Windows Analysis Report
thunderbird-to-outlook-converter.exe

Overview

General Information

Sample name: thunderbird-to-outlook-converter.exe
Analysis ID: 1545749
MD5: ed6c1f0e4bc19623cbbad48cf84ab099
SHA1: ea54f4b7f52c6948c102d452a615671738427bce
SHA256: 28923cdeb17db6f79d0f7c134daa9343cb99253921c1f4054d201b1e242305ca

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Compliance

Score: 32
Range: 0 - 100

Signatures

.NET source code contains potential unpacker
Yara detected Generic Downloader
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Windows\System32\msiexec.exe EXE: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_853F67D554F05449430E7E.exe
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe EXE: msiexec.exe
Source: C:\Windows\System32\msiexec.exe EXE: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_039DBA7754DFCAABD648C2.exe
Source: C:\Windows\System32\msiexec.exe EXE: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_59A44D4F4928D847AB3E43.exe
Source: C:\Windows\System32\msiexec.exe EXE: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_1ABCAD378361F678050DB6.exe

Compliance

Source: thunderbird-to-outlook-converter.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\License Agreement.rtf
Source: thunderbird-to-outlook-converter.exe Static PE information: certificate valid
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: thunderbird-to-outlook-converter.exe, MSI36CB.tmp.2.dr, MSI3739.tmp.2.dr, 5d34b7.msi.2.dr, MSIF618.tmp.0.dr, 5d34b9.msi.2.dr, MSIF8D8.tmp.1.dr, MSIF85A.tmp.1.dr
Source: Binary string: e:\Develope\msi2exe\release\msi2exestub.pdb source: thunderbird-to-outlook-converter.exe
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: thunderbird-to-outlook-converter.exe, MSI36CB.tmp.2.dr, MSI3739.tmp.2.dr, 5d34b7.msi.2.dr, MSIF618.tmp.0.dr, 5d34b9.msi.2.dr, MSIF8D8.tmp.1.dr, MSIF85A.tmp.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}

Networking

Source: Yara match File source: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\TreeksLicensingLibrary2.DLL, type: DROPPED
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d34b7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI36CB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3739.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI37A7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d34b9.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI36CB.tmp
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_00404C68 0_2_00404C68
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_00402F70 0_2_00402F70
Source: thunderbird-to-outlook-converter.exe Binary or memory string: OriginalFilename vs thunderbird-to-outlook-converter.exe
Source: thunderbird-to-outlook-converter.exe, 00000000.00000002.1707192629.0000000000412000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDPCA.DLLT vs thunderbird-to-outlook-converter.exe
Source: thunderbird-to-outlook-converter.exe Binary or memory string: OriginalFilenameDPCA.DLLT vs thunderbird-to-outlook-converter.exe
Source: TreeksLicensingLibrary2.DLL.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: sus36.troj.evad.winEXE@8/40@0/0
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_0040134E __EH_prolog3_catch,_memset,_memset,GetTempPathW,GetTempFileNameW,__CxxThrowException@8,FindResourceW,SizeofResource,LoadResource,LockResource,CreateFileW,ShowWindow,ShowWindow,WriteFile,InvalidateRect,ShowWindow,CloseHandle,_swprintf,_memset,CreateProcessW,ExitProcess, 0_2_0040134E
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\MailsDaddy Software (P) Ltd
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML3822.tmp
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe File created: C:\Users\user\AppData\Local\Temp\MSIF618.tmp
Source: thunderbird-to-outlook-converter.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe "C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe"
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSIF618.tmp
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7290A6845925C195E7014D9F7E4EB858 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C3F8760112445D68E9871B76E5B0FA05
Source: Mailsdaddy Thunderbird To Outlook Converter.lnk.2.dr LNK file: ..\..\..\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_039DBA7754DFCAABD648C2.exe
Source: Mailsdaddy Thunderbird To Outlook Converter.lnk0.2.dr LNK file: ..\..\..\..\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_59A44D4F4928D847AB3E43.exe
Source: Mailsdaddy Thunderbird To Outlook Converter.lnk1.2.dr LNK file: ..\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}\_1ABCAD378361F678050DB6.exe
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: I Agree
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: thunderbird-to-outlook-converter.exe Static file information: File size 8612560 > 1048576
Source: thunderbird-to-outlook-converter.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x825000
Source: thunderbird-to-outlook-converter.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: TreeksLicensingLibrary2.DLL.2.dr, --.cs .Net Code: _0002 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_004065BA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson, 0_2_004065BA
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_00402F51 push ecx; ret 0_2_00402F64
Source: TreeksLicensingLibrary2.DLL.2.dr Static PE information: section name: .text entropy: 7.909684201630082
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\MailsdaddyThunderbirdToOutlookConverter.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI36CB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\TreeksLicensingLibrary2.DLL
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3739.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\Aspose.Email.DLL
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF8D8.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF85A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MailsDaddy
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MailsDaddy\Mailsdaddy Thunderbird To Outlook Converter.lnk
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\MailsdaddyThunderbirdToOutlookConverter.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI36CB.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3739.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\TreeksLicensingLibrary2.DLL
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\MailsDaddy Software (P) Ltd\MailsDaddy Thunderbird to Outlook Converter\Aspose.Email.DLL
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF8D8.tmp
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF85A.tmp
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{7A41F43B-6BBA-41C2-9302-0BDDEBBC038C}
Source: Aspose.Email.DLL.2.dr Binary or memory string: #=zGCaIGGoy1$NUKmG_CsftXG5sKlnzNzvmCIEDug0mz3qn
Source: Aspose.Email.DLL.2.dr Binary or memory string: #=z5_Nge9eohgfsrfkPRCICQG$IG0R7
Source: Aspose.Email.DLL.2.dr Binary or memory string: #=zoIn7JTGecCpYn2AbMCMTDb_46$hGFSZ5oQ==
Source: Aspose.Email.DLL.2.dr Binary or memory string: #=zi0jHgfsah8Ev
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_00401A49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00401A49
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_004065BA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson, 0_2_004065BA
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_0040214A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040214A
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\thunderbird-to-outlook-converter.exe Code function: 0_2_00404A38 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00404A38
No contacted IP infos