Malware analysis ToolBox4911mf18WinEN.exe Malicious activity

Add for printing

download:	ToolBox4911mf18WinEN.exe
Full analysis:	https://app.any.run/tasks/a6ce723b-9a56-4f46-82ce-e3fc191e3b62
Verdict:	Malicious activity
Analysis date:	July 03, 2019, 09:57:59
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	08ED71AB18A68D1361E9C5DBE63753F9
SHA1:	815CA6A64EB407D47C752D4C1688A0C5C1007D62
SHA256:	D4C4C8BEE96308A5F572CB46061C97CE2DCA5209ABC569B81241C36DC4FBE37F
SSDEEP:	196608:4RWvyfM8FpIXtWnzq59UuC+aXvCXQdrKgl71:EmKMDQzI9TCX6YlJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - MFTBOX.exe (PID: 2548)
  - MfTBox.exe (PID: 1484)
  - Setup.exe (PID: 852)
  - explorer.exe (PID: 2036)
- Application was dropped or rewritten from another process
  - MFTBOX.exe (PID: 2548)
  - Setup.exe (PID: 852)
  - MfTBox.exe (PID: 1484)
  - TBOXCFG.EXE (PID: 672)
SUSPICIOUS
- Executable content was dropped or overwritten
  - ToolBox4911mf18WinEN.exe (PID: 2136)
  - Setup.exe (PID: 852)
- Creates a software uninstall entry
  - Setup.exe (PID: 852)
- Searches for installed software
  - Setup.exe (PID: 852)
- Creates files in the program directory
  - Setup.exe (PID: 852)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (32.1)
.exe	\|	Win64 Executable (generic) (28.5)
.exe	\|	Winzip Win32 self-extracting archive (generic) (23.7)
.dll	\|	Win32 Dynamic Link Library (generic) (6.7)
.exe	\|	Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:11:02 21:23:17+01:00
PEType:	PE32
LinkerVersion:	8
CodeSize:	151552
InitializedDataSize:	77824
UninitializedDataSize:	-
EntryPoint:	0x14bdf
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	02-Nov-2009 20:23:17
Detected languages:	English - United States

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	02-Nov-2009 20:23:17
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0002435E	0x00025000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.59849
.rdata	0x00026000	0x00006B64	0x00007000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.66798
.data	0x0002D000	0x0001069C	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.04482
.rsrc	0x0003E000	0x00009CBC	0x0000A000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.53018
_winzip_	0x00048000	0x0093E000	0x0093E000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	7.99965

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.04402	1503	Latin 1 / Western European	English - United States	RT_MANIFEST
2	4.03621	744	Latin 1 / Western European	English - United States	RT_ICON
3	3.14459	296	Latin 1 / Western European	English - United States	RT_ICON
4	5.56342	3752	Latin 1 / Western European	English - United States	RT_ICON
5	5.99214	2216	Latin 1 / Western European	English - United States	RT_ICON
6	3.69605	1384	Latin 1 / Western European	English - United States	RT_ICON
7	5.83382	9640	Latin 1 / Western European	English - United States	RT_ICON
8	6.01045	4264	Latin 1 / Western European	English - United States	RT_ICON
9	4.68735	1128	Latin 1 / Western European	English - United States	RT_ICON
63	3.18826	764	Latin 1 / Western European	English - United States	RT_STRING

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

672

"C:\Program Files\Canon\MF Toolbox Ver4.9\TBOXCFG.EXE" /Q /F "C:\Program Files\Canon\MF Toolbox Ver4.9\TBOXCFG.ini"

C:\Program Files\Canon\MF Toolbox Ver4.9\TBOXCFG.EXE

—

Setup.exe

User:

admin

Company:

CANON INC.

Integrity Level:

HIGH

Description:

MF Toolbox Config Tool

Exit code:

Version:

4.9.1.1.mf18

Modules

Images
c:\program files\canon\mf toolbox ver4.9\tboxcfg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

852

"C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup.exe"

C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup.exe

ToolBox4911mf18WinEN.exe

User:

admin

Company:

CANON INC.

