Malware Analysis Report

2024-10-18 22:18

Sample ID 240331-t2y79sfe58
Target TeraBox_1.30.0.2.exe
SHA256 721582ffe4abce8f7488a3b31c4c948b8ba9f439065437c6c9bd1c950f9446b9
Tags qr, link, pdf
Score 5/10


Analysis Overview

Score 5/10

SHA256 721582ffe4abce8f7488a3b31c4c948b8ba9f439065437c6c9bd1c950f9446b9

Threat Level: Likely benign

The file TeraBox_1.30.0.2.exe was found to be: Likely benign.

Malicious Activity Summary

Tags qr, link, pdf

Checks computer location settings

HTTP links in PDF interactive object

Loads dropped DLL

One or more HTTP URLs in qr code identified

Unsigned PE

One or more HTTP URLs in PDF identified

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Modifies system certificate store

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-31 16:38

Signatures

HTTP links in PDF interactive object

Tags pdf, link
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in PDF identified

Tags pdf, link

One or more HTTP URLs in qr code identified

Tags qr, link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5424 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5424 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5424 wrote to memory of 2224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network


Files


Analysis: behavioral14

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:43

Platform

win10v2004-20240226-en

Max time kernel

119s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4892 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4892 wrote to memory of 2860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 612

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

141s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2000 wrote to memory of 3052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240319-en

Max time kernel

143s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 3160 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2696 wrote to memory of 3160 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2696 wrote to memory of 3160 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5104 --field-trial-handle=2264,i,7994609493164365963,13212734413040148104,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:43

Platform

win7-20240215-en

Max time kernel

120s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2740 wrote to memory of 1696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5756 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20231129-en

Max time kernel

145s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2556 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2556 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2556 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2988 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2024,11633460347085160391,9011658167980236210,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2056 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2556.0.807421580\114554819 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2556.0.807421580\114554819 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2556.1.420704371\487507376 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.62" -PcGuid "TBIMXV2-O_376CB45BCF2D470891199764E179DFAA-C_0-D_4d51303031302033202020202020202020202020-M_5ABF6C2465D5-V_8C4D6F22" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

Network


Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar31CF.tmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 17b5988bdae67fbad89bb5f898d5dda5
SHA1 233c11ec290223233464252c8daad86efd437ca5
SHA256 8e20ad6023910e46617a95ca23b84aed416886c6409966cb99afa51bee63a271
SHA512 2e2d96d8849a338de88b5c5e8d5986658b8f72939220391a50cc4d45f24a7ebde0f6771ccb646af3252975640413e7ab6650a37b1281ca9ed8664523eecb576d

memory/2792-97-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 fb5c1efeaad7a48f1be1e624884fb025
SHA1 11d228fe79deb203aa2f95f19b158cc0e31691ac
SHA256 e0bb5e07198bd3324f94f5109d59f5f130be468687bf7c952fd8c1e0fe7d6cd5
SHA512 2130ca5a5caad12f277447c2680550f45bdd99fb8f38b55da5d33fe2c5c58ed2d2ade4e7f81e5ce4f2cad74b355253ffe42dc72feaa1cb64fa1f6e5dd10bce7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

memory/2556-780-0x00000000002F0000-0x00000000009D5000-memory.dmp

memory/2556-853-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/2556-1719-0x0000000005C20000-0x0000000005E20000-memory.dmp

memory/2556-1720-0x0000000005C20000-0x0000000005E20000-memory.dmp

memory/320-1723-0x0000000000BE0000-0x0000000000C80000-memory.dmp

memory/320-1722-0x0000000000BE0000-0x0000000000C80000-memory.dmp

memory/320-1724-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/320-1725-0x0000000000270000-0x0000000000271000-memory.dmp

memory/320-1728-0x00000000682D0000-0x00000000696FC000-memory.dmp

memory/320-1727-0x0000000000270000-0x0000000000271000-memory.dmp

memory/320-1730-0x0000000000270000-0x0000000000271000-memory.dmp

memory/320-1731-0x0000000000280000-0x0000000000281000-memory.dmp

memory/320-1733-0x0000000000280000-0x0000000000281000-memory.dmp

memory/320-1735-0x0000000000280000-0x0000000000281000-memory.dmp

memory/320-1738-0x0000000000290000-0x0000000000291000-memory.dmp

memory/320-1740-0x0000000000290000-0x0000000000291000-memory.dmp

memory/320-1743-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/320-1745-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/320-1748-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/320-1750-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/320-1753-0x0000000000300000-0x0000000000301000-memory.dmp

memory/320-1755-0x0000000000300000-0x0000000000301000-memory.dmp

memory/320-1756-0x0000000000310000-0x0000000000311000-memory.dmp

memory/320-1758-0x0000000000310000-0x0000000000311000-memory.dmp

memory/320-1760-0x0000000000310000-0x0000000000311000-memory.dmp

memory/320-1762-0x0000000077980000-0x0000000077981000-memory.dmp

memory/1936-1869-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1936-1868-0x0000000000BE0000-0x0000000000C80000-memory.dmp

memory/320-1870-0x0000000000BE0000-0x0000000000C80000-memory.dmp

memory/320-1871-0x00000000682D0000-0x00000000696FC000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:43

Platform

win7-20240221-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

113s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.232.36.156:80 www.terabox.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 156.36.232.210.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso8D92.tmp\NsisInstallUI.dll

MD5 93a820253b303c46ca5b6ba1e9ccec8d
SHA1 e691405b2906037008aa9e21817f579bf6c122ed
SHA256 6291ca8ac49760517bc06ed1f180d98ecd98b7993b32bcf6e350aa3993a42937
SHA512 708bce83e878a2a7c3dbbd888db5916e553c641915aaa182629612e8981c77a6110390569755566490615aaf6f5b4a637f47c4e8a103a158f42284b8c3bf1c6a

\Users\Admin\AppData\Local\Temp\nso8D92.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

\Users\Admin\AppData\Local\Temp\nso8D92.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/1996-20-0x0000000002DD0000-0x0000000002E10000-memory.dmp

memory/1996-99-0x0000000002DD0000-0x0000000002E10000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

128s

Max time network

175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4980 wrote to memory of 1520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 640

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240319-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=744 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
GB 13.105.221.16:443 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{B5F1D091-D745-4F50-A93D-73E60D20A537} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = (same Blob value as the row above) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = (same Blob value as the row above) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = (same Blob value as the row above) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
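The Set value rows above write one serialized certificate-store element to the AuthRoot key named after a SHA1 thumbprint. The script below is an added example, not part of the sandbox report or of TeraBox, that parses that Blob layout: a run of elements, each a 12-byte header of three little-endian uint32 (property ID, a flags word that is 1 here, data length) followed by the data, with property 32 holding the DER certificate, 3 its SHA1 thumbprint, 98 its SHA256 hash and 11 a UTF-16LE friendly name (IDs as in wincrypt.h). It then runs the check an analyst wants on a "Modifies system certificate store" hit: the key name, the SHA1 property and the hash of the DER are all derived by CryptoAPI from the same certificate and must agree, so a hand-written blob registered under an unrelated key stands out. REPORT_BLOB_PREFIX is the page's own blob copied up to, but not including, the 959-byte certificate property, omitted here for length; on it the parser recovers the friendly name "Certum Trusted Network CA", a SHA1 property equal to the key name, and a SHA256 property equal to the hash the Files section lists for CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F (whose SHA1 is also 07e032e0...), with repository.certum.pl appearing in the network table. Whether that adds up to the sample planting a root or to Windows caching one it fetched is the analyst's call; the full DER check is exercised on constructed blobs around a stand-in payload, since the real certificate is not embedded.

```python
r"""Parse a SystemCertificates\...\Certificates\<SHA1>\Blob value and check that
its pieces agree with each other. Added example; not from the report."""
import hashlib
import struct

# Property IDs from wincrypt.h (CERT_*_PROP_ID) that occur in AuthRoot blobs
SHA1_HASH = 3            # CERT_SHA1_HASH_PROP_ID; also the registry key name
FRIENDLY_NAME = 11       # CERT_FRIENDLY_NAME_PROP_ID; UTF-16LE, NUL-terminated
CERT = 32                # CERT_CERT_PROP_ID; the DER-encoded certificate
AUTH_ROOT_SHA256 = 98    # CERT_AUTH_ROOT_SHA256_HASH_PROP_ID

def parse_blob(blob: bytes) -> dict:
    """Return {prop_id: data}. Each element is a 12-byte header of three
    little-endian uint32 (property id, flags, data length), then the data."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob; used below only to construct sample blobs."""
    out = bytearray()
    for prop_id, data in props.items():
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)

def summarize(blob: bytes) -> dict:
    """The human-readable pieces, available even without the certificate."""
    props = parse_blob(blob)
    return {
        "prop_ids": sorted(props),
        "friendly_name": props.get(FRIENDLY_NAME, b"").decode("utf-16-le").rstrip("\x00"),
        "sha1_prop": props.get(SHA1_HASH, b"").hex(),
        "sha256_prop": props.get(AUTH_ROOT_SHA256, b"").hex(),
        "has_cert": CERT in props,
    }

def check_blob(key_name: str, blob: bytes) -> dict:
    """CryptoAPI derives the key name and the SHA1/SHA256 properties from the
    DER in property 32; a blob whose values disagree was not produced that way."""
    der = parse_blob(blob).get(CERT, b"")
    sha1, sha256 = hashlib.sha1(der).hexdigest(), hashlib.sha256(der).hexdigest()
    s = summarize(blob)
    s.update({
        "der_sha1": sha1,
        "key_matches_der": key_name.lower() == sha1,
        "sha1_prop_matches_der": s["sha1_prop"] == sha1,
        "sha256_prop_matches_der": s["sha256_prop"] == sha256,
    })
    return s

# The report's Blob, copied from the signature rows above and cut just before
# property 32 (the 959-byte certificate) to keep this block short.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1"    # 15 signature hash
    "5300000001000000650000003063"                                        # 83 root program policies
    "3021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c0"
    "3021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0900000001000000540000003052"                                        # 9 enhanced key usage
    "06082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b06010505070307"
    "06082b0601050507030106082b06010505070308"
    "0b000000010000003400000043006500720074007500"                       # 11 friendly name
    "6d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000"
    "620000000100000020000000"                                            # 98 SHA256 of the cert
    "5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e"
    "1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f7"    # 20 key identifier
    "1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c203"            # 29 subject name MD5
    "03000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e"    # 3 SHA1 thumbprint
)

# Constructed samples (not real certificates): a stand-in DER payload whose
# properties are derived the way CryptoAPI derives them, and a hand-written
# blob registered under an unrelated key with a copied SHA1 property.
STAND_IN_DER = bytes.fromhex("3010020101300b06092a864886f70d010105")
GOOD_KEY = hashlib.sha1(STAND_IN_DER).hexdigest().upper()
GOOD_BLOB = build_blob({
    FRIENDLY_NAME: "Example Root CA".encode("utf-16-le") + b"\x00\x00",
    AUTH_ROOT_SHA256: hashlib.sha256(STAND_IN_DER).digest(),
    SHA1_HASH: hashlib.sha1(STAND_IN_DER).digest(),
    CERT: STAND_IN_DER,
})
PLANTED_KEY = "00" * 20
PLANTED_BLOB = build_blob({
    FRIENDLY_NAME: "Example Root CA".encode("utf-16-le") + b"\x00\x00",
    SHA1_HASH: bytes.fromhex(PLANTED_KEY),
    CERT: STAND_IN_DER,
})

if __name__ == "__main__":
    print(summarize(REPORT_BLOB_PREFIX))
    print(check_blob(GOOD_KEY, GOOD_BLOB))
    print(check_blob(PLANTED_KEY, PLANTED_BLOB))
```

To run it against a live hit, export the key with reg.exe or read the Blob value through the registry hive in the sandbox's memory dumps, feed the raw bytes to check_blob together with the key name, and compare the friendly name and hashes with what the certificate itself says once property 32 is decoded with any X.509 parser.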

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 988 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 988 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 988 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 988 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 988 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 988 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 988 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 988 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 988 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2612 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2772 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.988.0.509910715\1162017225 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.988.0.509910715\1162017225 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.988.1.1491316297\1895423684 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.30" -PcGuid "TBIMXV2-O_11764094D0CA456E9891EA4243B161D2-C_0-D_QM00013-M_4643CEF3E9DE-V_556DE958" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd a0044 -unlogin

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,4389756241652052730,15081228742835009740,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3716 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 terabox.com udp
N/A 224.0.0.251:5353 udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
JP 210.148.85.47:80 terabox.com tcp
N/A 127.0.0.1:57589 tcp
N/A 127.0.0.1:57591 tcp
N/A 127.0.0.1:57593 tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
US 8.8.8.8:53 repository.certum.pl udp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
GB 104.86.110.129:80 repository.certum.pl tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 129.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 s2.teraboxcdn.com udp
FR 90.84.164.15:443 s2.teraboxcdn.com tcp
FR 90.84.164.15:443 s2.teraboxcdn.com tcp
FR 90.84.164.15:443 s2.teraboxcdn.com tcp
FR 90.84.164.15:443 s2.teraboxcdn.com tcp
FR 90.84.164.15:443 s2.teraboxcdn.com tcp
US 8.8.8.8:53 15.164.84.90.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 sofire.bdstatic.com udp
US 8.8.8.8:53 static.line-scdn.net udp
BE 108.177.15.84:443 accounts.google.com tcp
DE 108.157.4.106:443 static.line-scdn.net tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
US 8.8.8.8:53 84.15.177.108.in-addr.arpa udp
US 8.8.8.8:53 106.4.157.108.in-addr.arpa udp
US 8.8.8.8:53 77.4.157.108.in-addr.arpa udp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 firebase.googleapis.com udp
US 8.8.8.8:53 ymg-api.terabox.com udp
NL 142.250.179.202:443 firebase.googleapis.com tcp
JP 210.154.124.151:443 ymg-api.terabox.com tcp
US 8.8.8.8:53 sofire.terabox.com udp
JP 210.148.85.32:443 sofire.terabox.com tcp
JP 210.154.124.151:443 ymg-api.terabox.com tcp
US 8.8.8.8:53 202.179.250.142.in-addr.arpa udp
JP 210.148.85.32:443 sofire.terabox.com tcp
US 8.8.8.8:53 connect.facebook.net udp
GB 157.240.221.16:443 connect.facebook.net tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 www.google.com udp
JP 210.148.85.47:443 www.terabox.com tcp
NL 142.251.39.100:443 www.google.com tcp
US 8.8.8.8:53 151.124.154.210.in-addr.arpa udp
US 8.8.8.8:53 32.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 40.36.251.142.in-addr.arpa udp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
JP 210.148.85.47:443 www.terabox.com tcp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 www.google.co.uk udp
NL 142.250.179.131:443 www.google.co.uk tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 216.239.34.36:443 region1.analytics.google.com tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
NL 142.250.27.157:443 stats.g.doubleclick.net tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.27.250.142.in-addr.arpa udp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
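The Network table mixes four kinds of row that should not all become indicators: the sandbox's own reverse lookups (the *.in-addr.arpa queries, sent to 8.8.8.8 because that is the VM's resolver, not a choice the sample made), mDNS and loopback traffic, the DNS query for a name, and the actual connection to the resolved address. What an analyst wants out of it is the set of contacted hosts with their addresses, ports and countries, the names queried but never contacted, connections with no observed resolution (here 52.142.223.178:80), and the hosts reached in cleartext on port 80 (terabox.com, www.terabox.com and repository.certum.pl, the last typically a certificate/CRL fetch). The parser below is an added example, not part of the report; its input rows are copied from the table above (a subset), and the classification rules are my own.

```python
import re
from collections import defaultdict

# Added example, not part of the sandbox report. Rows copied from the Network
# table above (a subset, same column layout: country, ip:port, [domain], proto).
NETWORK_ROWS = """
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 terabox.com udp
N/A 224.0.0.251:5353 udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
N/A 127.0.0.1:57589 tcp
US 8.8.8.8:53 repository.certum.pl udp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
GB 104.86.110.129:80 repository.certum.pl tcp
NL 52.142.223.178:80 tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
"""

# The domain column is absent on some rows, so it is optional in the pattern.
ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")
SANDBOX_RESOLVER = "8.8.8.8"  # the VM's resolver (assumption from the table)


def parse_rows(text):
    """Turn the flattened table into dicts; raise on a row we cannot read."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def classify(row):
    """Label a row by what it tells us (my own rules, not the sandbox's)."""
    dom = row["domain"]
    if dom and dom.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # sandbox reverse-resolving an IP it saw: noise
    if row["ip"] == SANDBOX_RESOLVER and row["port"] == 53:
        return "dns"             # the query; the name is the fact, not 8.8.8.8
    if row["ip"].startswith(("224.", "127.")):
        return "local"           # mDNS / loopback
    if not dom:
        return "bare-ip"         # contacted without an observed resolution
    return "contact"


def summarize(rows):
    """Contacted hosts with IPs/ports/countries, names only queried, bare IPs."""
    contacts = defaultdict(lambda: {"ips": set(), "ports": set(), "countries": set()})
    queried, bare = set(), set()
    for r in rows:
        kind = classify(r)
        if kind == "dns" and r["domain"]:
            queried.add(r["domain"])
        elif kind == "bare-ip":
            bare.add((r["ip"], r["port"]))
        elif kind == "contact":
            c = contacts[r["domain"]]
            c["ips"].add(r["ip"])
            c["ports"].add(r["port"])
            c["countries"].add(r["cc"])
    return {
        "contacts": dict(contacts),
        "queried_only": queried - set(contacts),
        "bare_ips": bare,
    }


def cleartext_hosts(rows):
    """Hosts reached over plain HTTP (port 80); worth a second look."""
    return {r["domain"] for r in rows
            if classify(r) == "contact" and r["port"] == 80}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(summarize(rows))
    print("cleartext:", sorted(cleartext_hosts(rows)))
```

Run over the full table the same way; the point of keeping bare IPs and queried-only names separate is that they need a different follow-up (passive DNS for the former, a check for blocked or failed connections for the latter) rather than a blanket blocklist entry.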

Files

memory/988-10-0x0000000000EC0000-0x00000000015A5000-memory.dmp

memory/988-29-0x0000000000EC0000-0x00000000015A5000-memory.dmp

memory/988-39-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/4528-79-0x0000000000A40000-0x0000000000AE0000-memory.dmp

memory/4528-88-0x0000000000A40000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/4528-280-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/4528-282-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/4528-283-0x00000000010F0000-0x00000000010F1000-memory.dmp

memory/4528-284-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

memory/4528-287-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

memory/4528-286-0x0000000065290000-0x00000000666BC000-memory.dmp

memory/4528-285-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

memory/4528-288-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

memory/2336-323-0x0000000000A40000-0x0000000000AE0000-memory.dmp

memory/2336-324-0x0000000000A40000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000056

MD5 cda68ffa26095220a82ae0a7eaea5f57
SHA1 e892d887688790ddd8f0594607b539fc6baa9e40
SHA256 f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb
SHA512 84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

memory/988-346-0x0000000000EC0000-0x00000000015A5000-memory.dmp

memory/988-347-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

memory/4528-348-0x0000000000A40000-0x0000000000AE0000-memory.dmp

memory/4528-349-0x0000000065290000-0x00000000666BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox_status

MD5 8274b422f3a22f678f76607b2a8a6575
SHA1 4c8b70f7a3ba120fbc70640f1bd029643f6ff7ac
SHA256 2f2a23b1837793099440d34b1b128049914586bd34ef1063a7741ae9fff8e778
SHA512 f9b45a43df7393bc95357fe244da6cc84be421e693e0183bb5371ccc1f5a4b92f1691917bc80a542587747fa6b6f6d7302573a8f55025692c97ddb8d25bc8c89

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml

MD5 50e940a33557749e8967787951b0b1f3
SHA1 5569074d7d12835f7f4a04b93f1b91b3b3da3500
SHA256 4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559
SHA512 4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

memory/2336-370-0x0000000000A40000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 0fc7e183dcc4e05b382fefee33abb6b8
SHA1 48e391c252ff3b027bb2db1f955d84d6f03ffb00
SHA256 b666525be4dd7bdc1b3df8a506e3193cb6a0745da5399c13b1f8eb29fc48f6a9
SHA512 9a0ee23144f60d7f97536da656737278cd878637b55b7b5a0a7c817c0f83ddb7e11662c901a4a58ecb0927fb9971d30086d142ebabd586a20542e5bdb7fc8b37

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 40a79941e05d1cf25727a8fc9596fc1b
SHA1 9b91e809bc27cfe4e630c4e4434b7ec4e480f382
SHA256 16649116920f2fc9bf84e700537b673a50cd324337fb94c6c5149a75558fb281
SHA512 5d4b6ac784a52f2362387267a8bce47512a25a56ffc7f2844d7a099f2819ca848a2b9b3d47cc77e7becd5c562c678d54c687a7881c7c4f53f587d81c888f5af6

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

MD5 4da8ef0b702d76e61395831e10396ba3
SHA1 40e8cfa15fe42beef0f1eaac807318172cf9548f
SHA256 c2e5b67685c4b5721fe0c6e15f7eadbd56b0bdde472072ef8951dbe249fe3d23
SHA512 03de5a740b3f7838daf94602450211f481a4d19955c3d8c850f2f94ff5246435c98b435ffe1ef239bbbaca5753e5df66f1b1a927886dbd70d5e76e84f53ad39c

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58845e.TMP

MD5 78bfcecb05ed1904edce3b60cb5c7e62
SHA1 bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256 c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA512 2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20231215-en

Max time kernel

115s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4976 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4976 wrote to memory of 3648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 3648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Network

N/A

Files

memory/2808-0-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2808-2-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2808-5-0x0000000071140000-0x000000007256C000-memory.dmp

memory/2808-6-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2808-4-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2808-8-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2808-10-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2808-13-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2808-15-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2808-17-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2808-18-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2808-21-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2808-23-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2808-33-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/2808-31-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/2808-29-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/2808-28-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2808-26-0x00000000002A0000-0x00000000002A1000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{ABFE86EA-6D42-483B-A4F7-195477BB4496} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4392 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4392 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
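The "Suspicious use of WriteProcessMemory" rows above, and the rundll32 rows in behavioral8 and behavioral9, are raised on every cross-process memory write the sandbox sees, which includes the writes a parent makes into a child it has just created; each edge therefore appears several times (once per write). In this run every target is an image that TeraBox.exe launches itself, and the -ChannelName argument on the TeraBoxHost.exe lines (terabox.4392.0...) carries that same parent PID 4392, so the rows describe process creation rather than injection into a foreign process. The system32\rundll32.exe to SysWOW64\rundll32.exe edges are the 64-bit rundll32 handing a 32-bit DLL to its 32-bit twin. The AdjustPrivilegeToken rows record privileges the process asked to enable, which in a sandbox running as Admin is not evidence they were needed or granted. The script below is an added example, not part of the report, that collapses these rows into a process tree; its input is copied from the tables above (a subset) and the rundll32 rule is my own.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the sandbox report. Rows copied from the
# Signatures tables above (a subset, same layout); nothing else is invented.
SIGNATURE_ROWS = r"""
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4392 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2768 wrote to memory of 2808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
"""

WPM = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
                 r"(?P<src_img>\S+)\s+(?P<dst_img>\S+)$")
TOKEN = re.compile(r"^Token: (?P<priv>Se\w+Privilege)\s+N/A\s+(?P<img>\S+)\s+N/A$")
# TeraBoxHost's -ChannelName embeds the launching TeraBox.exe PID.
CHANNEL = re.compile(r"-ChannelName terabox\.(?P<pid>\d+)\.")


def parse_signatures(text):
    """Collapse repeated rows: (src, dst) -> write count, pid -> image,
    image -> set of privileges it tried to enable."""
    edges, images, privs = Counter(), {}, defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        m = WPM.match(line)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            edges[(src, dst)] += 1
            images[src], images[dst] = m["src_img"], m["dst_img"]
            continue
        t = TOKEN.match(line)
        if t:
            privs[t["img"]].add(t["priv"])
    return edges, images, privs


def process_tree(edges, images):
    """parent pid -> children (pid, image, number of writes), sorted by pid."""
    tree = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        tree[src].append({"pid": dst, "image": images[dst], "writes": n})
    return dict(tree)


def parent_from_channel(cmdline):
    """Parent PID encoded in a TeraBoxHost -ChannelName value, or None."""
    m = CHANNEL.search(cmdline)
    return int(m["pid"]) if m else None


def wow64_relaunch(edges, images):
    """Edges where 64-bit rundll32 spawned its SysWOW64 twin to load a 32-bit
    DLL (my rule, not the sandbox's); these are not injection."""
    return [(s, d) for (s, d) in edges
            if images[s].lower().endswith(r"\system32\rundll32.exe")
            and images[d].lower().endswith(r"\syswow64\rundll32.exe")]


def foreign_writes(edges, images):
    """Edges left after removing the WOW64 relaunches; on this page every
    remaining target is a child the writer launched, so expect an empty
    'interesting' list once you also drop known parent->child pairs."""
    benign = set(wow64_relaunch(edges, images))
    return [e for e in edges if e not in benign]


if __name__ == "__main__":
    edges, images, privs = parse_signatures(SIGNATURE_ROWS)
    for parent, kids in process_tree(edges, images).items():
        print(images[parent], "->", [(k["pid"], k["image"].rsplit("\\", 1)[-1]) for k in kids])
    print("wow64 relaunches:", wow64_relaunch(edges, images))
    print("privileges:", {k.rsplit("\\", 1)[-1]: sorted(v) for k, v in privs.items()})
```

Feed it the full tables and compare each remaining edge against the Processes list: a write into a PID that does not correspond to a process the writer started is the one case that deserves the "suspicious" label.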

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2592 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2992 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4392.0.1622583539\948058461 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4392.0.1622583539\948058461 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4392.1.1315457311\1560588648 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.127" -PcGuid "TBIMXV2-O_1BFC62DE894E4412891C1A105917C0CC-C_0-D_QM00013-M_CE289885E65A-V_936711F3" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,4289272487516390802,5660517689875400756,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4920 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
N/A 224.0.0.251:5353 udp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 repository.certum.pl udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
GB 104.86.110.129:80 repository.certum.pl tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
N/A 127.0.0.1:58125 tcp
N/A 127.0.0.1:58151 tcp
CN 111.170.22.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 129.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 s2.teraboxcdn.com udp
FR 90.84.164.14:443 s2.teraboxcdn.com tcp
FR 90.84.164.14:443 s2.teraboxcdn.com tcp
FR 90.84.164.14:443 s2.teraboxcdn.com tcp
FR 90.84.164.14:443 s2.teraboxcdn.com tcp
FR 90.84.164.14:443 s2.teraboxcdn.com tcp
US 8.8.8.8:53 14.164.84.90.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 sofire.bdstatic.com udp
US 8.8.8.8:53 static.line-scdn.net udp
DE 108.157.4.45:443 static.line-scdn.net tcp
BE 108.177.15.84:443 accounts.google.com tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
US 8.8.8.8:53 45.4.157.108.in-addr.arpa udp
US 8.8.8.8:53 84.15.177.108.in-addr.arpa udp
US 8.8.8.8:53 firebase.googleapis.com udp
NL 142.251.39.106:443 firebase.googleapis.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 sofire.terabox.com udp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 77.4.157.108.in-addr.arpa udp
JP 210.148.85.32:443 sofire.terabox.com tcp
JP 210.148.85.32:443 sofire.terabox.com tcp
US 8.8.8.8:53 ymg-api.terabox.com udp
US 8.8.8.8:53 connect.facebook.net udp
GB 157.240.221.16:443 connect.facebook.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 32.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
NL 142.251.39.100:443 www.google.com tcp
JP 111.108.51.10:443 ymg-api.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 111.108.51.10:443 ymg-api.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 40.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 10.51.108.111.in-addr.arpa udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
CN 111.170.26.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 www.google.co.uk udp
NL 142.250.179.131:443 www.google.co.uk tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
NL 142.250.27.155:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 155.27.250.142.in-addr.arpa udp
CN 113.105.172.38:443 global-staticplat.cdn.bcebos.com tcp
CN 123.184.58.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.225.184.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.238.241.38:443 global-staticplat.cdn.bcebos.com tcp
CN 140.249.244.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.107.86.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.170.22.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
CN 111.170.26.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.105.172.38:443 global-staticplat.cdn.bcebos.com tcp
CN 123.184.58.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.225.184.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.238.241.38:443 global-staticplat.cdn.bcebos.com tcp
CN 140.249.244.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.107.86.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 111.170.22.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.170.26.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 113.105.172.38:443 global-staticplat.cdn.bcebos.com tcp
CN 123.184.58.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.225.184.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.238.241.38:443 global-staticplat.cdn.bcebos.com tcp
CN 140.249.244.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.107.86.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4392-10-0x0000000000AD0000-0x00000000011B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

MD5 3f12717aebc906157bc092b8a6d54d23
SHA1 ea83d10d3df3f2c1265042f5bae8ec69d8bb522f
SHA256 5f2c28229e5a0b634f12fb49e87509cb326da271f8d6ae6609f24f7b1f9688a3
SHA512 8d2a876b553455229811ad96337c7e0e7753b4b0da7b0f279fd3661ba5dd66521dcaf3dd0267f179d3f872af3c81b65e8dfc86dab6be62459fa65765e502254a

memory/4392-28-0x000000000AAF0000-0x000000000AAF1000-memory.dmp

memory/4392-31-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/3604-70-0x0000000000C00000-0x0000000000CA0000-memory.dmp

memory/3604-71-0x0000000000C00000-0x0000000000CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/3604-277-0x00000000014A0000-0x00000000014A1000-memory.dmp

memory/3604-278-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/3604-279-0x00000000014C0000-0x00000000014C1000-memory.dmp

memory/3604-280-0x0000000064F00000-0x000000006632C000-memory.dmp

memory/3604-281-0x0000000001890000-0x0000000001891000-memory.dmp

memory/3604-282-0x00000000018A0000-0x00000000018A1000-memory.dmp

memory/3604-283-0x0000000003360000-0x0000000003361000-memory.dmp

memory/3604-284-0x0000000003370000-0x0000000003371000-memory.dmp

memory/1216-298-0x0000000000C00000-0x0000000000CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000056

MD5 cda68ffa26095220a82ae0a7eaea5f57
SHA1 e892d887688790ddd8f0594607b539fc6baa9e40
SHA256 f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb
SHA512 84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

memory/4392-350-0x0000000000AD0000-0x00000000011B5000-memory.dmp

memory/4392-351-0x00000000048C0000-0x00000000048D0000-memory.dmp

memory/3604-352-0x0000000000C00000-0x0000000000CA0000-memory.dmp

memory/3604-354-0x0000000064F00000-0x000000006632C000-memory.dmp

memory/1216-357-0x0000000000C00000-0x0000000000CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5805b8.TMP

MD5 620ae08b49d4e1d0d111e79d3a951aa5
SHA1 776fec2c3b8c1b48f639d73f564fe3fe37b688cd
SHA256 401337f580042d8dec3c6451e2b9d7d7c470817c053fd4462c84bb281e76eb1a
SHA512 7aed0af7f02b9206b5bff5c761a063352c71e4e82bb172ea78cecdccc538fa3b90aaf4a02f4de83bec8d4b2c5e6cdfcf93c615f9ba1e89d7a95c401f23b85c74

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 b2fd1e3657286da576372b2e5a2dcb23
SHA1 7b7f8627733e4d88742b604bfbc3cf0dbcebd615
SHA256 53dd28037deb7219f0872ca77ef677570193c850f08504d29f473f4d8d3cc9ad
SHA512 566df1f251b11bde85f98c5b8efa3534553ad0b9a3100225733dc1ec07ce60f8ed0dbb518f3a637d83c25971d26406432da830c27948a0f62a31512d4b75c29c

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

MD5 91d8c03fefb04c9ce22929fe3158eeb2
SHA1 0020d50463910a9d02bfa5999c9e040d685e5a70
SHA256 a0c3d6b8d7f5853fd3f37bf39620ea70e7a68b817220ee8d0d53a6224840bc9a
SHA512 decf35dc1457b65c465aa4cc0798eead5fcad2c35e4737a2fa84098597a9c633b841a061441e6482eb1798b35f91a3a5d82cdf6e4095c871fe3bb32451523cd7

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe58726c.TMP

MD5 78bfcecb05ed1904edce3b60cb5c7e62
SHA1 bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256 c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA512 2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:43

Platform

win10v2004-20240319-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_1.30.0.2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsm7E98.tmp\NsisInstallUI.dll

MD5 93a820253b303c46ca5b6ba1e9ccec8d
SHA1 e691405b2906037008aa9e21817f579bf6c122ed
SHA256 6291ca8ac49760517bc06ed1f180d98ecd98b7993b32bcf6e350aa3993a42937
SHA512 708bce83e878a2a7c3dbbd888db5916e553c641915aaa182629612e8981c77a6110390569755566490615aaf6f5b4a637f47c4e8a103a158f42284b8c3bf1c6a

C:\Users\Admin\AppData\Local\Temp\nsm7E98.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsm7E98.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/3940-17-0x0000000003AF0000-0x0000000003B00000-memory.dmp

memory/3940-126-0x0000000003AF0000-0x0000000003B00000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240220-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4472 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

105s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BugReport.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

120s

Max time network

277s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240220-en

Max time kernel

144s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [certificate blob not reproduced in this report] C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2784 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2784 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2784 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2784 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2784 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,6816175084339473979,2898641024467457375,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2012 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,6816175084339473979,2898641024467457375,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2912 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,6816175084339473979,2898641024467457375,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,6816175084339473979,2898641024467457375,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,6816175084339473979,2898641024467457375,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2076 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2784.0.1051558144\1530927846 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.66" -PcGuid "TBIMXV2-O_5D35C2DA204C4C498B15006E83FE3D71-C_0-D_4d51303031302033202020202020202020202020-M_62A279F6AF31-V_DC7ED3BE" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2784.0.1051558144\1530927846 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.66" -PcGuid "TBIMXV2-O_5D35C2DA204C4C498B15006E83FE3D71-C_0-D_4d51303031302033202020202020202020202020-M_62A279F6AF31-V_DC7ED3BE" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2784.1.428538331\1663127011 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.66" -PcGuid "TBIMXV2-O_5D35C2DA204C4C498B15006E83FE3D71-C_0-D_4d51303031302033202020202020202020202020-M_62A279F6AF31-V_DC7ED3BE" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 40182 -unlogin

Network

Country Destination Domain Proto
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
N/A 127.0.0.1:49215 tcp
N/A 127.0.0.1:49217 tcp
N/A 127.0.0.1:49219 tcp
US 8.8.8.8:53 repository.certum.pl udp
GB 2.18.66.176:80 repository.certum.pl tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 terabox.com udp
JP 111.108.51.56:443 terabox.com tcp
JP 111.108.51.56:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.225.213.38:443 global-staticplat.cdn.bcebos.com tcp
CN 106.225.194.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 121.14.135.38:443 global-staticplat.cdn.bcebos.com tcp
CN 124.239.243.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.42.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp
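The table above mixes three kinds of rows: queries to the sandbox resolver (8.8.8.8:53, where the Domain column is the name being looked up), loopback connections with no Domain column, and the sample's real TCP endpoints, listed once per connection so the same IP:port pair repeats many times. The same layout carries the PTR-style in-addr.arpa rows in the behavioral12 and behavioral24 tables further down. The script below is an added example, not part of this report or of the TeraBox software: it buckets those rows into deduplicated indicators, decodes the base64 `-update_cfg_url` value that AutoUpdate.exe receives in the Processes listing above, and takes the `-PcGuid` value apart. Its reading of the PcGuid `D_` field as a raw ATA IDENTIFY string (16-bit words with swapped bytes), which decodes to the QEMU-style virtual disk serial QM00013, is this example's interpretation; the report itself does not say what the fields mean. The rows and command line embedded in the script are copied from the listings above, with one duplicated row kept to show the dedup.

```python
"""Indicator extraction over this report's process and network listings.

Added example, not part of the original report or of the TeraBox software. The
rows, command line and PcGuid below are copied from the behavioral8 listing;
the parsing rules and the reading of the PcGuid fields are this example's own.
"""
import base64
import ipaddress
import re
from collections import defaultdict

# Rows copied from the Network table (Country Destination Domain Proto); the
# in-addr.arpa row has the shape of the behavioral12 and behavioral24 tables.
NETWORK_ROWS = """\
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
N/A 127.0.0.1:49215 tcp
GB 2.18.66.176:80 repository.certum.pl tcp
CN 113.142.207.38:443 global-staticplat.cdn.bcebos.com tcp
JP 111.108.51.56:443 terabox.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
"""
AUTOUPDATE_CMDLINE = (  # AutoUpdate.exe line from the Processes listing
    r'"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" '
    r'-client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" '
    r'-update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 40182 -unlogin'
)
PCGUID = ("TBIMXV2-O_5D35C2DA204C4C498B15006E83FE3D71-C_0"  # TeraBoxHost.exe -PcGuid value
          "-D_4d51303031302033202020202020202020202020-M_62A279F6AF31-V_DC7ED3BE")

def parse_args(cmdline):
    """Windows command line -> (exe, {switch: value or True}); quoted tokens stay whole."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    exe, rest, args, i = tokens[0], tokens[1:], {}, 0
    while i < len(rest):
        if not rest[i].startswith("-"):          # stray positional token, skip it
            i += 1
            continue
        has_value = i + 1 < len(rest) and not rest[i + 1].startswith("-")
        args[rest[i].lstrip("-")] = rest[i + 1] if has_value else True
        i += 2 if has_value else 1
    return exe, args

def decode_b64_param(value):
    """Decode a base64 switch value, restoring stripped padding; rejects non-base64 input."""
    return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode()

def parse_pcguid(pcguid):
    """'TBIMXV2-O_x-C_0-D_hex-...' -> ('TBIMXV2', {'O': x, 'C': '0', 'D': hex, ...})."""
    prefix, _, rest = pcguid.partition("-")
    return prefix, dict(seg.partition("_")[::2] for seg in rest.split("-"))

def decode_ata_string(hexstr):
    """Undo the per-word byte swap of ATA IDENTIFY strings (assumption: D_ is one, raw)."""
    raw = bytes.fromhex(hexstr)
    swapped = b"".join(raw[i + 1:i + 2] + raw[i:i + 1] for i in range(0, len(raw), 2))
    return swapped.decode("ascii", errors="replace").strip()

def reverse_ptr_to_ip(name):
    """'183.142.211.20.in-addr.arpa' -> '20.211.142.183'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))

def parse_network(table):
    """Bucket rows into resolver queries, reverse lookups, loopback and real endpoints."""
    ioc = {"dns_queries": set(), "reverse_lookups": set(),
           "loopback": set(), "connections": defaultdict(set)}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:                      # no Domain column (loopback rows)
            (_country, dest, proto), domain = parts, ""
        else:
            continue
        ip_str, sep, port_str = dest.rpartition(":")
        if not sep:
            continue                               # header or malformed row
        ip, port = ipaddress.ip_address(ip_str), int(port_str)
        if ip.is_loopback:
            ioc["loopback"].add((str(ip), port, proto))
        elif port == 53 and proto == "udp":        # sandbox resolver, not the sample's peer
            if domain.endswith(".in-addr.arpa"):
                ioc["reverse_lookups"].add(reverse_ptr_to_ip(domain))
            else:
                ioc["dns_queries"].add(domain)
        else:
            ioc["connections"][domain].add((str(ip), port, proto))
    return ioc

if __name__ == "__main__":
    exe, args = parse_args(AUTOUPDATE_CMDLINE)
    ioc = parse_network(NETWORK_ROWS)
    print(exe, "->", decode_b64_param(args["update_cfg_url"]))
    print("disk serial:", decode_ata_string(parse_pcguid(PCGUID)[1]["D"]))
    for domain, endpoints in sorted(ioc["connections"].items()):
        print(domain or "<no domain>", sorted(endpoints))
```

Run against the rows above, the update-config value decodes to https://terabox.com/autoupdate, whose host is the same terabox.com that appears in both the resolver queries and the 443/80 connections, so the update channel is consistent with the observed traffic rather than a separate endpoint. Two caveats when reading the table: the repository.certum.pl:80 hit, taken together with the CryptnetUrlCache entries under Files, is what CryptoAPI fetching certificate-chain or revocation data over HTTP looks like (this reading is the editor's, not the report's), and the 8.8.8.8:53 rows are the sandbox's own resolver, so they belong in a watchlist of names, not of IPs. The plaintext port-80 connections to terabox.com and www.terabox.com sit next to `-DiskApiHttps 0 -StatisticHttps 0` on the TeraBoxHost.exe command lines; the report does not establish that the two are related, but both are worth noting when assessing what this client sends unencrypted.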

Files

memory/2784-10-0x0000000000980000-0x0000000001065000-memory.dmp

memory/2784-13-0x0000000000410000-0x0000000000411000-memory.dmp

memory/2784-23-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/2784-24-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

memory/2168-31-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab33DE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar34EF.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 1c3a89dd0bb8e119cf3f65cef5dde403
SHA1 2c429665535df69f04e9ed0319052dcd92d284b8
SHA256 fdb8e7493ded472d9545a044c9fae3b9d9961d4de1e15c29be6af4293da8f3e0
SHA512 2e664df5fdb536d083d224378eacbba1a94862618778f16edc00422109c93a910677b9fd08b2b07e5406ea44e22a00a4ba60db632e3cd742f231811a72fd9735

memory/2784-719-0x0000000000980000-0x0000000001065000-memory.dmp

memory/2784-898-0x0000000000410000-0x0000000000411000-memory.dmp

memory/2784-1103-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/2784-1504-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

memory/1696-1714-0x0000000001300000-0x00000000013A0000-memory.dmp

memory/1696-1716-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1696-1715-0x0000000001300000-0x00000000013A0000-memory.dmp

memory/2784-1717-0x0000000005BE0000-0x0000000005DE0000-memory.dmp

memory/2784-1718-0x0000000005BE0000-0x0000000005DE0000-memory.dmp

memory/1696-1719-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1696-1721-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1696-1723-0x00000000686D0000-0x0000000069AFC000-memory.dmp

memory/1696-1726-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1696-1727-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1696-1729-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1696-1731-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1696-1736-0x0000000000530000-0x0000000000531000-memory.dmp

memory/1696-1734-0x0000000000530000-0x0000000000531000-memory.dmp

memory/1696-1739-0x0000000000540000-0x0000000000541000-memory.dmp

memory/1696-1741-0x0000000000540000-0x0000000000541000-memory.dmp

memory/1696-1744-0x0000000000550000-0x0000000000551000-memory.dmp

memory/1696-1746-0x0000000000550000-0x0000000000551000-memory.dmp

memory/1696-1749-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1696-1751-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1696-1752-0x0000000000570000-0x0000000000571000-memory.dmp

memory/1696-1754-0x0000000000570000-0x0000000000571000-memory.dmp

memory/1696-1756-0x0000000000570000-0x0000000000571000-memory.dmp

memory/1696-1758-0x0000000077D80000-0x0000000077D81000-memory.dmp

memory/692-1861-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/692-1858-0x0000000001300000-0x00000000013A0000-memory.dmp

memory/1696-1872-0x0000000001300000-0x00000000013A0000-memory.dmp

memory/1696-1873-0x00000000686D0000-0x0000000069AFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox_status

MD5 2e98d2a75c1324f831b3982b310782ac
SHA1 48b52810d933c27052d509dc5dd67d25b4d45165
SHA256 64a5d6b7d6bb0b5de5cdc7f32df1cdefdad082d1d33fd683e2ffb6d09fb083e9
SHA512 3d8362a3e6425a9ea74f1cb17a4872b1b1348bba60e505c373763eb2b172563eeeeb93b7e5da56f70c2063d11fd54e7cafe655d66f75382ba086b77b6ee87ae4

memory/908-1876-0x00000000004C0000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml

MD5 50e940a33557749e8967787951b0b1f3
SHA1 5569074d7d12835f7f4a04b93f1b91b3b3da3500
SHA256 4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559
SHA512 4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

120s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp

Files

memory/2492-0-0x0000000000170000-0x0000000000171000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240215-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 232

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win7-20240221-en

Max time kernel

120s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 228

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 2908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4924 wrote to memory of 2908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4924 wrote to memory of 2908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-31 16:33

Reported

2024-03-31 16:44

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A