Windows Analysis Report
msgtopstdemo.exe

Overview

General Information

Sample name:	msgtopstdemo.exe
Analysis ID:	1525130
MD5:	fa7fccb539f58ea32e2a92a0a32af286
SHA1:	1ba6a04fe2d9ebf47d97f2c6b295c33ad5803a3e
SHA256:	ee8fc4c0c9cb55699ef0bf026d5af42e7bb82d535ac8d84c8480569040f27257
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Uses 32bit PE files

Source: msgtopstdemo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.SOFTWARE LICENSE AGREEMENT This Software License Agreement is a legal agreement between you (an individual) and the www.datavare.com software product identified above which includes computer software and may include associated media printed materials or electronic documentation ("SOFTWARE PRODUCT"). With the instalment copying or using the Datavare Software and Services LLP PRODUCT indicates that you are agree to the terms of this AGREEMENT. In case you are not agree to the Agreement terms and conditions it is better to not to install or run the "www.datavare.com" SOFTWARE PRODUCTS; you may however return it to the right place (the seller) for getting a full refund.www.datavare.com PRODUCT LICENSE:The SOFTWARE PRODUCT is fully protected by copyright laws and international copyright treaties as well as other intellectual property laws and treaties. It is for licensed not for selling.Termination. Without prejudice to any other rights www.datavare.com may terminate this AGREEMENT if you fail to comply with the terms and conditions of this AGREEMENT. In such event you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.CHECK OUT OTHER RIGHTS AND LIMITATIONSClients cannot Resale Software. You might not resell or otherwise transfer for value the SOFTWARE PRODUCT.LICENSE - It is a Trial license that signifies you are permitted to use this trial version of "Datavare Software and Services LLP". Once the usage is over you can able to apply for getting the registration key that will eliminate the trial limitation and allow you to use a copy of "Datavare Software and Services LLP" on one computer. In case you wish to apply for multiple licenses it is must to get request for multiple registration keys where one for each user. www.datavare.com might also offer you with one key with multiple licenses.OWNERSHIP - This Software is copyrighted and owned by www.datavare.com. Your license confers no ownership or title in the Software. You can make a copy of this software solely for the purpose of back up. But License shall not modify copy duplicate reproduce license or sub license the Software or transfer or convey the Software or any right in the Software to anyone else without the prior written consent of Developer.LIMITED WARRANTY- www.datavare.com confirms that any type of implied warranty is concerned for only thirty (30) days. Warranty for the Software will perform substantially according to the user documentation for thirty (30) days from the day of receipt. CUSTOMER REMEDIES - In case the program fails to meet with www.datavare.com limited warranty a consumer can ask to refund the purchasing amount but it should be within 30 days of the shopping. This limited warranty is void if failure of the Software has resulted from abu

Source: msgtopstdemo.exe

Static PE information: certificate valid

Source: msgtopstdemo.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: _c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr
Source:	Binary string: d:\Bjornar\SVN\istool\isxdl\trunk\source\Release\isxdl.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004987000.00000004.00001000.00020000.00000000.sdmp, isxdl.dll.1.dr
Source:	Binary string: c:\Users\test\Desktop\datavare products\DEMO-Datavare-MsgToPst\MsgToPst\MsgToPst\obj\x86\Debug\MsgToPst.pdb source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose,	1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004531A4 FindFirstFileA,GetLastError,	1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049998C

Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: msgtopstdemo.exe	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: msgtopstdemo.exe	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-2.crl0
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: msgtopstdemo.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/sfsroot.crl0P
Source: MsgToPst.exe, 00000005.00000002.2952651282.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.ado
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.godaddy.com/0
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.godaddy.com/05
Source: msgtopstdemo.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0D
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701048720.0000000003130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datavare.com/
Source: msgtopstdemo.tmp, 00000001.00000003.2029636409.0000000002168000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000003.1701151209.000000000215C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datavare.com/B
Source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr	String found in binary or memory: http://www.datavare.com/contact-us.html
Source: msgtopstdemo.tmp, 00000001.00000003.2027572801.0000000004948000.00000004.00001000.00020000.00000000.sdmp, MsgToPst.exe, 00000005.00000000.2026456010.000000000076A000.00000002.00000001.01000000.0000000A.sdmp, is-4FDGP.tmp.1.dr, is-01BK0.tmp.1.dr	String found in binary or memory: http://www.datavare.com/software/order/msg-to-pst-expert.html
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: isxdl.dll.1.dr	String found in binary or memory: http://www.istool.org/
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msgtopstdemo.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: msgtopstdemo.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002370000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.exe, 00000000.00000003.1699586406.0000000002470000.00000004.00001000.00020000.00000000.sdmp, msgtopstdemo.tmp, 00000001.00000000.1700355107.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-0L47Q.tmp.1.dr, msgtopstdemo.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: MsgToPst.exe, 00000005.00000002.2954898074.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: msgtopstdemo.exe	String found in binary or memory: https://certs.godaddy.com/repository/0

