Analysis Overview
SHA256
09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
Threat Level: Likely benign
The file TeraBox_sl_b_1.31.0.1.exe was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
HTTP links in PDF interactive object
Program crash
One or more HTTP URLs in qr code identified
Unsigned PE
Enumerates physical storage devices
One or more HTTP URLs in PDF identified
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-15 04:18
Signatures
HTTP links in PDF interactive object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
One or more HTTP URLs in PDF identified
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\NsisInstallUI.dll
| MD5 | 075abe6be6b717434cea2879a54c4714 |
| SHA1 | dc02581f578d22db7460352a476727ac5b2fcbb9 |
| SHA256 | 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13 |
| SHA512 | 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63 |
\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\nsProcessW.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/2340-20-0x0000000002A10000-0x0000000002A50000-memory.dmp
memory/2340-129-0x0000000002A10000-0x0000000002A50000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2036 wrote to memory of 2760 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 232
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240221-en
Max time kernel
145s
Max time network
130s
Command Line
Signatures
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=1996 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2972 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=1996 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3064.0.990687617\377012412 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3064.0.990687617\377012412 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3064.1.1738951761\1786235064 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| BE | 2.17.196.128:80 | repository.certum.pl | tcp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| N/A | 127.0.0.1:49221 | tcp | |
| N/A | 127.0.0.1:49223 | tcp | |
| N/A | 127.0.0.1:49225 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
Files
memory/2844-0-0x0000000000470000-0x0000000000471000-memory.dmp
memory/3064-16-0x000000000117A000-0x000000000117B000-memory.dmp
memory/3064-17-0x0000000001170000-0x00000000017D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini
| MD5 | 6031f9ec16728ab19be7fd50036b8f92 |
| SHA1 | c70956c5efdedc7c92c919060813aff5e2562d84 |
| SHA256 | 236eff595ae3607390de5591ddfec3a81a72afd72e6251953e7b6e8bdd4de56c |
| SHA512 | 12cfc6a10ac3d39bbe01fe21fa596a1afdc56a7e2446decbb462300e0d7072017b2fa43b433b1b43d4ee0811c2433402f814be4771f9d324043d638f77251cfa |
memory/3064-41-0x0000000001170000-0x00000000017D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab456B.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar468B.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| MD5 | b7f579336fceef8e8d78eb8d510bbcee |
| SHA1 | 59e7e9bc9e1c74281be64523ec00e0776acf2cb6 |
| SHA256 | 33ab69f6a80fc6c2dcd5c672cd0b0f1ef4f8ff1b0ce98006f2538cb7dec2a52f |
| SHA512 | b1c5fd8bcda1834a136a5ef608ddfddc84e999aaed9e0be9df05df8c5ea26c400a574be32566e5e73565237410b663a87d81ccb030c9de4d5f97f9dab24829cd |
memory/3064-1423-0x0000000001170000-0x00000000017D1000-memory.dmp
memory/3060-1681-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3060-1679-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3060-1677-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3060-1696-0x0000000000220000-0x0000000000221000-memory.dmp
memory/3060-1694-0x0000000000220000-0x0000000000221000-memory.dmp
memory/3060-1691-0x0000000000210000-0x0000000000211000-memory.dmp
memory/3060-1689-0x0000000000210000-0x0000000000211000-memory.dmp
memory/3060-1686-0x0000000000200000-0x0000000000201000-memory.dmp
memory/3060-1684-0x0000000000200000-0x0000000000201000-memory.dmp
memory/3060-1682-0x0000000000200000-0x0000000000201000-memory.dmp
memory/3060-1704-0x0000000000280000-0x0000000000281000-memory.dmp
memory/3060-1706-0x0000000000280000-0x0000000000281000-memory.dmp
memory/3060-1701-0x0000000000270000-0x0000000000271000-memory.dmp
memory/3060-1699-0x0000000000270000-0x0000000000271000-memory.dmp
memory/3060-1711-0x0000000000290000-0x0000000000291000-memory.dmp
memory/3060-1709-0x0000000000290000-0x0000000000291000-memory.dmp
memory/3060-1707-0x0000000000290000-0x0000000000291000-memory.dmp
memory/3060-1712-0x0000000067A70000-0x0000000068E9C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{301E84A5-CB0F-45B6-9AF8-1D28F527BFE3} | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2468 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2956 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4368.0.1871643396\358135047 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4368.0.1871643396\358135047 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4368.1.80606453\374032852 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3480 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.85.148.210.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| BE | 2.17.196.128:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| N/A | 127.0.0.1:59803 | tcp | |