Integrity Level:

HIGH

Description:

Toolbox Installer

Exit code:

Version:

3.0.11.0

Modules

Images
c:\users\admin\appdata\local\temp\toolbox4911mf18winen\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1100

"C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN.exe"

C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\toolbox4911mf18winen.exe
c:\systemroot\system32\ntdll.dll

1484

"C:\Program Files\Canon\MF Toolbox Ver4.9\MfTBox.exe" --reg-toolbox

C:\Program Files\Canon\MF Toolbox Ver4.9\MfTBox.exe

Setup.exe

User:

admin

Company:

CANON INC.

Integrity Level:

HIGH

Description:

MF Toolbox Application

Exit code:

Version:

4.9.1.1.mf18

Modules

Images
c:\program files\canon\mf toolbox ver4.9\mftbox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\canon\mf toolbox ver4.9\cnpapgmg.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\canon\mf toolbox ver4.9\pafcv2.dll

2036

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

2136

"C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN.exe"

C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\toolbox4911mf18winen.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2548

"C:\Program Files\Canon\MF Toolbox Ver4.9\MFTBOX.exe"

C:\Program Files\Canon\MF Toolbox Ver4.9\MFTBOX.exe

—

explorer.exe

User:

admin

Company:

CANON INC.

Integrity Level:

MEDIUM

Description:

MF Toolbox Application

Exit code:

Version:

4.9.1.1.mf18

Modules

Images
c:\program files\canon\mf toolbox ver4.9\mftbox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\canon\mf toolbox ver4.9\cnpapgmg.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\canon\mf toolbox ver4.9\pafcv2.dll

Add for printing

Total events

3 047

Read events

1 445

Write events

1 597

Delete events

Modification events


(PID) Process:	(2136) ToolBox4911mf18WinEN.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2136) ToolBox4911mf18WinEN.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2036) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	P:\Hfref\nqzva\NccQngn\Ybpny\Grzc\GbbyObk4911zs18JvaRA.rkr
Value: 00000000000000000000000081020000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:	(2036) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:	write	Name:	HRZR_PGYFRFFVBA
Value: 00000000050000000300000003D0000003000000020000008F8F00004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000002402000000003CE8240201000000000000000000EA7510E82402FCE524025E7C63773CE82402787C6377030000008A018C012C6DD4022CE62402F77C63770100000010E82402847C63777CE6240270E6240288E6240200000000000000000000000078E6240210E82402000000000000000000000000B0E72402B0E7240200000000010000003CE82402B0E72402B2FE6377F270637785FC6377838C4F759A7C62772C6DD402A27E6277F4E7240218000000CCF92402006F62770000000000000000DCE724023C003E003CE82402C34EE5007CE6240200000000D846230000002402D8E62402C4E9240200000088C8000000C8000000C8000000C8000000F20103000000000000000769D8914D030106004000000000B0E92402105307697FEBE4752000000011000000B8452400B045240000000000C4E924020000000064E700001F3C892414E724028291097664E7240218E72402279509760000000024CDDE0240E72402CD94097624CDDE02ECE7240298C8DE02E19409760000000098C8DE02ECE7240248E7240203000000020000008F8F00004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000002402000000003CE8240201000000000000000000EA7510E82402FCE524025E7C63773CE82402787C6377030000008A018C012C6DD4022CE62402F77C63770100000010E82402847C63777CE6240270E6240288E6240200000000000000000000000078E6240210E82402000000000000000000000000B0E72402B0E7240200000000010000003CE82402B0E72402B2FE6377F270637785FC6377838C4F759A7C62772C6DD402A27E6277F4E7240218000000CCF92402006F62770000000000000000DCE724023C003E003CE82402C34EE5007CE6240200000000D846230000002402D8E62402C4E9240200000088C8000000C8000000C8000000C8000000F20103000000000000000769D8914D030106004000000000B0E92402105307697FEBE4752000000011000000B8452400B045240000000000C4E924020000000064E700001F3C892414E724028291097664E7240218E72402279509760000000024CDDE0240E72402CD94097624CDDE02ECE7240298C8DE02E19409760000000098C8DE02ECE7240248E7240203000000020000008F8F00004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000002402000000003CE8240201000000000000000000EA7510E82402FCE524025E7C63773CE82402787C6377030000008A018C012C6DD4022CE62402F77C63770100000010E82402847C63777CE6240270E6240288E6240200000000000000000000000078E6240210E82402000000000000000000000000B0E72402B0E7240200000000010000003CE82402B0E72402B2FE6377F270637785FC6377838C4F759A7C62772C6DD402A27E6277F4E7240218000000CCF92402006F62770000000000000000DCE724023C003E003CE82402C34EE5007CE6240200000000D846230000002402D8E62402C4E9240200000088C8000000C8000000C8000000C8000000F20103000000000000000769D8914D030106004000000000B0E92402105307697FEBE4752000000011000000B8452400B045240000000000C4E924020000000064E700001F3C892414E724028291097664E7240218E72402279509760000000024CDDE0240E72402CD94097624CDDE02ECE7240298C8DE02E19409760000000098C8DE02ECE7240248E72402
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	DisableMultiScan
Value: 1
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	EnableBlackText
Value: 0
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	PushButton1Func
Value: SCAN
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	FeederMaxRes
Value: 300
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	GrayMaxRes
Value: 600
(PID) Process:	(852) Setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Canon\SateraMFP1\Toolbox Ver4.9\Devices\Canon MF5630
Operation:	write	Name:	FeederMinWidth
Value: 1480

