Malware Analysis Report

2024-09-23 15:38

Sample ID: 240515-ewlbwsha68
Target: TeraBox_sl_b_1.31.0.1.exe
SHA256: 09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
Tags: qr, link, pdf
Score: 5/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral1, behavioral11, behavioral3, behavioral15, behavioral16, behavioral19, behavioral6, behavioral7, behavioral10, behavioral23, behavioral13, behavioral18, behavioral28, behavioral8, behavioral9, behavioral20, behavioral26, behavioral31, behavioral12, behavioral17, behavioral21, behavioral22, behavioral25, behavioral27, behavioral2, behavioral29, behavioral4, behavioral5, behavioral14, behavioral24, behavioral30, behavioral32 (each with the sections Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 5/10

SHA256: 09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Threat Level: Likely benign

The file TeraBox_sl_b_1.31.0.1.exe was found to be: Likely benign.

Malicious Activity Summary

Tags: qr, link, pdf

Checks computer location settings

Loads dropped DLL

HTTP links in PDF interactive object

Program crash

One or more HTTP URLs in qr code identified

Unsigned PE

Enumerates physical storage devices

One or more HTTP URLs in PDF identified

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-15 04:18

Signatures

HTTP links in PDF interactive object

Tags: pdf, link
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in PDF identified

Tags: pdf, link

One or more HTTP URLs in qr code identified

Tags: qr, link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 04:17
Reported: 2024-05-15 04:24
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\NsisInstallUI.dll

MD5 075abe6be6b717434cea2879a54c4714
SHA1 dc02581f578d22db7460352a476727ac5b2fcbb9
SHA256 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
SHA512 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63

\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

\Users\Admin\AppData\Local\Temp\nsd2E91.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/2340-20-0x0000000002A10000-0x0000000002A50000-memory.dmp

memory/2340-129-0x0000000002A10000-0x0000000002A50000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted: 2024-05-15 04:17
Reported: 2024-05-15 04:24
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2036 wrote to memory of 2760 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-15 04:17
Reported: 2024-05-15 04:24
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 232

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2024-05-15 04:17
Reported: 2024-05-15 04:24
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3064 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3064 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3064 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3064 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3064 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3064 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=1996 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2972 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2012,2335009130059581319,8706650755801169670,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=1996 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3064.0.990687617\377012412 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3064.0.990687617\377012412 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3064.1.1738951761\1786235064 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.1" -PcGuid "TBIMXV2-O_D1AB46F6AFB64BEAA6799556DED7A4A9-C_0-D_4d51303031302033202020202020202020202020-M_569FD5A164C1-V_4EAF6199" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
US 8.8.8.8:53 repository.certum.pl udp
BE 2.17.196.128:80 repository.certum.pl tcp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
N/A 127.0.0.1:49221 N/A tcp
N/A 127.0.0.1:49223 N/A tcp
N/A 127.0.0.1:49225 N/A tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp

Files

memory/2844-0-0x0000000000470000-0x0000000000471000-memory.dmp

memory/3064-16-0x000000000117A000-0x000000000117B000-memory.dmp

memory/3064-17-0x0000000001170000-0x00000000017D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

MD5 6031f9ec16728ab19be7fd50036b8f92
SHA1 c70956c5efdedc7c92c919060813aff5e2562d84
SHA256 236eff595ae3607390de5591ddfec3a81a72afd72e6251953e7b6e8bdd4de56c
SHA512 12cfc6a10ac3d39bbe01fe21fa596a1afdc56a7e2446decbb462300e0d7072017b2fa43b433b1b43d4ee0811c2433402f814be4771f9d324043d638f77251cfa

memory/3064-41-0x0000000001170000-0x00000000017D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab456B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar468B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 b7f579336fceef8e8d78eb8d510bbcee
SHA1 59e7e9bc9e1c74281be64523ec00e0776acf2cb6
SHA256 33ab69f6a80fc6c2dcd5c672cd0b0f1ef4f8ff1b0ce98006f2538cb7dec2a52f
SHA512 b1c5fd8bcda1834a136a5ef608ddfddc84e999aaed9e0be9df05df8c5ea26c400a574be32566e5e73565237410b663a87d81ccb030c9de4d5f97f9dab24829cd

memory/3064-1423-0x0000000001170000-0x00000000017D1000-memory.dmp

memory/3060-1681-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3060-1679-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3060-1677-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3060-1696-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3060-1694-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3060-1691-0x0000000000210000-0x0000000000211000-memory.dmp

memory/3060-1689-0x0000000000210000-0x0000000000211000-memory.dmp

memory/3060-1686-0x0000000000200000-0x0000000000201000-memory.dmp

memory/3060-1684-0x0000000000200000-0x0000000000201000-memory.dmp

memory/3060-1682-0x0000000000200000-0x0000000000201000-memory.dmp

memory/3060-1704-0x0000000000280000-0x0000000000281000-memory.dmp

memory/3060-1706-0x0000000000280000-0x0000000000281000-memory.dmp

memory/3060-1701-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3060-1699-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3060-1711-0x0000000000290000-0x0000000000291000-memory.dmp