| N/A | 127.0.0.1:59810 | tcp | |
| N/A | 127.0.0.1:59812 | tcp | |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| CN | 182.84.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.1.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.61.177.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 220.169.152.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/4368-10-0x0000000000C2A000-0x0000000000C2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini
| MD5 | 6b805ce6157a2da6827286ce54188e43 |
| SHA1 | 6c5b45540c43d2137a2c9835f07a0fb5194e6de6 |
| SHA256 | 356cf367b8d2e364d3e68e22d315fbdb9ea74ec2c36f899d28e8845a6b6ae6db |
| SHA512 | 3736cb5f41cd13052289d074cca93412d2c906cfeb2a2739bee08e08c1c8dd59b34c6eeccf4899d83d7359363503b402ac41d3e6f778812610e6775cfffdc6e8 |
memory/4368-34-0x0000000000C20000-0x0000000001281000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/4784-83-0x0000000002A90000-0x0000000002A91000-memory.dmp
memory/4784-84-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/4784-86-0x0000000002AC0000-0x0000000002AC1000-memory.dmp
memory/4784-85-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
memory/4784-88-0x0000000003050000-0x0000000003051000-memory.dmp
memory/4784-87-0x0000000003040000-0x0000000003041000-memory.dmp
memory/4784-89-0x0000000003060000-0x0000000003061000-memory.dmp
memory/4784-90-0x0000000065660000-0x0000000066A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
| MD5 | 9404d8554c41b745c0fe0d60dedd2a9c |
| SHA1 | 8d305151cd002d4e2e5f10bff65e9088b8d7c0e0 |
| SHA256 | 2c54e6c9475cd683a491884d624c3426b4b4fba2ffa36508496347ed8129b32c |
| SHA512 | bf34626689f0ab61de8ad91cbca50bb140f3fca892c420bea512fa3e37d981a336609dd616750ffc8a286fe686908ba4b435a47d399cf63342d8ae896ea5b4df |
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
| MD5 | 989d81a3abfe21e5d44d4f2b35b0162c |
| SHA1 | 8b379800a56327d3ee51266241d9a839ce9524ea |
| SHA256 | 448ac0cbfbb4216615814940c7a0618ed92f9f200adc105facba1d702c9789fb |
| SHA512 | abee490b2e07b313bb96473c6f7411000ccac782a74cbc0d4a6564d39f0dc4eb136bf4e6ba80ad86ac1698cf25defd41afec1e08d5a6fe54eb06da7dca655e27 |
memory/4368-135-0x0000000000C20000-0x0000000001281000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240220-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2368 wrote to memory of 2792 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2956 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2956 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2672 -ip 2672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 177.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2496 wrote to memory of 5012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2496 wrote to memory of 5012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2496 wrote to memory of 5012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/5012-3-0x0000000002840000-0x0000000002841000-memory.dmp
memory/5012-7-0x0000000002870000-0x0000000002871000-memory.dmp
memory/5012-6-0x0000000074301000-0x0000000074955000-memory.dmp
memory/5012-5-0x0000000002860000-0x0000000002861000-memory.dmp
memory/5012-4-0x0000000002850000-0x0000000002851000-memory.dmp
memory/5012-1-0x0000000002800000-0x0000000002801000-memory.dmp
memory/5012-2-0x0000000002810000-0x0000000002811000-memory.dmp
memory/5012-0-0x0000000000F40000-0x0000000000F41000-memory.dmp
memory/5012-11-0x0000000073CB0000-0x00000000750DC000-memory.dmp
memory/5012-12-0x0000000073CB0000-0x00000000750DC000-memory.dmp
memory/5012-13-0x0000000073CB0000-0x00000000750DC000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe
"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20231129-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
98s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 5016 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 5016 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1724 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1724 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1812 wrote to memory of 2120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
Network
Files