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup\data2.cab		—
		MD5:—	SHA256:—
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup\TBOXCFG.EXE		executable
		MD5:BCFF0978E7A5155CC52030E589FDC2F7	SHA256:174387BBF709E0288A633120923749639517A96442C37C6B6098E2359B56A01C
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup\TBOXCFG.ini		ini
		MD5:74DD8186C5D66983938D3F607A0C594B	SHA256:F0B0EE9E9FAB368C572610F5889F9FF3A071348B82B3384A216F4B424C87E1C2
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\License.txt		text
		MD5:B32878C2C9499C1F63400BBE87363A9F	SHA256:C1E35538AA0FE88ED2579386148AB5E219A708A9F5B802400AB0BB70DC9344E0
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup.exe		executable
		MD5:7B77F5DF8C0D8EC6D4E7AAC9725FE254	SHA256:442CAA7A5A9C40E2D8D7312C966A3B602C3B6E6D5DB4A88A8AD532AEE60C17E9
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\TBReg.ini		text
		MD5:CA189AFED30F2CB87CC408B63079C00F	SHA256:96648CECA4C4A9D7EABDAC10F7B7C26CC734524AFC9D8D15506A19CE90624B73
852	Setup.exe	C:\Program Files\Canon\MF Toolbox Ver4.9\MFTBOX.exe		executable
		MD5:2E1BFE01DFB211E32A2181CD55584CB5	SHA256:011FBDD4347074EF90D207D582B693AE4DE8E9A52665CCF73FDCF28991E93542
852	Setup.exe	C:\Program Files\Canon\MF Toolbox Ver4.9\MFTBOX.ini		text
		MD5:D162C2AAEDF2AAD7629FB37AFCFA95D9	SHA256:7AAFBA841AE85679037BBD113870B63A8F4E3B44CFC55385DD1040E56F3F3F9C
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\Setup.ini		text
		MD5:9459B50B5C367B7CBE34112E8366C7F6	SHA256:0393590D3065B32B7CC377B66EB08E5A5C12234B59498FF021967D2ADCEDF197
2136	ToolBox4911mf18WinEN.exe	C:\Users\admin\AppData\Local\Temp\ToolBox4911mf18WinEN\TBIstRes.dll		executable
		MD5:953A8692FB5C250039DC9E29A4327C00	SHA256:4EE33B574579855753E55DDC92140F9EF1FABA7F0B86918C5A4E63CC8A5C5781

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

Process	Message
Setup.exe	------- Install START -------
Setup.exe	--- Copy File START ---
Setup.exe	--- Copy File END ---
Setup.exe	--- Make Shortcut START ---
Setup.exe	--- Make Shortcut END ---
Setup.exe	--- Set Registry START ---
Setup.exe	--- Set Registry END ---
Setup.exe	--- Set Toolbox Data START ---
Setup.exe	--- Set Toolbox Data END ---
Setup.exe	------- Install END -------

General Info

ToolBox4911mf18WinEN.exe

08ED71AB18A68D1361E9C5DBE63753F9

815CA6A64EB407D47C752D4C1688A0C5C1007D62

D4C4C8BEE96308A5F572CB46061C97CE2DCA5209ABC569B81241C36DC4FBE37F

196608:4RWvyfM8FpIXtWnzq59UuC+aXvCXQdrKgl71:EmKMDQzI9TCX6YlJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates a software uninstall entry

Searches for installed software

Creates files in the program directory

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings