Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
tier2tickets-1.1.2.30.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Tier2Tickets
1.1.2.30, Subject: Tier2Tickets, Author: Tier2 Technologies, Keywords: Installer, Comments: The perfect ticket, every time.,
Template: Intel;1033, Revision Number: {849F6498-E493-4377-A6FB-B41A2AD9FF3E}, Create Time/Date: Wed Apr 10 10:26:06 2019,
Last Saved Time/Date: Wed Apr 10 10:26:06 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI
Wrapper (9.0.30.0), Security: 2
|
initial sample
|
||
|
C:\Config.Msi\6bac17.rbs
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files.cab
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 57205123 bytes, 1 file, at 0x2c +A "buttonInst.exe", ID 51466, number
1, 1746 datablocks, 0 compression
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\1e940d3d81264ae2b69b6193605488f3$dpx$.tmp\b1735a914504ec48bfb96ea649d26c3b.tmp
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe (copy)
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\msiwrapper.ini
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\is-T7HL2.tmp\_isetup\_setup64.tmp
|
PE32+ executable (console) x86-64, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\6bac16.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Tier2Tickets
1.1.2.30, Subject: Tier2Tickets, Author: Tier2 Technologies, Keywords: Installer, Comments: The perfect ticket, every time.,
Template: Intel;1033, Revision Number: {849F6498-E493-4377-A6FB-B41A2AD9FF3E}, Create Time/Date: Wed Apr 10 10:26:06 2019,
Last Saved Time/Date: Wed Apr 10 10:26:06 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI
Wrapper (9.0.30.0), Security: 2
|
dropped
|
||
|
C:\Windows\Installer\MSIB4EF.tmp
|
data
|
dropped
|
||
|
C:\Windows\Installer\MSIB4F0.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSICD3C.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
|
C:\Windows\Installer\SourceHash{4B54AF2C-B71A-4EDB-A1D3-129A563F1F1E}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Logs\DPX\setupact.log
|
CSV text
|
dropped
|
||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\Temp\~DF0A30F811EA05CE4B.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF752AA580B45876F3.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DFDD82B8D98C0DD2B5.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DFEC9C4299B9F15C7A.TMP
|
data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CRLF, CR, LF line terminators
|
dropped
|
There are 11 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi"
|
||
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB
|
||
|
C:\Windows\SysWOW64\expand.exe
|
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000
|
||
|
C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe
|
"C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234
|
||
|
C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp
|
"C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe"
/NORESTART /RESTARTEXITCODE=1234
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.innosetup.com/
|
unknown
|
||
|
https://www.tier2.tech/
|
unknown
|
||
|
https://www.tier2.tech/03c
|
unknown
|
||
|
http://sciter.com/
|
unknown
|
||
|
http://www.remobjects.com/ps
|
unknown
|
||
|
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
|
unknown
|
||
|
http://www.tier2tickets.com/
|
unknown
|
||
|
http://sciter.com/)
|
unknown
|
||
|
http://www.tier2tickets.com/8http://www.tier2tickets.com/
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4CDD51A3D1F5203214B0C6C532230391C746426D
|
Blob
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4CDD51A3D1F5203214B0C6C532230391C746426D
|
Blob
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\6bac17.rbs
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\6bac17.rbsLow
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6F01EDE4F03AC245B7CDA9B504EB5CF
|
C2FA45B4A17BBDE41A3D21A965F3F1E1
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2570000
|
direct allocation
|
page read and write
|
||
|
23A6000
|
direct allocation
|
page read and write
|
||
|
353C000
|
heap
|
page read and write
|
||
|
2863000
|
heap
|
page read and write
|
||
|
2616000
|
direct allocation
|
page read and write
|
||
|
2398000
|
direct allocation
|
page read and write
|
||
|
260F000
|
direct allocation
|
page read and write
|
||
|
2388000
|
direct allocation
|
page read and write
|
||
|
920000
|
heap
|
page read and write
|
||
|
2568000
|
direct allocation
|
page read and write
|
||
|
25C4000
|
direct allocation
|
page read and write
|
||
|
19A000
|
stack
|
page read and write
|
||
|
352B000