memory/2120-2-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2120-0-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2120-4-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2120-5-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2120-7-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2120-9-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2120-12-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2120-14-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2120-16-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2120-17-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2120-27-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/2120-32-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/2120-30-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/2120-28-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/2120-25-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/2120-22-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/2120-20-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/2120-34-0x0000000071B11000-0x0000000072165000-memory.dmp
memory/2120-37-0x00000000714C0000-0x00000000728EC000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240226-en
Max time kernel
130s
Max time network
168s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1104 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1104 wrote to memory of 3156 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4792 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.214.170:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 170.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{10C31C82-A132-4D5C-8FAC-01467E985711} | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2476 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2760 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2156.0.1467504068\1139724824 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2156.0.1467504068\1139724824 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2156.1.1307419480\1440466244 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 100030 -unlogin
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4656 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| BE | 2.17.196.99:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.85.148.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.196.17.2.in-addr.arpa | udp |
| CN | 110.185.108.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| N/A | 127.0.0.1:64154 | tcp | |
| N/A | 127.0.0.1:64168 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 111.170.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 111.174.9.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.142.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.161.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 114.232.92.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.34.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.52.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 118.180.40.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 120.41.32.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 110.185.108.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 111.170.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 111.174.9.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.142.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.161.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 114.232.92.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.34.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.52.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 118.180.40.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 120.41.32.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| CN | 110.185.108.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 111.170.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 111.174.9.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.142.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 113.219.161.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 114.232.92.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.34.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 117.68.52.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 118.180.40.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 120.41.32.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
Files
memory/2156-5-0x0000000000D1A000-0x0000000000D1B000-memory.dmp
memory/2156-24-0x0000000000D10000-0x0000000001371000-memory.dmp
memory/5104-64-0x0000000001180000-0x0000000001181000-memory.dmp
memory/5104-65-0x0000000001190000-0x0000000001191000-memory.dmp
memory/5104-66-0x0000000003670000-0x0000000003671000-memory.dmp
memory/5104-67-0x00000000036A0000-0x00000000036A1000-memory.dmp
memory/5104-68-0x00000000036B0000-0x00000000036B1000-memory.dmp
memory/5104-69-0x00000000036C0000-0x00000000036C1000-memory.dmp
memory/5104-70-0x00000000036D0000-0x00000000036D1000-memory.dmp
memory/5104-71-0x0000000064D50000-0x000000006617C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/2156-120-0x0000000000D10000-0x0000000001371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
| MD5 | a9ba057283169ae32e0d9b5c4168664a |
| SHA1 | 9ed7e626d8924c9cf09d81639fa5491f0188fd91 |
| SHA256 | 430ee11fd3775b5be3e7160ad2d9956f9e30d8a8187f0436cdf2bf7537543ffa |