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00423FD4 NtdllDefWindowProc_A,	1_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00412A28 NtdllDefWindowProc_A,	1_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042F9C0 NtdllDefWindowProc_A,	1_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00479D08 NtdllDefWindowProc_A,	1_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457D90

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042ED84

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Detected potential crypto function

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00408888	0_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00468034	1_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00471688	1_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0048F6BC	1_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00435768	1_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00488030	1_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0046A088	1_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00452100	1_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0043E1F0	1_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004307FC	1_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00444968	1_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00434A64	1_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00444F10	1_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00488F90	1_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00431388	1_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00445608	1_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0045F8C0	1_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0045B970	1_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00445A14	1_2_00445A14
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Code function: 5_2_00DCDCF4	5_2_00DCDCF4

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: String function: 00403684 appears 229 times

PE file contains executable resources (Code or Archives)

Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: msgtopstdemo.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-0L47Q.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Sample file is different than original file name gathered from version info

Source: msgtopstdemo.exe, 00000000.00000003.1699586406.000000000254A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs msgtopstdemo.exe
Source: msgtopstdemo.exe, 00000000.00000003.1699783757.0000000002446000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs msgtopstdemo.exe

Uses 32bit PE files

Source: msgtopstdemo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@5/14@0/0

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455D80

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_004565A8

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

Code function: 1_2_00456DD4 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456DD4

Source: C:\Users\user\Desktop\msgtopstdemo.exe

Code function: 0_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A0D4

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp

File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version

Source: msgtopstdemo.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: msgtopstdemo.exe	String found in binary or memory: /LOADINF="filename"

Source: unknown	Process created: C:\Users\user\Desktop\msgtopstdemo.exe "C:\Users\user\Desktop\msgtopstdemo.exe"
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe"
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp "C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp" /SL5="$20450,2062666,288768,C:\Users\user\Desktop\msgtopstdemo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Automated click: I accept the agreement

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00406A18 push 00406A55h; ret	0_2_00406A4D
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_004093B4 push 004093E7h; ret	0_2_004093DF
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: 0_2_00408580 push ecx; mov dword ptr [esp], eax	0_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00409D9C push 00409DD9h; ret	1_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0041A078 push ecx; mov dword ptr [esp], ecx	1_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00452100 push ecx; mov dword ptr [esp], eax	1_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040A273 push ds; ret	1_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040A29F push ds; ret	1_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00460518 push ecx; mov dword ptr [esp], ecx	1_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00496594 push ecx; mov dword ptr [esp], ecx	1_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004587B4 push 004587ECh; ret	1_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00410930 push ecx; mov dword ptr [esp], edx	1_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00486A94 push ecx; mov dword ptr [esp], ecx	1_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00478D50 push ecx; mov dword ptr [esp], edx	1_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00412D78 push 00412DDBh; ret	1_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040D288 push ecx; mov dword ptr [esp], edx	1_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0040F7E8 push ecx; mov dword ptr [esp], edx	1_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004438E0 push ecx; mov dword ptr [esp], ecx	1_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00459ACC push 00459B10h; ret	1_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0049BD44 pushad ; retf	1_2_0049BD53

Source: C:\Users\user\Desktop\msgtopstdemo.exe	File created: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	File created: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0041811E IsIconic,SetWindowPos,	1_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004245E4 IsIconic,SetActiveWindow,	1_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042462C IsIconic,SetActiveWindow,SetFocus,	1_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: 1_2_004179E8 IsIconic,GetCapture,	1_2_004179E8

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe	Memory allocated: 4B10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: GetLocaleInfoA,	0_2_0040565C
Source: C:\Users\user\Desktop\msgtopstdemo.exe	Code function: GetLocaleInfoA,	0_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: GetLocaleInfoA,	1_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	Code function: GetLocaleInfoA,	1_2_00408A04