|
heap
|
page read and write
|
||
|
304B000
|
direct allocation
|
page read and write
|
||
|
3508000
|
heap
|
page read and write
|
||
|
835000
|
heap
|
page read and write
|
||
|
2F6E000
|
stack
|
page read and write
|
||
|
64E000
|
unkown
|
page write copy
|
||
|
2342000
|
direct allocation
|
page read and write
|
||
|
3526000
|
heap
|
page read and write
|
||
|
25F8000
|
direct allocation
|
page read and write
|
||
|
23AD000
|
direct allocation
|
page read and write
|
||
|
4A9000
|
unkown
|
page write copy
|
||
|
233B000
|
direct allocation
|
page read and write
|
||
|
22DC000
|
direct allocation
|
page read and write
|
||
|
3538000
|
heap
|
page read and write
|
||
|
3059000
|
direct allocation
|
page read and write
|
||
|
25B3000
|
direct allocation
|
page read and write
|
||
|
29E0000
|
heap
|
page read and write
|
||
|
931000
|
heap
|
page read and write
|
||
|
25A7000
|
direct allocation
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
2FA3000
|
direct allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
25A0000
|
direct allocation
|
page read and write
|
||
|
25BD000
|
direct allocation
|
page read and write
|
||
|
2850000
|
direct allocation
|
page read and write
|
||
|
2660000
|
direct allocation
|
page read and write
|
||
|
3539000
|
heap
|
page read and write
|
||
|
CE0000
|
direct allocation
|
page execute and read and write
|
||
|
32C0000
|
heap
|
page read and write
|
||
|
341E000
|
stack
|
page read and write
|
||
|
22BC000
|
direct allocation
|
page read and write
|
||
|
22EA000
|
direct allocation
|
page read and write
|
||
|
2350000
|
direct allocation
|
page read and write
|
||
|
353B000
|
heap
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
3541000
|
heap
|
page read and write
|
||
|
22D5000
|
direct allocation
|
page read and write
|
||
|
2349000
|
direct allocation
|
page read and write
|
||
|
327C000
|
stack
|
page read and write
|
||
|
33DE000
|
stack
|
page read and write
|
||
|
92B000
|
heap
|
page read and write
|
||
|
620000
|
heap
|
page read and write
|
||
|
663000
|
unkown
|
page readonly
|
||
|
2FFC000
|
direct allocation
|
page read and write
|
||
|
31CF000
|
stack
|
page read and write
|
||
|
2598000
|
direct allocation
|
page read and write
|
||
|
26D5000
|
direct allocation
|
page read and write
|
||
|
4A9000
|
unkown
|
page read and write
|
||
|
255A000
|
direct allocation
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
4D2000
|
unkown
|
page readonly
|
||
|
323C000
|
stack
|
page read and write
|
||
|
2381000
|
direct allocation
|
page read and write
|
||
|
92B000
|
heap
|
page read and write
|
||
|
26CB000
|
direct allocation
|
page read and write
|
||
|
306E000
|
direct allocation
|
page read and write
|
||
|
4E20000
|
trusted library allocation
|
page read and write
|
||
|
7F0000
|
heap
|
page read and write
|
||
|
2553000
|
direct allocation
|
page read and write
|
||
|
640000
|
heap
|
page read and write
|
||
|
25CC000
|
direct allocation
|
page read and write
|
||
|
8D0000
|
heap
|
page read and write
|
||
|
25E2000
|
direct allocation
|
page read and write
|
||
|
2FBA000
|
direct allocation
|
page read and write
|
||
|
3541000
|
heap
|
page read and write
|
||
|
917000
|
heap
|
page read and write
|
||
|
2324000
|
direct allocation
|
page read and write
|
||
|
2D70000
|
direct allocation
|
page read and write
|
||
|
4B8000
|
unkown
|
page readonly
|
||
|
232B000
|
direct allocation
|
page read and write
|
||
|
347E000
|
stack
|
page read and write
|
||
|
34FE000
|
stack
|
page read and write
|
||
|
231C000
|
direct allocation
|
page read and write
|
||
|
7F8000
|
heap
|
page read and write
|
||
|
26E3000
|
direct allocation
|
page read and write
|
||
|
19D000
|
stack
|
page read and write
|
||
|
8E7000
|
heap
|
page read and write
|
||
|
2D70000
|
heap
|
page read and write
|
||
|
2510000
|
direct allocation
|
page read and write
|
||
|
352C000
|
heap
|
page read and write
|
||
|
7E0000
|
heap
|
page read and write
|
||
|
944000
|
heap
|
page read and write
|
||
|
65C000
|
unkown
|
page write copy
|
||
|
2577000
|
direct allocation
|
page read and write
|
||
|
257E000
|
direct allocation
|
page read and write
|
||
|
23C3000
|
direct allocation
|
page read and write
|
||
|
22F1000
|
direct allocation
|
page read and write
|
||
|
3524000
|
heap
|
page read and write
|
||
|
363E000
|
stack
|
page read and write
|
||
|
23D1000
|
direct allocation
|
page read and write
|
||
|
353E000
|
heap
|
page read and write
|
||
|
25B6000
|
direct allocation
|
page read and write
|
||
|
2FB2000
|
direct allocation
|
page read and write
|
||
|