| SHA512 | a150e0d2eda726411fd4d418ff009afe708f432d8933ad05a4aa3eec4e09d183e4d18ff49237cab79f570083436c7b8b3193251848e856aeab9f78c2ab3f2538 |
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe57c7a5.TMP
| MD5 | 02629cdc11f51113350d9b5154bd1020 |
| SHA1 | 55f54ab5826355d60aa7ee480130fd59c634d048 |
| SHA256 | 3f7d692ddbd7748d4e1389bd47cc5c150599d61629624d8ac873a6aa06ab7bab |
| SHA512 | a41460b58128fb11e0a43f1983619b458a8f1c1a647cbe01076b0d4596301632b1eb0ee308ee4c592caceb28bdae22278a73a7d058c518cbdfc7bddb55405c88 |
C:\Users\Admin\AppData\Local\Temp\TeraBox_status
| MD5 | bcbc0eb4c95f990b4aa4dd062b58e4f6 |
| SHA1 | 35e3f9eb661573c11e84b1662ed1d9ff9be3ccf4 |
| SHA256 | 79b2459c1527cdf848791f1ac48e6cf030e86236e64b674a9847e586aee3d76c |
| SHA512 | 306d803d4facfca74bcb4c30da21120ed1751290e15b75753642ad0c4a372bf59022a63083ae845e055c7718ccc041ac195c0f2a15163446e693525efe821aba |
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml
| MD5 | c286cd40cd06c343b0a0daba4a8787ba |
| SHA1 | 971b13c25faff896033f77e0866fe21f7b26cbd5 |
| SHA256 | 0af3d4862222a6b68993220e693c2501de14d6e922c3ecce1a60754462822c60 |
| SHA512 | e4ab1154ac2ece073d33277cf8d8394cec51100014589c6d997341d3553d19734b69cfc0ce9f3c87c55e34e833b7647c70a60e1972894762dba71914e38ac10b |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240221-en
Max time kernel
118s
Max time network
134s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
Files
memory/1752-0-0x0000000000210000-0x0000000000211000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4264 wrote to memory of 2380 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4264 wrote to memory of 2380 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4264 wrote to memory of 2380 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240221-en
Max time kernel
117s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 1668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 1668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 1668 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240508-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
164s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20231129-en
Max time kernel
143s
Max time network
131s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2012 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2804 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2012 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.182839400\752029662 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.182839400\752029662 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2040.1.314454941\1824739236 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 2018c -unlogin
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| BE | 2.17.196.128:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| N/A | 127.0.0.1:49201 | tcp | |
| N/A | 127.0.0.1:49203 | tcp | |
| N/A | 127.0.0.1:49205 | tcp | |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 180.97.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.198.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.131.185.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 219.151.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.57.102.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.198.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.131.185.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 219.151.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.57.102.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 180.97.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.198.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 183.131.185.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 219.151.25.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.57.102.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
Files
memory/2040-5-0x000000000100A000-0x000000000100B000-memory.dmp
memory/2040-6-0x0000000001000000-0x0000000001661000-memory.dmp
memory/2040-34-0x0000000001000000-0x0000000001661000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar3AC4.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | d638abbfc7d1bd1b8ac6d35ff3eaf843 |
| SHA1 | 655a88e303187486a8069e0e28cdcdad739b4dfa |
| SHA256 | 57576ebf7fc0c563704e315e24278b3bb0062d664d8920771243b2dcaa250b82 |
| SHA512 | b9e86d4decccd9348b0946c5cc2cbcabb3d3b0ec385779e82064f13c538d408d8ad72770ac3f666ae123fcd64b1a0a5fb94ba233cba693c03d884a3e7ed8360d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8d219ff3572365950f6c9cb621f89557 |
| SHA1 | 7dd74e2c7d32bdaefb65b07b9fd56c4160cd3739 |
| SHA256 | bc81f2454ccb9c74729367973d65b50622508c44aa244d075d76f39c12b579cd |
| SHA512 | 935a54a48e3a98980030f176f19cc40eb48932d908044d38f44b4c53ce91823f495e800ae7d2c0b360c69d0987eeb0f31155fde2ebe454e34ec4a6f6e1378a18 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 662640fc9324ca0e2d15dd212b4487b1 |