ID:	1525130
Product:	CloudBasic
Start time:	18:21:14
Start date:	03.10.2024
Sample:	msgtopstdemo.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fa7fccb539f58ea32e2a92a0a32af286
SHA1:	1ba6a04fe2d9ebf47d97f2c6b295c33ad5803a3e
SHA256:	ee8fc4c0c9cb55699ef0bf026d5af42e7bb82d535ac8d84c8480569040f27257
Filetype:	Win32 Executable (generic) a (10002005/4) 98.86%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Aspose.Email.dll (copy)	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C5F5518DD191ECFF9A02E2156A92557D	B3AF400B667AD046CE7A03F443905CACFC9BE45B	DD1659341475958E1880AB344D84C019886ABBF402DAEDCC4104D88F6A01F6B5
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\Config.txt (copy)	data	B2B97996B6AE49DB4D364D53225BDE0E	A04148AB5BAC7F74A08BF796BA321741292497AA	CE71A6C5D871ADD5CC25DC96F485B3E7D5FC557B20881ACD77363B2E22968347
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\MsgToPst.exe (copy)	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	5F741C35077C33000CF0638178E1F070	4C3CB86F34ED823FBFBEDF678DB36434817758ED	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-01BK0.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	5F741C35077C33000CF0638178E1F070	4C3CB86F34ED823FBFBEDF678DB36434817758ED	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-0L47Q.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	52414630A8FA97F12AF0F6402915576D	22C9F8629B2A2202DA0C5633C7488C10F0CDFA97	BF8B71C38FA5E2B550A886858C9D23E88C1D2E1B0E5D1DC084032CF640A6F308
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4AED4.tmp	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C5F5518DD191ECFF9A02E2156A92557D	B3AF400B667AD046CE7A03F443905CACFC9BE45B	DD1659341475958E1880AB344D84C019886ABBF402DAEDCC4104D88F6A01F6B5
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-4FDGP.tmp	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	5F741C35077C33000CF0638178E1F070	4C3CB86F34ED823FBFBEDF678DB36434817758ED	547D072A543C0464542E146A95049A999E335E674C147D40878D87A6EA18E252
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\is-SNPO1.tmp	data	B2B97996B6AE49DB4D364D53225BDE0E	A04148AB5BAC7F74A08BF796BA321741292497AA	CE71A6C5D871ADD5CC25DC96F485B3E7D5FC557B20881ACD77363B2E22968347
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.dat	InnoSetup Log Datavare MSG to PST Converter - Demo Version {B704DD12-0FC2-4CCC-A183-86D06E9674A6}, version 0x30, 19133 bytes, 216554\user, "C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version"	786D190AA981F1EDB691F798C8C91143	7CCC3EFF1402CA8766C46FAD9721D9BA6B4C62FC	55AAC1D0D1E430338F0229CBEC211A0AEFC225ABC61B92FB133599CC2A5BA2CA
C:\Program Files (x86)\Datavare MSG to PST Converter - Demo Version\unins000.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	52414630A8FA97F12AF0F6402915576D	22C9F8629B2A2202DA0C5633C7488C10F0CDFA97	BF8B71C38FA5E2B550A886858C9D23E88C1D2E1B0E5D1DC084032CF640A6F308
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Datavare MSG to PST Converter - Demo Version.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 3 15:22:35 2024, mtime=Thu Oct 3 15:22:35 2024, atime=Tue Dec 12 18:28:02 2017, length=1021952, window=hide	348597AC50A89FBACB8A494884A0E6C7	D834756538D599EBE9A3F7F060B973938D04996B	EB4BC2B7231B77C2989DA096C4DD3221DB077D736DF737C505D9175463CEC996
C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-0CF57.tmp\isxdl.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	48AD1A1C893CE7BF456277A0A085ED01	803997EF17EEDF50969115C529A2BF8DE585DC91	B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3
C:\Users\user\AppData\Local\Temp\is-UN1KP.tmp\msgtopstdemo.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	03B1E8078CAE9C05B81C8B8FE2A11840	0780EAB7701BC74614159DC703DB72283F95C91B	3AAE4693EA36C39A5330BF720877868D5868E7775D963FC6A64B3C69ADABEC35

Windows Analysis Report msgtopstdemo.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
msgtopstdemo.exe