3500000
|
heap
|
page read and write
|
||
|
67F000
|
unkown
|
page readonly
|
||
|
4AB000
|
unkown
|
page read and write
|
||
|
2333000
|
direct allocation
|
page read and write
|
||
|
68D000
|
unkown
|
page readonly
|
||
|
25EA000
|
direct allocation
|
page read and write
|
||
|
3524000
|
heap
|
page read and write
|
||
|
2361000
|
direct allocation
|
page read and write
|
||
|
2FAB000
|
direct allocation
|
page read and write
|
||
|
2840000
|
heap
|
page read and write
|
||
|
2FED000
|
direct allocation
|
page read and write
|
||
|
2FD3000
|
direct allocation
|
page read and write
|
||
|
2FE1000
|
direct allocation
|
page read and write
|
||
|
354A000
|
heap
|
page read and write
|
||
|
830000
|
heap
|
page read and write
|
||
|
23D8000
|
direct allocation
|
page read and write
|
||
|
2536000
|
direct allocation
|
page read and write
|
||
|
22E3000
|
direct allocation
|
page read and write
|
||
|
2544000
|
direct allocation
|
page read and write
|
||
|
23BC000
|
direct allocation
|
page read and write
|
||
|
2860000
|
heap
|
page read and write
|
||
|
7FBA0000
|
direct allocation
|
page read and write
|
||
|
354B000
|
heap
|
page read and write
|
||
|
254C000
|
direct allocation
|
page read and write
|
||
|
3660000
|
heap
|
page read and write
|
||
|
301D000
|
direct allocation
|
page read and write
|
||
|
2300000
|
direct allocation
|
page read and write
|
||
|
2D70000
|
direct allocation
|
page read and write
|
||
|
4B2000
|
unkown
|
page read and write
|
||
|
93A000
|
heap
|
page read and write
|
||
|
3542000
|
heap
|
page read and write
|
||
|
23CA000
|
direct allocation
|
page read and write
|
||
|
926000
|
heap
|
page read and write
|
||
|
34BE000
|
stack
|
page read and write
|
||
|
23B4000
|
direct allocation
|
page read and write
|
||
|
659000
|
unkown
|
page read and write
|
||
|
3016000
|
direct allocation
|
page read and write
|
||
|
237A000
|
direct allocation
|
page read and write
|
||
|
4E0000
|
unkown
|
page readonly
|
||
|
352B000
|
heap
|
page read and write
|
||
|
2371000
|
direct allocation
|
page read and write
|
||
|
929000
|
heap
|
page read and write
|
||
|
354A000
|
heap
|
page read and write
|
||
|
25DB000
|
direct allocation
|
page read and write
|
||
|
22F8000
|
direct allocation
|
page read and write
|
||
|
650000
|
heap
|
page read and write
|
||
|
7FE1F000
|
direct allocation
|
page read and write
|
||
|
3539000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
64E000
|
unkown
|
page read and write
|
||
|
3044000
|
direct allocation
|
page read and write
|
||
|
3524000
|
heap
|
page read and write
|
||
|
353B000
|
heap
|
page read and write
|
||
|
354A000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
239F000
|
direct allocation
|
page read and write
|
||
|
2850000
|
direct allocation
|
page read and write
|
||
|
253D000
|
direct allocation
|
page read and write
|
||
|
4B4000
|
unkown
|
page write copy
|
||
|
3420000
|
heap
|
page read and write
|
||
|
3068000
|
direct allocation
|
page read and write
|
||
|
2561000
|
direct allocation
|
page read and write
|
||
|
3528000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2660000
|
direct allocation
|
page read and write
|
||
|
931000
|
heap
|
page read and write
|
||
|
2FC3000
|
direct allocation
|
page read and write
|
||
|
3430000
|
heap
|
page read and write
|
||
|
947000
|
heap
|
page read and write
|
||
|
3528000
|
heap
|
page read and write
|
||
|
2315000
|
direct allocation
|
page read and write
|
||
|
25F1000
|
direct allocation
|
page read and write
|
||
|
354C000
|
heap
|
page read and write
|
||
|
660000
|
unkown
|
page read and write
|
||
|
95F000
|
heap
|
page read and write
|
||
|
4B6000
|
unkown
|
page readonly
|
||
|
330F000
|
stack
|
page read and write
|
||
|
2608000
|
direct allocation
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
93000
|
stack
|
page read and write
|
||
|
500000
|
heap
|
page read and write
|
||
|
2F9B000
|
direct allocation
|
page read and write
|
||
|
661000
|
unkown
|
page readonly
|
||
|
7FE11000
|
direct allocation
|
page read and write
|
||
|
2307000
|
direct allocation
|
page read and write
|
||
|
D65000
|
heap
|
page read and write
|
||
|
8E0000
|
heap
|
page read and write
|
||
|
D60000
|
heap
|
page read and write
|
||
|
9B000
|
stack
|
page read and write
|
||
|
6C0000
|
heap
|
page read and write
|
||
|
320E000
|
stack
|
page read and write
|
||
|
262C000
|
direct allocation
|
page read and write
|
||
|
230E000
|
direct allocation
|
page read and write
|
||
|
3538000
|
heap
|
page read and write
|
There are 189 hidden memdumps, click here to show them.