| SHA1 | 172c58f557893b24a34672ca5edfcc48669dc9fe |
| SHA256 | edead2b78501b91f576d2cefb5ec2a2034a6c341777177ea2b6edf5bc5ba780e |
| SHA512 | 786d5ef37e2c26a8650e397b0ae305a2ed4712d4bbc096858656f070147107dddb30241a068a466857a847db16ad89d715cda944d4a77213663d4523dd9c402e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8200d543030a404295105e50ff49d9d4 |
| SHA1 | 190c1d88221562c143f01fb99fafeae52b3b813a |
| SHA256 | e804ea7b9f9ab2fb040f1be0c1fda6e8ad9f1dba75926eae029aa28fba888e85 |
| SHA512 | fe39df0793cc8aa82b31a2d92ba4583ff407e30e3bbcb405dbcd385f683296bf2cba193d795c696100687cf4493680daaf3e486cca5f67de5fcc32ffb8cffe7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb34a762e7c6868d65dbbb34fc5610d7 |
| SHA1 | 55cfcfe6055ede1491caac685f7605c5a9c916b1 |
| SHA256 | b3a6242b74c633fea146e2e877a75b3cd7147e8536e969d1b35bb672055084e0 |
| SHA512 | 3b2a0e5bdf5dee7ee90d9af866c3e03e7fcfe592aad2560653a7e22fd929e604c0f73f715a34b5b2e8173f8fa6dccf3de8b21d7b6c3150d0bb11a5b355770106 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| MD5 | b7da530d839d42c218f978a5bb66dd46 |
| SHA1 | ebf0799abff525145e58fdf5833ec0cc0c8603d9 |
| SHA256 | 6857f2dd0e042ccd90864854fdae8e6d41a17be8a16b78084c7770139a245ca6 |
| SHA512 | 494923b0997c1e24032c55320d62f3f0faabcca1f1d9a42b89be14d2ece9ec6788878d6e605cbb82458507aef0c4bfa878ddb5cef7e909c70b1f5e1136a4f343 |
memory/2040-1304-0x0000000001000000-0x0000000001661000-memory.dmp
memory/2020-1748-0x0000000000E20000-0x0000000000E21000-memory.dmp
memory/2020-1753-0x0000000068770000-0x0000000069B9C000-memory.dmp
memory/2020-1752-0x0000000000E20000-0x0000000000E21000-memory.dmp
memory/2020-1750-0x0000000000E20000-0x0000000000E21000-memory.dmp
memory/2020-1747-0x0000000000E10000-0x0000000000E11000-memory.dmp
memory/2020-1745-0x0000000000E10000-0x0000000000E11000-memory.dmp
memory/2020-1742-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/2020-1740-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/2020-1737-0x0000000000590000-0x0000000000591000-memory.dmp
memory/2020-1735-0x0000000000590000-0x0000000000591000-memory.dmp
memory/2020-1732-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2020-1730-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2020-1727-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2020-1725-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2020-1723-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2020-1722-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2020-1720-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2020-1718-0x00000000002D0000-0x00000000002D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox_status
| MD5 | 3cb13c3029092c710560ff070b985c4d |
| SHA1 | 9204cd5757b749106eed024f7ebe89256edc9b19 |
| SHA256 | a4687788375a7a6d338443037fe4bf6fb50801526a02b2e09d0725f8fc9ba3ee |
| SHA512 | 681579e8109279d09300d46b66b1a458f92ff9eddf57ea1321baa194de3f643cc3ebb29986126770204190fb0daf7e9c40cd1a3c16960aa7d74a71142976d0b7 |
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml
| MD5 | c286cd40cd06c343b0a0daba4a8787ba |
| SHA1 | 971b13c25faff896033f77e0866fe21f7b26cbd5 |
| SHA256 | 0af3d4862222a6b68993220e693c2501de14d6e922c3ecce1a60754462822c60 |
| SHA512 | e4ab1154ac2ece073d33277cf8d8394cec51100014589c6d997341d3553d19734b69cfc0ce9f3c87c55e34e833b7647c70a60e1972894762dba71914e38ac10b |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240215-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\NsisInstallUI.dll
| MD5 | 075abe6be6b717434cea2879a54c4714 |
| SHA1 | dc02581f578d22db7460352a476727ac5b2fcbb9 |
| SHA256 | 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13 |
| SHA512 | 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63 |
C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\nsProcessW.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/1580-17-0x0000000003A70000-0x0000000003A80000-memory.dmp
memory/1580-126-0x0000000003A70000-0x0000000003A80000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20240221-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1668 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1668 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1668 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4676 -ip 4676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1056 wrote to memory of 684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1056 wrote to memory of 684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1056 wrote to memory of 684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 684 -ip 684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe
"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-15 04:17
Reported
2024-05-15 04:24
Platform
win10v2004-20240508-en
Max time kernel
90s
Max time network
162s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.85.148.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |