1 files..Expanding Files Complete .....

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Tier2Tickets 1.1.2.30, Subject: Tier2Tickets, Author: Tier2 Technologies, Keywords: Installer, Comments: The perfect ticket, every time., Template: Intel;1033, Revision Number: {849F6498-E493-4377-A6FB-B41A2AD9FF3E}, Create Time/Date: Wed Apr 10 10:26:06 2019, Last Saved Time/Date: Wed Apr 10 10:26:06 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (9.0.30.0), Security: 2
Entropy (8bit):	7.991679729550703
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	tier2tickets-1.1.2.30.msi
File size:	57'679'872 bytes
MD5:	730ea796a4ff8f3089f6e705899ce8fd
SHA1:	4d9ae22f1a6e701107c56b48b8a9306d169c6bdb
SHA256:	1c085dbabf6f11a9429e70a282635f911a2ad70e8aba561032a193afee8325bb
SHA512:	e963c66c5a6ddf60ca0cb9abe04e820863fe2d8804bd6a12d63634750b1d86fd8bf35225102542c5d0af1a6ce3b6c1e9b8674c7869b20a3a81c0510336110840
SSDEEP:	1572864:8YYLVJgEDEiD3/D4O/bxTXhSJmibz6fj9XkOJX:8RLViER3/8O/d8J7o3JX
TLSH:	85C733E3E9BDD2AAC0482E394562D2340EB26D3DA5137C4F66BCE5C8FA32180DD35675
File Content Preview:	........................>........................6...........6...............6...6...6...6...6...6...6...6...6...6...6...6...6...7.............................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	1
Start time:	21:42:05
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi"
Imagebase:	0x7ff67a860000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	21:42:05
Start date:	25/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff67a860000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	21:42:08
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB
Imagebase:	0xdb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	21:42:12
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\expand.exe" -R files.cab -F:* files
Imagebase:	0x740000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:42:12
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:42:14
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000
Imagebase:	0xdb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:42:15
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Imagebase:	0x400000
File size:	57'191'080 bytes
MD5 hash:	D599A693E02EFB8AC51F3D338F49CD00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	21:42:15
Start date:	25/04/2024
Path:	C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
Imagebase:	0x400000
File size:	2'762'240 bytes
MD5 hash:	11EAA1FC1DF81C0847576F864B0E152D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tier2tickets-1.1.2.30.msi

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6bac17.rbs

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files.cab

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\1e940d3d81264ae2b69b6193605488f3$dpx$.tmp\b1735a914504ec48bfb96ea649d26c3b.tmp

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe (copy)

C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini

C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp

C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp

C:\Windows\Installer\6bac16.msi

C:\Windows\Installer\MSIB4EF.tmp

C:\Windows\Installer\MSIB4F0.tmp

C:\Windows\Installer\MSICD3C.tmp

C:\Windows\Installer\SourceHash{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Logs\DPX\setupact.log

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF0A30F811EA05CE4B.TMP

C:\Windows\Temp\~DF752AA580B45876F3.TMP

C:\Windows\Temp\~DFDD82B8D98C0DD2B5.TMP

C:\Windows\Temp\~DFEC9C4299B9F15C7A.TMP

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
tier2tickets-1.1.2.30.msi