ID: 80545 Sample Name: bitrecover-msg-converter-wizard.exe Cookbook: default.jbs Time: 17:08:33 Date: 27/09/2018 Version: 23.0.0

Table of Contents

Table of Contents 2 Analysis Report bitrecover-msg-converter-wizard.exe 4 Overview 4 General Information 4 Detection 4 Confidence 5 Classification 5 Analysis Advice 6 Signature Overview 6 AV Detection: 7 Spreading: 7 Networking: 7 Key, Mouse, Clipboard, Microphone and Screen Capturing: 7 System Summary: 7 Data Obfuscation: 8 Persistence and Installation Behavior: 8 Boot Survival: 8 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Anti Debugging: 8 HIPS / PFW / Protection Evasion: 8 Language, Device and Operating System Detection: 9 Behavior Graph 9 Simulations 9 Behavior and APIs 9 Antivirus Detection 10 Initial Sample 10 Dropped Files 10 Unpacked PE Files 10 Domains 10 URLs 10 Yara Overview 10 Initial Sample 10 PCAP (Network Traffic) 10 Dropped Files 11 Memory Dumps 11 Unpacked PEs 11 Joe Sandbox View / Context 11 IPs 11 Domains 11 ASN 11 Dropped Files 11 Screenshots 12 Thumbnails 12 Startup 13 Created / dropped Files 13 Domains and IPs 18 Contacted Domains 18 URLs from Memory and Binaries 19 Contacted IPs 20 Static File Info 21 General 21 File Icon 21

Copyright Joe Security LLC 2018 Page 2 of 37 Static PE Info 21 General 21 Authenticode Signature 21 Entrypoint Preview 22 Data Directories 22 Sections 23 Resources 23 Imports 23 Version Infos 24 Possible Origin 24 Network Behavior 24 Code Manipulations 24 Statistics 24 Behavior 24 System Behavior 25 Analysis Process: bitrecover-msg-converter-wizard.exe PID: 3972 Parent PID: 3700 25 General 25 File Activities 25 File Created 25 File Deleted 25 File Written 25 File Read 26 Analysis Process: bitrecover-msg-converter-wizard.tmp PID: 3984 Parent PID: 3972 26 General 26 File Activities 26 File Created 26 File Deleted 28 File Moved 28 File Written 28 File Read 35 Registry Activities 36 Key Created 36 Key Value Created 36 Analysis Process: MSGConverterWizard.exe PID: 1680 Parent PID: 3984 37 General 37 File Activities 37 Registry Activities 37 Disassembly 37 Code Analysis 37

Analysis Report bitrecover-msg-converter-wizard.exe

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 80545
Start date: 27.09.2018
Start time: 17:08:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: bitrecover-msg-converter-wizard.exe
Cookbook file name: default.jbs
Analysis system description: SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean16.winEXE@5/21@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 11.7% (good quality ratio 11.5%)
Quality average: 86%
Quality standard deviation: 22.1%
HCA Information: Successful, ratio: 94%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): dllhost.exe; Report size exceeded maximum capacity and may have missing behavior information; Report size getting too big, too many NtAllocateVirtualMemory calls found; Report size getting too big, too many NtCreateFile calls found; Report size getting too big, too many NtEnumerateValueKey calls found; Report size getting too big, too many NtOpenKeyEx calls found; Report size getting too big, too many NtQueryValueKey calls found; Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or , or parses a document) for: MSGConverterWizard.exe

Detection

Strategy: Threshold
Score: 16
Range: 0 - 100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 3
Range: 0 - 5
Further Analysis Required?: true

Classification

Classification graph (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean.

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.

Sample searches for a specific file; try providing organization-specific fake files to the analysis machine.

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Antivirus detection for unpacked file

Spreading:

Enumerates the file system

Contains functionality to enumerate / list files inside a directory

Networking:

Contains functionality to download additional files from the internet

Found strings which match to known social media urls

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

System Summary:

Contains functionality to communicate with device drivers

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sample reads its own file content

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Contains functionality to check free disk space

Contains functionality to instantiate COM classes

Contains functionality to load and extract PE file embedded resources

Creates files inside the program directory

Creates files inside the user directory

Creates temporary files

Parts of this application are using the .NET runtime (probably coded in C#)

Reads ini files

Reads policies

Reads the Windows registered organization settings

Spawns processes

Uses an in-process (OLE) Automation server

Reads the Windows registered owner settings

Executable creates window controls seldom found in malware

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Creates a directory in C:\Program Files

Creates a software uninstall entry

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Data Obfuscation:

Contains functionality to dynamically determine API calls

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Boot Survival:

Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Extensive use of GetProcAddress (often used to hide API calls)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Enumerates the file system

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Contains functionality to enumerate / list files inside a directory

Contains functionality to query system information

Anti Debugging:

Checks for debuggers (devices)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to register its own exception handler

Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges

Creates a process in suspended mode (likely to inject code)

Contains functionality to create a new security descriptor

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Queries the volume information (name, serial number etc) of a device

Contains functionality to create pipes for IPC

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query windows version

Queries the cryptographic machine GUID

Behavior Graph

Behavior graph (figure; only the recoverable labels are kept). ID: 80545. Sample: bitrecover-msg-converter-wizard.exe. Startdate: 27/09/2018. Architecture: WINDOWS. Score: 16. Legend items: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious. Signature shown on the graph: Antivirus detection for unpacked file.

Process chain shown in the graph:

bitrecover-msg-converter-wizard.exe (legend count: 2) dropped and started C:\...\bitrecover-msg-converter-wizard.tmp, PE32

bitrecover-msg-converter-wizard.tmp (legend counts: 23, 26) dropped C:\Program Files\BitRecover\...\is-KUJLB.tmp, PE32; C:\Program Files\BitRecover\...\is-K96D9.tmp, PE32; C:\Program Files\BitRecover\...\is-JHM84.tmp, PE32; 9 other files (2 malicious); started MSGConverterWizard.exe

MSGConverterWizard.exe (legend counts: 1, 5)

Simulations

Behavior and APIs

Time Type Description
17:08:53 API Interceptor 1x Sleep call for process: bitrecover-msg-converter-wizard.tmp modified
17:08:54 API Interceptor 2x Sleep call for process: MSGConverterWizard.exe modified
17:09:00 API Interceptor 1x Sleep call for process: bitrecover-msg-converter-wizard.exe modified

Antivirus Detection

Initial Sample

Source Detection Scanner Label Link
bitrecover-msg-converter-wizard.exe 0% virustotal Browse

Dropped Files

Source Detection Scanner Label Link
C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp 0% virustotal Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp 0% metadefender Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-H7HSB.tmp 0% virustotal Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp 0% virustotal Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp 0% metadefender Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-K96D9.tmp 0% virustotal Browse
C:\Program Files\BitRecover\MSG Converter Wizard\is-KUJLB.tmp 0% virustotal Browse

Unpacked PE Files

Source Detection Scanner Label Link
2.0.bitrecover-msg-converter-wizard.tmp.400000.1.unpack 100% Avira TR/Crypt.XPACK.Gen
2.1.bitrecover-msg-converter-wizard.tmp.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen
2.0.bitrecover-msg-converter-wizard.tmp.400000.5.unpack 100% Avira TR/Crypt.XPACK.Gen
2.0.bitrecover-msg-converter-wizard.tmp.400000.3.unpack 100% Avira TR/Crypt.XPACK.Gen
2.0.bitrecover-msg-converter-wizard.tmp.400000.2.unpack 100% Avira TR/Crypt.XPACK.Gen
2.2.bitrecover-msg-converter-wizard.tmp.400000.1.unpack 100% Avira TR/Crypt.XPACK.Gen
1.3.bitrecover-msg-converter-wizard.exe.1228000.0.unpack 100% Avira TR/Patched.Ren.Gen
2.0.bitrecover-msg-converter-wizard.tmp.400000.4.unpack 100% Avira TR/Crypt.XPACK.Gen
2.0.bitrecover-msg-converter-wizard.tmp.400000.0.unpack 100% Avira TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link
www.bitrecover.com$ 0% Avira URL Cloud safe
www.anything.com 0% virustotal Browse
www.anything.com 0% Avira URL Cloud safe
https://BUCKET. 0% Avira URL Cloud safe
https://S3_BUCKET. 0% Avira URL Cloud safe
www.mailpass.com/verify.cgi 0% virustotal Browse
www.mailpass.com/verify.cgi 0% Avira URL Cloud safe
www.istool.org/ 0% virustotal Browse
www.istool.org/ 0% Avira URL Cloud safe
BUCKET. 0% Avira URL Cloud safe
ENDPOINT/Content- 0% Avira URL Cloud safe
MD5DateAuthorizationS3_ListBucketsresponseHeaderBUCKETOBJECThttp://BUCKET./O www.bitrecover.com6 0% Avira URL Cloud safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7
bitrecover-msg-converter-wizard.exe (PID: 3972 cmdline: 'C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe' MD5: 89FBBA7D5B9D9730D18D59802E7AE2CA)
bitrecover-msg-converter-wizard.tmp (PID: 3984 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp' /SL5='$13016 C,15875683,72192,C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe' MD5: 9605B01F38E7ACD4ECC093ECF5EAAD9A)
MSGConverterWizard.exe (PID: 1680 cmdline: C:\Program Files\BitRecover\MSG Converter Wizard\MSGConverterWizard.exe MD5: AC39D4203155F048B76C9BD26587EFDE)
cleanup

Created / dropped Files

C:\Program Files\BitRecover\MSG Converter Wizard\is-4ABBU.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 6241664 Entropy (8bit): 6.54050771540699 Encrypted: false MD5: F73F3516AFA3B1DFCBD2F4AEC346AD0F SHA1: F9E8492CA64F369E9EC8358CA1F926B6B547F81D SHA-256: A03B402DD37B894AC4BA9B6630FC06DAE4C5C8B695277A0CB725BA902DFB1ABB SHA-512: A016D83AFD5DCAFE4AA4DC54AC6D44B4746A32E21B26AB17779F50330D3A616C6D782116F6221368743AF62E25 F4BDA622E0FE0AD9D2C9FD2CF54E1227E591A1 Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp

Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 245760 Entropy (8bit): 5.995767201035819 Encrypted: false MD5: 445CA83B14BCEB96D2C947DE4EA7DF70 SHA1: 8054D5163619150E7E76D164A98F084B78BE9169 SHA-256: AB258F6225C10C4E3A5389B029B501E786CA24ED15FEDE90191D2B85346336FD SHA-512: CC8802F14992FCBB99FD8FCD728A0AF5BDE037307A1E14A52B0419DCF68DC1915E9CD9EC2A2294DE67A653A1C 3487A4DF0A03313E71306302D8563602567181C Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-E46TV.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 725876 Entropy (8bit): 6.52423030045362 Encrypted: false MD5: 40D614C67D7690DF3C8D91C552FDBAF6 SHA1: F2F3007E8EF733ECF35CCAB0D7F269C57E0CD4E9 SHA-256: A9E4FF9637D43C9D8FF3AAA67942F74F17690AEB19DEC471A68AC017A177F13B SHA-512: 9CE6135041D2DC2FDC605574C0D7978A4BD044C623785ACA786A2ABF3ECDA766FA336C82547E90182097D4BA28 C06E17FD377F1AC902516FF52D2E41509F317D Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-FLNCK.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 2138 Entropy (8bit): 4.889525468669152 Encrypted: false MD5: 2B42AD72835B688AC14CD2937CC4A67D SHA1: FB0860A3FA01057A46B4CC014218B8AF0CC7DE25 SHA-256: 8D2D54CBD14448860948D181AA2AC727A77FA371FEE517ACE06DCE665F73856A SHA-512: 02677C172EBD4953868F56D26E3EE410CE5660C9A394519C22A4FA96548E4DE283DEA50A5DF9EDF5567E6C7BBC 639E551F78943C2BBA03A715EED96FF96A131E Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-H7HSB.tmp

Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 9683456 Entropy (8bit): 7.9966389401971005 Encrypted: true MD5: 4D52AA03C2DA7CEA902067A3AC2103D7 SHA1: BFED79E4F2FC0E3DDB84B1EC9299BA67491364AB SHA-256: 70A3EE722328666D2640D55FB135EF5CCFD63C1420F26B1FD6E6528937252402 SHA-512: 0DEB83315449A96CEB583F145FB59D87475B12400B549F2E391ED1B020F3E9D2E45262E32D442FBDA07A272B8B2 CC4DAA5EAAFC307022FAE5DDA0A80DC2EE818 Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-J89RQ.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 248096

Entropy (8bit): 6.503242986849085 Encrypted: false MD5: AC39D4203155F048B76C9BD26587EFDE SHA1: FD523097DDA0C856C5253877E282E40277853A59 SHA-256: F98C6213392632399F8AA16443D245421E197B3544DFEAF952B22BEEE82F112D SHA-512: 04DBCCAF98D050BD2CF2D37EF51954BC73955ED5B75E817AC94D0D5C4DAE808755008D1E95C873F84DC082B853 36D16E8C5A5857630EE909DFF5BB261C8A43DD Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp

Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 3485696 Entropy (8bit): 6.159816921012735 Encrypted: false MD5: 4B1716853EA2868914F7EE82FBB39C49 SHA1: CA54A4310C63C58B5916437A45A44499D58C1571 SHA-256: BEB5C25EB5F659CBB2574F3EADDDA35C5B18E860558DAAC4533B4ED98E29BD55 SHA-512: 04F4D08D4A949F97D855239C37452A15D5D77870077DB4C1D32AD990E14DABD497E2F0E1AF7CFE183BEF13123B FCFB3C7C56B765B8949D2F7809719DFA2575C6 Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-JQNG1.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: ASCII text, with very long lines, with no line terminators Size (bytes): 2138 Entropy (8bit): 4.889525468669152 Encrypted: false MD5: 2B42AD72835B688AC14CD2937CC4A67D SHA1: FB0860A3FA01057A46B4CC014218B8AF0CC7DE25 SHA-256: 8D2D54CBD14448860948D181AA2AC727A77FA371FEE517ACE06DCE665F73856A SHA-512: 02677C172EBD4953868F56D26E3EE410CE5660C9A394519C22A4FA96548E4DE283DEA50A5DF9EDF5567E6C7BBC 639E551F78943C2BBA03A715EED96FF96A131E Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-K96D9.tmp

Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 7926272 Entropy (8bit): 6.601367231380244 Encrypted: false MD5: 45F919A95C4411E07FA9254A760F8597 SHA1: AD573425A2374DFE264984CA3AC688E2AEECDDEF SHA-256: 101F5C9F0F472E4C181FDD82917DAAF06DFF44D29921E7A4BC40B2833E44A26E SHA-512: 27A09A0217B4DB89E7C5DC3FF761F286B733E96454D08FFFB76F0D454448C4C95652DCA5022DD13B8CB418F9892 05A7E79ECBD2E61BC36C053EBA94BE920916C Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-KUJLB.tmp

Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows Size (bytes): 679936 Entropy (8bit): 5.7686568950177595 Encrypted: false MD5: 640A9FE56938C1EF90FB1C57BE003583 SHA1: 729BD4EAB9AA5113AD42D8D2A833B76479F7FEB7 SHA-256: 8C792A1B7B9717299346D066C09BC12971F99A5B14C8A4ACDB4479FCD7A79343 SHA-512: 584D9FFC10891B52F3936F1AF9883D23397DDE38281CE59EC00954997730DA97F0F7BF8879B3D557834010FA358F 20D001D4BAA16A36D103E7DB094867444726


Malicious: true Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\is-P49RL.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 1787680 Entropy (8bit): 6.419525098106039 Encrypted: false MD5: 11314DCD5C0306FBB12349B3A2EFDE10 SHA1: 688183228D9FBEC84FE759597901AA9BC7D1C2D2 SHA-256: E7ED381B381EEE55B9D07F51D802BCD37C111F81E3B44C00DCE1613EAE3C2F84 SHA-512: 6ABDFE12B6BE2D9689214E6641636548D30A8E5673B9498B41D62699B79E0BBC90FA8A5D702FE743822E5F971D8 56B2D14036FB34F0B5D712715D90AEB2C1F38 Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\unins000.dat Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: data Size (bytes): 25971 Entropy (8bit): 4.575344130744787 Encrypted: false MD5: AD543B165C8496C5038C15FC5F525317 SHA1: 36A7D8DBB9607B8431FABB504538473C8B7346CC SHA-256: 33A80A662A147B3834273C306B77C6A915CD8AA7925B0EDA28F2302A6BDAAC79 SHA-512: 20E4D0177B3E946FBB7AC9A615A0A681EBE47D8744D73D526B9B7BE5BED3469F363002D75C8E024D669868D9B1 909D6D44396ACB1C36A2560ECAD2408598057A Malicious: false Reputation: low

C:\Program Files\BitRecover\MSG Converter Wizard\unins000.msg Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: data Size (bytes): 10517 Entropy (8bit): 4.705261726260295 Encrypted: false MD5: C287CE24F7789121CC4E760524C119FA SHA1: 4E54CEA2E6F44744D33D364D4CE4AC5066C8CB87 SHA-256: B6FD072854C505B9C08F2547869451554CE6EAF62ACB46ECA34FF8C608572BEE SHA-512: 139EA39EB63B8AE4FCE08602C2205DC9E6B8B2B50F76F63C1576B111FE747C45CB2F5D238F9425826884A486771 5B21FC9A1A55667FB6D51811C67D844871FD3 Malicious: false Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover MSG Converter Wizard\BitRecover MSG Converter Wizard.lnk Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: MS Windows , Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 27 15:08:53 2018, mtime=Thu Sep 27 15:08:53 2018, atime=Wed Sep 5 11:29:46 2018, length=248096, window=hide Size (bytes): 1262 Entropy (8bit): 4.427156121183812 Encrypted: false MD5: 911A820CDEF1B30916B284CB09EB5EC8 SHA1: F62BC3E0924D61824367AD8F24C3F945FE4586AE SHA-256: 1D97FCC1EEC71B62D210E8F69DB649A738A912B2F8E7A9E1672EA98F6EF9AE67 SHA-512: 9EA6820140C0758B33C3CFA3CB740562F675F367C6C46F8505BFF0944D8A67F2BB80174FB31CF5826319B2C48BD 25975FF75B5533F6D7F1A6668EF002F661709 Malicious: false Reputation: low

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover MSG Converter Wizard\Uninstall BitRecover MSG Converter Wizard.lnk Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 27 15:08:49 2018, mtime=Thu Sep 27 15:08:49 2018, atime=Thu Sep 27 15:08:27 2018, length=725872, window=hide Size (bytes): 1212 Entropy (8bit): 4.458900236257192 Encrypted: false MD5: CD435DFE5C87CB352F814E19942D6428 SHA1: 611552DC423262B94D7F732D632ADB95BFB98A12 SHA-256: C1D2253A57DE6A3D1EA20B05B6A853CBBB17880D3437FEE6511758FFA6A5A11F SHA-512: B6B8BE110FFD8D42F698DA9114CD09359B6D3D4669B3094E4FD16F75C42C1F9261C81E90CBE08F6202519161554 340D9399050179A12F642FD82234325C2A114 Malicious: false Reputation: low

C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp Process: C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 725872 Entropy (8bit): 6.524228325833372 Encrypted: false MD5: 9605B01F38E7ACD4ECC093ECF5EAAD9A SHA1: 7B410DDADD38EAB8DFDFE806ED6582F59705D880 SHA-256: F2F10CB6B23CE0B10AF57F72B73E3767D0FC80414C911C945FFC42020BDD6F18 SHA-512: 8AE17D11BE25BD7410DDFCF933EF46A1A22E3E7B32BAE8D8E5C576F6628A0C7570AF20C7179F5CC23F46FA43F 62F00C5C26861399FA045F40B0DA1F8B01FC1F4 Malicious: false Reputation: low

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_RegDLL.tmp Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 4096 Entropy (8bit): 4.026670007889822 Encrypted: false MD5: 0EE914C6F0BB93996C75941E1AD629C6 SHA1: 12E2CB05506EE3E82046C41510F39A258A5E5549 SHA-256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2 SHA-512: A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB 45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9 Malicious: false Joe Sandbox View: Filename: kS7FWQVypL.exe, Detection: malicious, Browse Filename: siw-setup.exe, Detection: malicious, Browse Filename: RmC5VXmHCD.exe, Detection: malicious, Browse Filename: nbumailSrv405.exe, Detection: malicious, Browse Filename: 9GtD8eJphx.exe, Detection: malicious, Browse Filename: SUPERsetup.exe, Detection: malicious, Browse Reputation: moderate, very likely benign file

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_shfoldr.dll Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows Size (bytes): 23312 Entropy (8bit): 4.596242908851566 Encrypted: false MD5: 92DC6EF532FBB4A5C3201469A5B5EB63 SHA1: 3E89FF837147C16B4E41C30D6C796374E0B8E62C SHA-256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 SHA-512: 9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2 FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3 Malicious: false

Joe Sandbox View: Filename: kS7FWQVypL.exe, Detection: malicious, Browse Filename: FPaukxOmd8.exe, Detection: malicious, Browse Filename: yxcLHdJwJq.exe, Detection: malicious, Browse Filename: CouponViewer.exe, Detection: malicious, Browse Filename: DMSClientAUSDSetup.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: setup_mbot_es.exe, Detection: malicious, Browse Filename: Setup_FileViewPro_2016.exe, Detection: malicious, Browse Filename: setup_mbot_es.exe, Detection: malicious, Browse Filename: PCBrotherSoftFreeMP3Cutter.exe, Detection: malicious, Browse Filename: siw-setup.exe, Detection: malicious, Browse Filename: 57PO-Enquiry094.exe, Detection: malicious, Browse Filename: KzTddbsRwb.exe, Detection: malicious, Browse Filename: RmC5VXmHCD.exe, Detection: malicious, Browse Filename: yTY122FomU.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: nbumailSrv405.exe, Detection: malicious, Browse Filename: CouponViewer.exe, Detection: malicious, Browse Filename: google-earth-7_1_2_2041.exe, Detection: malicious, Browse Filename: CouponViewer.exe, Detection: malicious, Browse

Reputation: moderate, very likely benign file

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\isxdl.dll Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 124416 Entropy (8bit): 6.209017847933318 Encrypted: false MD5: 48AD1A1C893CE7BF456277A0A085ED01 SHA1: 803997EF17EEDF50969115C529A2BF8DE585DC91 SHA-256: B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3 SHA-512: 7C9E7FE9F00C62CCCB5921CB55BA0DD96A0077AD52962473C1E79CDA1FD9AA101129637043955703121443E1F8B 6B2860CD4DFDB71052B20A322E05DEED101A4 Malicious: false Reputation: moderate, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BitRecover MSG Converter Wizard.lnk
Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 27 15:08:53 2018, mtime=Thu Sep 27 15:08:53 2018, atime=Wed Sep 5 11:29:46 2018, length=248096, window=hide
Size (bytes): 1268
Entropy (8bit): 4.425780789789728
Encrypted: false
MD5: 185A5AB6A4A9073A3A3E0C1E2AA798D7
SHA1: 0C43C0BD68550E334578567884FE39DE8A297F7B
SHA-256: 0B8329C505E95821FBF51C19D16838749C488BF56D0E8B968C92746B8B993A07
SHA-512: 3AB35432B611679D66C7D9D14D4CC49B5C896FD8AA1DC9718BAE9E8A553084C88C7F3B6AAF5AD5521C1BFD07C63905F0B367B56FD0F5DB85AD98D4D7F0F09975
Malicious: false

C:\Users\user\Desktop\BitRecover MSG Converter Wizard.lnk
Process: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Sep 27 15:08:53 2018, mtime=Thu Sep 27 15:08:53 2018, atime=Wed Sep 5 11:29:46 2018, length=248096, window=hide
Size (bytes): 1244
Entropy (8bit): 4.4351106804564
Encrypted: false
MD5: 6222029445BABA4E7CF42FEBFC45C95C
SHA1: 12571454DDAE79E02EDF503F383DE8859385DA98
SHA-256: 4CEBE47685636AEC01801F8DD74F7EB5461DE234EEF0084DCDF0B327E98EF0D2
SHA-512: C2B1DDCB1D9811882C7BEAAA5BB43A14FE6CCE579CB289F9FED144CDB4A40F3EB511418B65B19D17EFA5CBC3F60A0AD5A9ED2673A11730613CB8A733FC2F97EC
Malicious: false

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.innosetup.com/ | bitrecover-msg-converter-wizard.tmp, bitrecover-msg-converter-wizard.tmp, 00000002.00000002.1738456635.00401000.00000020.sdmp | false | - | high
cknotes.com/v9-5-0-55-micro-update-new-features-fixes-changes-etc-2/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | - | high
spamarrest.com/ahttp://www.mailpass.com/verify.cgiYour | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
spamarrest.com/a | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.bitrecover.com$ | bitrecover-msg-converter-wizard.exe, 00000001.00000003.1628110655.013C0000.00000004.sdmp, bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1631106637.02220000.00000004.sdmp | false | Avira URL Cloud: safe | low
www.cknotes.com/?p=210WSAEWOULDBLOCK | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.bitrecover.com | MSGConverterWizard.exe, 00000004.00000002.2073854820.01D5E000.00000004.sdmp | false | - | high
iptc.org/std/Iptc4xmpCore/1.0/xmlns/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.chilkatsoft.com/) | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.cknotes.com/?p=282 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
cknotes.com/v9-5-0-55-micro-update-new-features-fixes-changes-etc-2/Update | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.chilkatsoft.com/rssComponent.html | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | - | high
www.anything.com | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | 0%, virustotal; Avira URL Cloud: safe | low
www.chilkatforum.com/questions/11627/sftp-failed-to-get-address-info | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
us.rd.yahoo.com/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.cknotes.com/?p=411The | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
us.ard.yahoo.com/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
us.rd.yahoo.com/http://us.ard.yahoo.com/No | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.aspose.com/corporate/purchase/license-instructions.aspx | MSGConverterWizard.exe, 00000004.00000002.2073854820.01D5E000.00000004.sdmp | false | - | high
www.cknotes.com/?p=91 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
https://login.yahoo.com/account/security | MSGConverterWizard.exe, 00000004.00000002.2073854820.01D5E000.00000004.sdmp | false | - | high
www.cknotes.com/?p=91WSAECONNABORTED | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.bitrecover.com/msg/converter/ | MSGConverterWizard.exe, 00000004.00000002.2073854820.01D5E000.00000004.sdmp | false | - | high
www.cknotes.com/?p=217WSAECONNRESET | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
https://outlook.office365.com/ews/exchange.asmxZPlease | MSGConverterWizard.exe, 00000004.00000002.2073854820.01D5E000.00000004.sdmp | false | - | high
https://www.chilkatsoft.com/oauth2_denied.html | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.remobjects.com/psU | bitrecover-msg-converter-wizard.exe, 00000001.00000003.1628295443.013C0000.00000004.sdmp, bitrecover-msg-converter-wizard.tmp, 00000002.00000002.1738456635.00401000.00000020.sdmp | false | - | high
www.chilkatsoft.com/p/p_463.asp) | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | - | high
www.cknotes.com/?p=217 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
cknotes.com/determining-ftp2-connection-settings/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.cknotes.com/?p=411 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
https://www.chilkatsoft.com/oauth2_allowed.html | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.cknotes.com/?p=370Check | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
https://BUCKET. | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://S3_BUCKET. | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | Avira URL Cloud: safe | low
www.cknotes.com/?p=210 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.cknotes.com/?p=370 | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | - | high
www.mailpass.com/verify.cgi | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | 0%, virustotal; Avira URL Cloud: safe | unknown
www.istool.org/ | bitrecover-msg-converter-wizard.tmp, 00000002.00000001.1640548630.1001D000.00000002.sdmp | false | 0%, virustotal; Avira URL Cloud: safe | low
www.remobjects.com/ps | bitrecover-msg-converter-wizard.exe, 00000001.00000003.1628295443.013C0000.00000004.sdmp, bitrecover-msg-converter-wizard.tmp | false | - | high
BUCKET. | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp, is-K96D9.tmp.2.dr | false | Avira URL Cloud: safe | unknown
ENDPOINT/Content-MD5DateAuthorizationS3_ListBucketsresponseHeaderBUCKETOBJECThttp://BUCKET./O | bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1728230550.02240000.00000004.sdmp | false | Avira URL Cloud: safe | low
www.bitrecover.com6 | bitrecover-msg-converter-wizard.exe, 00000001.00000003.1628162818.01211000.00000004.sdmp, bitrecover-msg-converter-wizard.tmp, 00000002.00000003.1631235413.012E8000.00000004.sdmp | false | Avira URL Cloud: safe | unknown

Note: these strings were carved from process memory and from the dropped file is-K96D9.tmp (renamed to ChilkatDotNet4.dll at install time, see File Moved). Entries such as www.cknotes.com/?p=210WSAEWOULDBLOCK, spamarrest.com/a, www.anything.com, BUCKET. and S3_BUCKET. are error-message and URL-template literals of the embedded Chilkat and Aspose libraries, not endpoints the installer contacted; trailing characters like $, 6 and ) are string-carving residue. No connection was made during the run (Contacted Domains, Contacted IPs and Network Behavior are all empty).

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.999808878996533
TrID: Win32 Executable (generic) a (10002005/4) 98.84%; Inno Setup installer (109748/4) 1.08%; Win16/32 Executable Delphi generic (2074/23) 0.02%; Generic Win/DOS Executable (2004/3) 0.02%; DOS Executable Generic (2002/1) 0.02%
File name: bitrecover-msg-converter-wizard.exe
File size: 16156784
MD5: 89fbba7d5b9d9730d18d59802e7ae2ca
SHA1: 71667f4cc5850916014efdd9cd87b90e58518740
SHA256: 759341441c0ab1c1f0e474786d35d697513ab02450797e05e76f3fd3ab7fd068
SHA512: 0d881af086688ee0662d2cae5cb9ea924d4adb5935f030ca97ad0651dbc26a3cb4e6688834b47db83c8475b313775d413cc6ed438a206c32b566e62baf01b200
File Content Preview: MZP...... @...... !..L.!.. This program must be run under Win32..$7......

Note: an entropy of 7.9998 over a 16 MB file is the signature of the compressed Inno Setup payload appended behind the small Delphi loader (the 725872-byte .tmp written under System Behavior), not of an encrypted or packed executable; the loader's own sections score between 2.75 and 6.56 (see Sections).

File Icon

Static PE Info

General

Entrypoint: 0x409c40
Entrypoint Section: CODE
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the constant the Borland/Delphi linker writes into every image; not a build date)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e

Note: DLL Characteristics carries neither DYNAMIC_BASE nor NX_COMPAT and the image has RELOCS_STRIPPED, so the loader always maps at 0x400000 without ASLR and does not opt in to DEP; this is the stock build configuration of the Inno Setup loader, not a property of the installed application.

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 3/13/2016 1:00:00 AM
Not After: 3/20/2019 1:00:00 PM
Subject Chain: CN=BitRecover Software, O=BitRecover Software, L=Delhi, S=Delhi, C=IN
Version: 3
Thumbprint: 4A2A1DDEC5A7AC0412FBD9277C9223A06D8FB2A2
Serial: 0CFDFAB1E89A84EF19DFF9E4E2E4BC61

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FDFF0F0694Bh
call 00007FDFF0F07B52h
call 00007FDFF0F07DE1h
call 00007FDFF0F09E18h
call 00007FDFF0F09E5Fh
call 00007FDFF0F0C78Eh
call 00007FDFF0F0C8F5h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FDFF0F0D35Bh
call 00007FDFF0F0CF8Eh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FDFF0F0A448h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007FDFF0F069F7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FDFF0F0ACD7h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FDFF0F0D3CBh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FDFF0F0D50Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h

Note: the repeated push ebp / push <handler> / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp sequences install SEH frames the way the Delphi compiler emits them for try/finally blocks, and the run of unit-initialisation calls at the top is the Delphi System unit startup. Together with the MZP stub and the fixed link stamp, this is the stock Inno Setup loader entry point rather than hand-written code.

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x7060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf67b00 | 0xd70 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0x0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Note: IMAGE_DIRECTORY_ENTRY_SECURITY holds a raw file offset rather than an RVA, which is why it maps to no section. 0xf67b00 + 0xd70 = 0xf68870 = 16156784, exactly the file size, so the Authenticode certificate table is the last 3440 bytes of the file and everything before it (the loader plus the appended Inno Setup payload) is covered by the signature hash.

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | False | 0.614864864865 | data | 6.56223225793 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | False | 0.3154296875 | data | 2.7534822782 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0xc000 | 0xe4c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xd000 | 0x950 | 0xa00 | False | 0.414453125 | data | 4.4307330698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0xe000 | 0x8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x18 | 0x200 | False | 0.052734375 | dBase IV DBT of \320\[email protected], blocks size 4251656, next free block index 4251648 | 0.20448815744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x7060 | 0x7200 | False | 0.32695997807 | data | 5.83545429233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Note: the "dBase IV DBT" type for .rdata is a libmagic false match on the 0x18-byte TLS directory that this section holds (see Data Directories). .tls and .reloc have a raw size of 0; with RELOCS_STRIPPED set in the file header the image carries no relocation data at all.
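The Static PE Info, Authenticode Signature, Data Directories and Sections tables above are all read from the same few PE structures. As an added example (not part of the Joe Sandbox report, and not BitRecover's or Inno Setup's code), the following Python does that reading on a tiny PE32 that it constructs itself: it walks the COFF and optional headers, the data directories and the section table, computes the 8-bit Shannon entropy per section exactly as the Entropy column is defined, and locates the WIN_CERTIFICATE table that the SECURITY directory points at. It adds the two checks a practitioner wants on a signed Delphi/Inno Setup binary: whether the link stamp is the fixed Borland value 0x2A425E19 shown above, and whether the certificate table is the last thing in the file (as it is here, 0xf67b00 + 0xd70 = 16156784), which is what puts the appended payload under the signature hash. authentihash() computes the Authenticode digest with the CheckSum field, the SECURITY entry and the certificate table excluded, in the simplified linear form that is exact when sections are contiguous and in file order. The image, its section contents and the 24-byte certificate blob are constructed; only the constants (0x2A425E19, PE32 field offsets, WIN_CERTIFICATE layout) are real.

```python
import hashlib
import math
import struct
from collections import Counter

# Fixed link stamp the Borland/Delphi linker writes into every image (not a build date).
DELPHI_FIXED_TIMESTAMP = 0x2A425E19
DIRECTORY_NAMES = ("EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG COPYRIGHT "
                   "GLOBALPTR TLS LOAD_CONFIG BOUND_IMPORT IAT DELAY_IMPORT COM_DESCRIPTOR RESERVED").split()
SECURITY = DIRECTORY_NAMES.index("SECURITY")

def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte: the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (two sections, dummy certificate table); not the real sample."""
    e_lfanew, hdr_size, dos = 0x80, 0x200, bytearray(64)
    dos[:4] = b"MZP\x00"                          # Delphi-style magic, as in the report's preview
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"This program must be run under Win32\r\n$7".ljust(e_lfanew - 64, b"\x00")
    code = bytes(range(256)) * 2                  # every byte value twice -> entropy 8.0
    data = b"\x00" * 0x100 + b"\xff" * 0x100      # two equiprobable symbols -> entropy 1.0
    blob = b"\xaa" * 24                           # stands in for the PKCS#7 SignedData
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob  # WIN_CERTIFICATE header
    cert_off = hdr_size + len(code) + len(data)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, DELPHI_FIXED_TIMESTAMP, 0, 0, 224, 0x010F)
    dirs = [(0, 0)] * 16
    dirs[SECURITY] = (cert_off, len(cert))        # file offset and size, not an RVA
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 2, 25, len(code), len(data), 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 1, 0, 1, 0, 1, 0, 0, 0x3000, hdr_size, 0,
                      2, 0x8000, 0x100000, 0x4000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    def sect(name, size, va, raw, chars):         # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, chars)
    sects = (sect(b"CODE", len(code), 0x1000, hdr_size, 0x60000020)
             + sect(b"DATA", len(data), 0x2000, hdr_size + len(code), 0xC0000040))
    headers = (bytes(dos) + stub + b"PE\x00\x00" + coff + opt + sects).ljust(hdr_size, b"\x00")
    return headers + code + data + cert

def parse_pe(img: bytes) -> dict:
    """Pull out the fields the Static PE Info tables are built from."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", img, coff)
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, imagebase = (struct.unpack_from("<I", img, opt + o)[0] for o in (16, 28))
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", img, opt + 96 + 8 * i)
            for i in range(min(struct.unpack_from("<I", img, opt + 92)[0], 16))}
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", img, off)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "rsize": rsize, "entropy": entropy8(img[raw:raw + rsize]),
                         "chars": struct.unpack_from("<I", img, off + 36)[0]})
    sec_off, sec_size = dirs.get("SECURITY", (0, 0))
    cert = None
    if sec_size:                                  # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
        length, rev, ctype = struct.unpack_from("<IHH", img, sec_off)
        cert = {"offset": sec_off, "length": length, "revision": rev, "type": ctype,
                "is_last_in_file": sec_off + sec_size == len(img)}
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "delphi_fixed_stamp": stamp == DELPHI_FIXED_TIMESTAMP, "entrypoint": entry,
            "imagebase": imagebase, "directories": dirs, "sections": sections,
            "certificate": cert, "_checksum_off": opt + 64, "_secdir_off": opt + 96 + 8 * SECURITY}

def authentihash(img: bytes, algo: str = "sha256") -> str:
    """Digest the file as Authenticode does: skip the CheckSum field, the SECURITY directory
    entry and the certificate table.  Linear form, valid when sections are contiguous and in
    file order (true for the constructed sample)."""
    info = parse_pe(img)
    skip = [(info["_checksum_off"], 4), (info["_secdir_off"], 8)]
    sec_off, sec_size = info["directories"].get("SECURITY", (0, 0))
    if sec_size:
        skip.append((sec_off, sec_size))
    h, pos = hashlib.new(algo), 0
    for off, length in sorted(skip):
        h.update(img[pos:off])
        pos = off + length
    h.update(img[pos:])
    return h.hexdigest()

if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    for s in info["sections"]:
        print(f"{s['name']:<6} va=0x{s['va']:x} raw=0x{s['raw']:x} entropy={s['entropy']:.4f}")
    print("delphi stamp:", info["delphi_fixed_stamp"], "cert is file tail:",
          info["certificate"]["is_last_in_file"], "authentihash:", authentihash(sample))
```

To run this against the real installer, pass open(path, "rb").read() to parse_pe(). The value authentihash() returns is the digest that the PKCS#7 SignedData in the certificate table attests to; comparing it with the digest embedded in that blob and validating the certificate chain is what Windows does behind the "Signature Valid: true" above, and is the step this example leaves out.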

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x113b4 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x1191c | 0x8a8 | data | English | United States
RT_ICON | 0x121c4 | 0xea8 | data | English | United States
RT_ICON | 0x1306c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x134d4 | 0x10a8 | data | English | United States
RT_ICON | 0x1457c | 0x25a8 | data | English | United States
RT_STRING | 0x16b24 | 0x2f2 | data | |
RT_STRING | 0x16e18 | 0x30c | data | |
RT_STRING | 0x17124 | 0x2ce | data | |
RT_STRING | 0x173f4 | 0x68 | data | |
RT_STRING | 0x1745c | 0xb4 | data | |
RT_STRING | 0x17510 | 0xae | data | |
RT_RCDATA | 0x175c0 | 0x2c | data | |
RT_GROUP_ICON | 0x175ec | 0x5a | MS Windows icon resource - 6 icons, 16x16, 256-colors | English | United States
RT_VERSION | 0x17648 | 0x4b8 | COM executable for DOS | English | United States
RT_MANIFEST | 0x17b00 | 0x560 | XML document text | English | United States

Note: "COM executable for DOS" for RT_VERSION is another libmagic false match; the resource is the VS_VERSIONINFO block listed under Version Infos.

Imports

DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges

Note: each DLL appears twice because Delphi emits one import descriptor for the System unit and one for the program itself. OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges together with ExitWindowsEx form the enable-SeShutdownPrivilege-then-reboot path that Inno Setup uses when an install requests a restart; CreateProcessA, CreateFileA, WriteFile and DeleteFileA are the calls that write, start and later remove the extracted .tmp seen under System Behavior.

Version Infos

Description | Data
LegalCopyright |
FileVersion | 6.5
CompanyName | BitRecover
Comments | This installation was built with Inno Setup.
ProductName | BitRecover MSG Converter Wizard
ProductVersion | 6.5
FileDescription | BitRecover MSG Converter Wizard Setup
Translation | 0x0000 0x04b0

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• bitrecover-msg-converter-wizard.exe
• bitrecover-msg-converter-wizard.tmp
• MSGConverterWizard.exe


System Behavior

Analysis Process: bitrecover-msg-converter-wizard.exe PID: 3972 Parent PID: 3700

General

Start time: 17:08:27
Start date: 27/09/2018
Path: C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe'
Imagebase: 0x400000
File size: 16156784 bytes
MD5 hash: 89FBBA7D5B9D9730D18D59802E7AE2CA
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol

C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 40937B; Symbol: CreateDirectoryA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
  Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 4075BD; Symbol: CreateFileA

File Deleted

Source File Path; Completion; Count; Address; Symbol

C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
  Completion: success or wait; Count: 1; Address: 408FF8; Symbol: DeleteFileA

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
  Offset: unknown; Length: 725872; Completion: success or wait; Count: 1; Address: 4076E4; Symbol: WriteFile
  Value (first bytes): 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 49 6e 55 6e 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 ... (zero padding up to the PE header at e_lfanew = 0x100)
  Ascii: MZP.....@.......InUn............This program must be run under Win32..$7

Note: the whole 725872-byte Inno Setup loader (the .tmp run next) is written in a single WriteFile call. The MZP magic and the "This program must be run under Win32" stub are the Delphi linker's DOS header; the 4-byte "InUn" marker at offset 0x30 is Inno Setup's, and the same four bytes are the only thing written into is-E46TV.tmp (the future unins000.exe) by the child process below.

File Read

Source File Path; Offset; Length; Completion; Count; Address; Symbol

C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe
  Offset: unknown; Length: 64; Completion: success or wait; Count: 1; Address: 407648; Symbol: ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe
  Offset: unknown; Length: 4; Completion: success or wait; Count: 2; Address: 407648; Symbol: ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe
  Offset: unknown; Length: 4; Completion: success or wait; Count: 4; Address: 407648; Symbol: ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe
  Offset: unknown; Length: 4; Completion: success or wait; Count: 2; Address: 407648; Symbol: ReadFile

Analysis Process: bitrecover-msg-converter-wizard.tmp PID: 3984 Parent PID: 3972

General

Start time: 17:08:27
Start date: 27/09/2018
Path: C:\Users\user\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp
Wow64 process (32bit): false
Commandline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp' /SL5='$13016C,15875683,72192,C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe'
Imagebase: 0x400000
File size: 725872 bytes
MD5 hash: 9605B01F38E7ACD4ECC093ECF5EAAD9A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path; Access; Attributes; Options; Completion; Count; Address; Symbol

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 4530CF; Symbol: CreateDirectoryA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 47B7A4; Symbol: CreateDirectoryA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_RegDLL.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 406EEA; Symbol: CreateFileA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_shfoldr.dll
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 406EEA; Symbol: CreateFileA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\isxdl.dll
  Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 451E0E; Symbol: CreateDirectoryA
C:\Program Files\BitRecover\MSG Converter Wizard
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 451E0E; Symbol: CreateDirectoryA
C:\Program Files\BitRecover\MSG Converter Wizard\unins000.dat
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 47434E; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-E46TV.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-JQNG1.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-P49RL.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-4ABBU.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-FLNCK.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-H7HSB.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-KUJLB.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-K96D9.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-J89RQ.tmp
  Access: read attributes | synchronize | generic read | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitRecover MSG Converter Wizard
  Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Address: 451E0E; Symbol: CreateDirectoryA
C:\Program Files\BitRecover\MSG Converter Wizard\unins000.msg
  Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Address: 44FE69; Symbol: CreateFileA

File Deleted

Source File Path; Completion; Count; Address; Symbol

C:\Program Files\BitRecover\MSG Converter Wizard\messsage.dat
  Completion: success or wait; Count: 1; Address: 451FA4; Symbol: DeleteFileA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\isxdl.dll
  Completion: success or wait; Count: 1; Address: 451FA4; Symbol: DeleteFileA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_RegDLL.tmp
  Completion: success or wait; Count: 1; Address: 451FA4; Symbol: DeleteFileA
C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_shfoldr.dll
  Completion: success or wait; Count: 1; Address: 451FA4; Symbol: DeleteFileA

File Moved

Source Old File Path; New File Path; Completion; Count; Address; Symbol

C:\Program Files\BitRecover\MSG Converter Wizard\is-E46TV.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\unins000.exe
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-JQNG1.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\messsage.dat
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-P49RL.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\Activate.exe
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-4ABBU.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\Aspose.Email.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-FLNCK.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\messsage.dat
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-H7HSB.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\NReco.PdfGenerator.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\itextsharp.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-KUJLB.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\UseOffice.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\Interop.Domino.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-K96D9.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\ChilkatDotNet4.dll
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA
C:\Program Files\BitRecover\MSG Converter Wizard\is-J89RQ.tmp -> C:\Program Files\BitRecover\MSG Converter Wizard\MSGConverterWizard.exe
  Completion: success or wait; Count: 1; Address: 452327; Symbol: MoveFileA

Note: every payload file is staged as is-XXXXX.tmp in the target directory and then renamed into place, which is the standard Inno Setup install sequence. messsage.dat is installed twice (from is-JQNG1.tmp and again from is-FLNCK.tmp); because MoveFileA fails when the destination already exists, the DeleteFileA on messsage.dat listed under File Deleted must sit between the two renames, and the copy left on disk is the second one.
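The three tables above (File Created, File Deleted, File Moved) describe one procedure: Inno Setup stages every payload file as <dir>\is-XXXXX.tmp, renames it into place with MoveFileA, and removes the helpers it extracted under %TEMP%\is-XXXXX.tmp. The following Python replays such events to recover the installer's real on-disk footprint, the staging name each installed file came from, destinations written more than once, and any staging file left behind. It is an added example, not Joe Sandbox, Inno Setup or BitRecover code. The event list is constructed from the tables above (a subset, not a verbatim copy); because the report groups events by operation rather than by time, the position of the messsage.dat deletion between the two renames onto it is an assumption.

```python
import re
from collections import defaultdict

# Inno Setup staging name: <dir>\is-XXXXX.tmp, used both for the %TEMP% work
# directory and for every payload file before it is renamed into place.
INNO_STAGING = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(?:\\|$)", re.IGNORECASE)

TMP = r"C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp"
PF = r"C:\Program Files\BitRecover\MSG Converter Wizard"

# (operation, path, new_path): constructed from the File Created / Deleted / Moved
# tables of the report.  The report groups events by operation, so the position of
# the messsage.dat deletion relative to the second rename onto it is an assumption.
EVENTS = [
    ("created", TMP + r"\_isetup\_shfoldr.dll", None),
    ("created", TMP + r"\isxdl.dll", None),
    ("created", PF + r"\is-E46TV.tmp", None),
    ("created", PF + r"\is-JQNG1.tmp", None),
    ("created", PF + r"\is-FLNCK.tmp", None),
    ("created", PF + r"\is-J89RQ.tmp", None),
    ("moved", PF + r"\is-E46TV.tmp", PF + r"\unins000.exe"),
    ("moved", PF + r"\is-JQNG1.tmp", PF + r"\messsage.dat"),
    ("deleted", PF + r"\messsage.dat", None),
    ("moved", PF + r"\is-FLNCK.tmp", PF + r"\messsage.dat"),
    ("moved", PF + r"\is-J89RQ.tmp", PF + r"\MSGConverterWizard.exe"),
    ("created", r"C:\Users\user\Desktop\BitRecover MSG Converter Wizard.lnk", None),
    ("deleted", TMP + r"\_isetup\_shfoldr.dll", None),
    ("deleted", TMP + r"\isxdl.dll", None),
]

def reconstruct(events):
    """Replay file events and return what is left on disk, where each installed
    file was staged from, which destinations were written more than once, and
    which staging helpers the installer cleaned up."""
    present = set()
    origin = defaultdict(list)     # destination -> staging names renamed onto it, in order
    overwritten, removed = set(), []
    for op, path, new_path in events:
        if op == "created":
            present.add(path)
        elif op == "moved":
            present.discard(path)
            if new_path in present or origin[new_path]:
                overwritten.add(new_path)   # second install of the same destination
            origin[new_path].append(path.rsplit("\\", 1)[-1])
            present.add(new_path)
        elif op == "deleted":
            present.discard(path)
            removed.append(path)
    return {
        "on_disk": sorted(present),
        "origin": dict(origin),
        "overwritten": sorted(overwritten),
        "helpers_removed": sorted(p for p in removed if INNO_STAGING.search(p)),
        "staging_left": sorted(p for p in present if INNO_STAGING.search(p)),
        "shortcuts": sorted(p for p in present if p.lower().endswith(".lnk")),
    }

if __name__ == "__main__":
    result = reconstruct(EVENTS)
    for path in result["on_disk"]:
        print(f"{path}  <- {', '.join(result['origin'].get(path, ['written directly']))}")
    print("overwritten:", result["overwritten"])
    print("helpers removed:", result["helpers_removed"])
    print("staging files left behind:", result["staging_left"])
```

Against a real report, feed reconstruct() the full event list in capture order; a non-empty staging_left means the installer aborted or was killed mid-copy, and any entry in overwritten deserves a look at which staged file actually won, since the hash of the file on disk belongs to the later one.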

File Written

Source File Path Offset Length Value Ascii Completion Count Address Symbol

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_RegDLL.tmp
  Offset: unknown; Length: 4096; Completion: success or wait; Count: 1; Address: 406F31; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cf db f3 aa 8b ba 9d f9 8b ba 9d f9 8b ba 9d f9 48 b5 c0 f9 8c ba 9d f9 8b ba 9c f9 85 ba 9d f9 ac 7c f0 f9 8a ba 9d f9 ac 7c e1 f9 8a ba 9d f9 ac 7c e5 f9 8a ba 9d f9 52 69 63 68 8b ba 9d f9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a3 4d 3b 4a 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 02 00 00 00 0a 00 00 00 00 00 00 d0 11 00 00 00 10 00 00 00 20 00 00 00 00 40
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... H..... ...... |...... |...... |.. ....Rich...... PE..L....M ;J...... ....@

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\_isetup\_shfoldr.dll
  Offset: unknown; Length: 23312; Completion: success or wait; Count: 1; Address: 406F31; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 49 7a 4a 5e 0d 1b 24 0d 0d 1b 24 0d 0d 1b 24 0d 0d 1b 25 0d 22 1b 24 0d 54 38 37 0d 0b 1b 24 0d 5b 13 22 0d 0c 1b 24 0d 0d 1b 24 0d 0c 1b 24 0d 52 69 63 68 0d 1b 24 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 d9 5c 3b 00 00 00 00 00 00 00 00 e0 00 06 23 0b 01 05 0c 00 20 00 00 00 34 00 00 00 00 00 00 f6 27 00 00 00 10 00
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... IzJ^..$...$...$...%.". $.T87...$.[."...$...$...$.Rich ..$...... PE ..L.....\;...... #...... .4...... '.....

C:\Users\SAMTAR~1\AppData\Local\Temp\is-I7DGQ.tmp\isxdl.dll
  Offset: unknown; Length: 65536; Completion: success or wait; Count: 2; Address: 44FFC4; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 9c ed c0 ed fd 83 93 ed fd 83 93 ed fd 83 93 e4 85 16 93 fb fd 83 93 e4 85 00 93 8e fd 83 93 ca 3b ee 93 ec fd 83 93 ca 3b f8 93 e4 fd 83 93 ed fd 82 93 75 fd 83 93 e4 85 07 93 d5 fd 83 93 e4 85 11 93 ec fd 83 93 f3 af 17 93 ec fd 83 93 e4 85 12 93 ec fd 83 93 52 69 63 68 ed fd 83 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 3e db 49 00 00 00
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... ...... ;...... ;...... u...... ...... Rich...... PE..L....>.I...

C:\Program Files\BitRecover\MSG Converter Wizard\is-E46TV.tmp
  Offset: unknown; Length: 4; Completion: success or wait; Count: 1; Address: 44FFC4; Symbol: WriteFile
  Value: 49 6e 55 6e
  Ascii: InUn

C:\Program Files\BitRecover\MSG Converter Wizard\is- (file name cut off at a missing report page)
  Offset: unknown; Length: 2138
  Value (as extracted): 3c 65 6d 61 69 6c 73 20 65 6c 65 6d 65 6e 22 31 22 3e 3c 65 6d 3a 73 70 61 63 65 3d 46 4d 65 73 73 61 67

C:\Program Files\BitRecover\MSG Converter Wizard\is-H7HSB.tmp
  Offset: unknown; Length: 65536; Completion: success or wait; Count: 148; Address: 44FFC4; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 3c 0a b2 56 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 b8 93 00 00 08 00 00 00 00 00 00 6e d7 93 00 00 20 00 00 00 e0 93 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 94 00 00 02 00 00 a7 56 94 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode....$...... PE..L... <..V...... !...... n.... ...... ...... V....@...... ......

C:\Program Files\BitRecover\MSG Converter Wizard\is-JHM84.tmp
  Offset: unknown; Length: 65536; Completion: success or wait; Count: 54; Address: 44FFC4; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9f 66 d2 4c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 00 35 00 00 20 00 00 00 00 00 00 2e 17 35 00 00 20 00 00 00 20 35 00 00 00 00 11 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 35 00 00 10 00 00 bd 1f 36 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... PE..L....f.L...... .!...... 5...... 5.. ... 5...... ...... ` 5...... 6...@...... ......

C:\Program Files\BitRecover\MSG Converter Wizard\is-KUJLB.tmp
  Offset: unknown; Length: 65536; Completion: success or wait; Count: 11; Address: 44FFC4; Symbol: WriteFile
  Value (first bytes): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bd f5 35 57 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 30 0a 00 00 20 00 00 00 00 00 00 ee 44 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0a 00 00 10 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... PE..L.....5W...... .!.....0...... D...... `....@.. ...... ...... @...... ......

C:\Program Files\BitRecover\MSG Converter Wizard\is-6SKIK.tmp
  Offset: unknown; Length: 65536; Completion: success or wait; Count: 4; Address: 44FFC4; Symbol: WriteFile
  Value (first bytes, truncated in the source): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09
  Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... PE..L....W'F...... .!...... @.. ...... ...... ......

Note: the 65536-byte writes are Inno Setup's copy buffer, so Count times 64 KB approximates each payload's size (is-H7HSB.tmp, later NReco.PdfGenerator.dll, is about 9.7 MB). The "PE..L" images written to is-H7HSB.tmp, is-JHM84.tmp, is-KUJLB.tmp and is-6SKIK.tmp have e_lfanew = 0x80 and no Rich header, which fits the .NET assemblies they become under File Moved; the three helper DLLs written to %TEMP% carry Rich headers and e_lfanew of 0xc8, 0xd0 and 0xf0.
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 87 57 27 46 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 90 03 00 00 20 00 00 00 00 00 00 be aa 03 00 00 20 00 00 00 c0 03 00 00 00 40 00 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 00 00 00 00 03 00 00 04 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2018 Page 33 of 37 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files\BitRecover\MSG Converter Wizard\is- unknown 65536 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 121 44FFC4 WriteFile K96D9.tmp 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... %.^.K.^.K.^.K.@...\. 00 00 00 00 00 00 00 K.E%..].K.....\.K.E%..R.K.E 00 00 00 00 00 00 00 %.. 00 00 00 f8 00 00 00 S.K.W...T.K.^.J.B.K.E%.... 0e 1f ba 0e 00 b4 09 K.E% cd 21 b8 01 4c cd 21 .._.K.E%.._.K.Rich^.K...... 54 68 69 73 20 70 72 ...... PE..L.. 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1a d9 25 c0 5e b8 4b 93 5e b8 4b 93 5e b8 4b 93 40 ea d8 93 5c b8 4b 93 45 25 d7 93 5d b8 4b 93 cd f6 d3 93 5c b8 4b 93 45 25 d5 93 52 b8 4b 93 45 25 e1 93 53 b8 4b 93 57 c0 d8 93 54 b8 4b 93 5e b8 4a 93 42 b9 4b 93 45 25 e0 93 13 ba 4b 93 45 25 d1 93 5f b8 4b 93 45 25 d6 93 5f b8 4b 93 52 69 63 68 5e b8 4b 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 C:\Program Files\BitRecover\MSG Converter Wizard\is- unknown 65536 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 4 44FFC4 WriteFile J89RQ.tmp 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...R.. 00 00 00 00 00 00 00 [...... L...... k...... 00 00 00 00 00 00 00 ..@...... 00 00 00 00 00 00 00 ...... \.....@...... 00 00 00 80 00 00 00 ...... 
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 52 8c 8f 5b 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 4c 03 00 00 b4 03 00 00 00 00 00 c2 6b 03 00 00 20 00 00 00 80 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 5c 1f 04 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2018 Page 34 of 37 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files\BitRecover\MSG Converter unknown 10472 49 6e 6e 6f 20 53 65 Inno Setup Messages success or wait 2 44FFC4 WriteFile Wizard\unins000.msg 74 75 70 20 4d 65 73 (5.1.11).. 73 61 67 65 73 20 28 ...... 35 2e 31 2e 31 31 29 (...... '\..&About Setup....%1 00 00 00 00 00 00 00 version %2..%3....%1 00 00 00 00 00 00 00 home page:..%4..About 00 00 00 00 00 00 00 Setup.You must be logged 00 00 00 00 00 00 00 in as an administrator 00 00 00 00 00 00 00 when installing this 00 cf 00 00 00 e8 28 program..Folder names 00 00 17 d7 ff ff 27 5c cannot include any of 8f 08 26 41 62 6f 75 74 20 53 65 74 75 70 2e 2e 2e 00 25 31 20 76 65 72 73 69 6f 6e 20 25 32 0d 0a 25 33 0d 0a 0d 0a 25 31 20 68 6f 6d 65 20 70 61 67 65 3a 0d 0a 25 34 00 00 41 62 6f 75 74 20 53 65 74 75 70 00 59 6f 75 20 6d 75 73 74 20 62 65 20 6c 6f 67 67 65 64 20 69 6e 20 61 73 20 61 6e 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 77 68 65 6e 20 69 6e 73 74 61 6c 6c 69 6e 67 20 74 68 69 73 20 70 72 6f 67 72 61 6d 2e 00 46 6f 6c 64 65 72 20 6e 61 6d 65 73 20 63 61 6e 6e 6f 74 20 69 6e 63 6c 75 64 65 20 61 6e 79 20 6f 66 20 C:\Program Files\BitRecover\MSG Converter unknown 448 00 00 00 00 00 00 00 ...... success or wait 2 44FFC4 WriteFile Wizard\unins000.dat 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Program Files\BitRecover\MSG Converter unknown 12 00 10 00 00 ff ef ff ff d0 ...... ]._ success or wait 12 44FFC4 WriteFile Wizard\unins000.dat 5d 0c 5f C:\Program Files\BitRecover\MSG Converter unknown 12 9f 01 00 00 60 fe ff ff ....`...d... success or wait 2 44FFC4 WriteFile Wizard\unins000.dat 64 94 a7 d0

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 64 | success or wait | 1 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 4 | success or wait | 2 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 4 | success or wait | 4 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 4 | success or wait | 2 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 4 | success or wait | 1 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 5 | success or wait | 2 | 44FEF4 | ReadFile
C:\Users\SAMTAR~1\AppData\Local\Temp\is-DSQVJ.tmp\bitrecover-msg-converter-wizard.tmp | unknown | 65536 | success or wait | 1 | 44FEF4 | ReadFile
C:\Users\user\Desktop\bitrecover-msg-converter-wizard.exe | unknown | 65536 | success or wait | 240 | 44FEF4 | ReadFile
C:\Program Files\BitRecover\MSG Converter Wizard\messsage.dat | unknown | 2138 | success or wait | 1 | 44FEF4 | ReadFile

Registry Activities

Key Created

Source Key Path | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HXGYMIED | success or wait | 1 | 42DD3D | RegCreateKeyExA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | success or wait | 1 | 42DD3D | RegCreateKeyExA

Key Value Created

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HXGYMIED | FilePath | | C:\Program Files\BitRecover\MSG Converter Wizard | success or wait | 1 | 472CEF | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HXGYMIED | ActivationKey | unicode | | success or wait | 1 | 472CEF | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HXGYMIED | UHJk | unicode | | success or wait | 1 | 472CEF | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: Setup Version | unicode | 5.4.2 (a) | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: App Path | unicode | C:\Program Files\BitRecover\MSG Converter Wizard | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | InstallLocation | unicode | C:\Program Files\BitRecover\MSG Converter Wizard\ | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: Icon Group | unicode | BitRecover MSG Converter Wizard | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: User | unicode | Sam Tarwell | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: Selected Tasks | unicode | desktopicon,quicklaunchicon | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: Deselected Tasks | unicode | | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Inno Setup: Language | unicode | en | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | DisplayName | unicode | BitRecover MSG Converter Wizard | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | DisplayIcon | unicode | main.ico | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | UninstallString | unicode | "C:\Program Files\BitRecover\MSG Converter Wizard\unins000.exe" | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | QuietUninstallString | unicode | "C:\Program Files\BitRecover\MSG Converter Wizard\unins000.exe" /SILENT | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | Publisher | unicode | BitRecover | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | URLInfoAbout | unicode | http://www.bitrecover.com | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | HelpLink | unicode | http://www.bitrecover.com | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | URLUpdateInfo | unicode | http://www.bitrecover.com | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | NoModify | dword | 1 | success or wait | 1 | 46E02C | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | NoRepair | dword | 1 | success or wait | 1 | 46E02C | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | InstallDate | unicode | 20180927 | success or wait | 1 | 46DFCC | RegSetValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitRecover MSG Converter Wizard_is1 | EstimatedSize | dword | 30301 | success or wait | 1 | 46E02C | RegSetValueExA

Analysis Process: MSGConverterWizard.exe PID: 1680 Parent PID: 3984

General

Start time: 17:08:54
Start date: 27/09/2018
Path: C:\Program Files\BitRecover\MSG Converter Wizard\MSGConverterWizard.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\BitRecover\MSG Converter Wizard\MSGConverterWizard.exe
Imagebase: 0x1070000
File size: 248096 bytes
MD5 hash: AC39D4203155F048B76C9BD26587EFDE
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

Source File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source File Path | Offset | Length | Completion | Count | Address | Symbol

Registry Activities

Source Key Path | Completion | Count | Address | Symbol

Source Key Path | Name | Type | Data | Completion | Count | Address | Symbol

Disassembly

Code Analysis