memory/3060-1709-0x0000000000290000-0x0000000000291000-memory.dmp

memory/3060-1707-0x0000000000290000-0x0000000000291000-memory.dmp

memory/3060-1712-0x0000000067A70000-0x0000000068E9C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted: 2024-05-15 04:17
Reported: 2024-05-15 04:24
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{301E84A5-CB0F-45B6-9AF8-1D28F527BFE3} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4368 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4368 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4368 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4368 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4368 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2468 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2956 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4368.0.1871643396\358135047 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4368.0.1871643396\358135047 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4368.1.80606453\374032852 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.23" -PcGuid "TBIMXV2-O_34779DC314E143F9B7E79F3D1F1928A6-C_0-D_DD00013-M_F6C903454AA3-V_3E0F83B3" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2612,5309092738358713367,15680928655530808046,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3480 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 repository.certum.pl udp
JP 210.148.85.47:80 terabox.com tcp
BE 2.17.196.128:80 repository.certum.pl tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 128.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
N/A 127.0.0.1:59803 tcp
N/A 127.0.0.1:59810 tcp
N/A 127.0.0.1:59812 tcp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 182.84.110.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
CN 125.74.110.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 171.214.23.38:443 global-staticplat.cdn.bcebos.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 175.4.51.38:443 global-staticplat.cdn.bcebos.com tcp
CN 125.74.1.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.106.158.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.61.177.38:443 global-staticplat.cdn.bcebos.com tcp
CN 220.169.152.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4368-10-0x0000000000C2A000-0x0000000000C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

MD5 6b805ce6157a2da6827286ce54188e43
SHA1 6c5b45540c43d2137a2c9835f07a0fb5194e6de6
SHA256 356cf367b8d2e364d3e68e22d315fbdb9ea74ec2c36f899d28e8845a6b6ae6db
SHA512 3736cb5f41cd13052289d074cca93412d2c906cfeb2a2739bee08e08c1c8dd59b34c6eeccf4899d83d7359363503b402ac41d3e6f778812610e6775cfffdc6e8

memory/4368-34-0x0000000000C20000-0x0000000001281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/4784-83-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/4784-84-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

memory/4784-86-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

memory/4784-85-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

memory/4784-88-0x0000000003050000-0x0000000003051000-memory.dmp

memory/4784-87-0x0000000003040000-0x0000000003041000-memory.dmp

memory/4784-89-0x0000000003060000-0x0000000003061000-memory.dmp

memory/4784-90-0x0000000065660000-0x0000000066A8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 9404d8554c41b745c0fe0d60dedd2a9c
SHA1 8d305151cd002d4e2e5f10bff65e9088b8d7c0e0
SHA256 2c54e6c9475cd683a491884d624c3426b4b4fba2ffa36508496347ed8129b32c
SHA512 bf34626689f0ab61de8ad91cbca50bb140f3fca892c420bea512fa3e37d981a336609dd616750ffc8a286fe686908ba4b435a47d399cf63342d8ae896ea5b4df

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 989d81a3abfe21e5d44d4f2b35b0162c
SHA1 8b379800a56327d3ee51266241d9a839ce9524ea
SHA256 448ac0cbfbb4216615814940c7a0618ed92f9f200adc105facba1d702c9789fb
SHA512 abee490b2e07b313bb96473c6f7411000ccac782a74cbc0d4a6564d39f0dc4eb136bf4e6ba80ad86ac1698cf25defd41afec1e08d5a6fe54eb06da7dca655e27

memory/4368-135-0x0000000000C20000-0x0000000001281000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240220-en

Max time kernel

122s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2368 wrote to memory of 2792 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 2672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2956 wrote to memory of 2672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2672 -ip 2672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240508-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/5012-3-0x0000000002840000-0x0000000002841000-memory.dmp

memory/5012-7-0x0000000002870000-0x0000000002871000-memory.dmp

memory/5012-6-0x0000000074301000-0x0000000074955000-memory.dmp

memory/5012-5-0x0000000002860000-0x0000000002861000-memory.dmp

memory/5012-4-0x0000000002850000-0x0000000002851000-memory.dmp

memory/5012-1-0x0000000002800000-0x0000000002801000-memory.dmp

memory/5012-2-0x0000000002810000-0x0000000002811000-memory.dmp

memory/5012-0-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/5012-11-0x0000000073CB0000-0x00000000750DC000-memory.dmp

memory/5012-12-0x0000000073CB0000-0x00000000750DC000-memory.dmp

memory/5012-13-0x0000000073CB0000-0x00000000750DC000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20231129-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2380 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BugReport.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240508-en

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Network

N/A

Files

memory/2120-2-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2120-0-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2120-4-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2120-5-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2120-7-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2120-9-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2120-12-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2120-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2120-16-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2120-17-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2120-27-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2120-32-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2120-30-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2120-28-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2120-25-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2120-22-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2120-20-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2120-34-0x0000000071B11000-0x0000000072165000-memory.dmp

memory/2120-37-0x00000000714C0000-0x00000000728EC000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240226-en

Max time kernel

130s

Max time network

168s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 3156 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1104 wrote to memory of 3156 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1104 wrote to memory of 3156 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4792 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{10C31C82-A132-4D5C-8FAC-01467E985711} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2156 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2156 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2156 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2156 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2156 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2156 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2156 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2156 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2476 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2760 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2156.0.1467504068\1139724824 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2156.0.1467504068\1139724824 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2156.1.1307419480\1440466244 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.20" -PcGuid "TBIMXV2-O_79AD0BBDF4E149FBBD7DF4F537C39B53-C_0-D_DD00013-M_46FD0705B728-V_1243B1E5" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 100030 -unlogin

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2604,8132175135775110057,4045342937392615665,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=4656 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
US 8.8.8.8:53 repository.certum.pl udp
BE 2.17.196.99:80 repository.certum.pl tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 99.196.17.2.in-addr.arpa udp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
N/A 127.0.0.1:64154 tcp
N/A 127.0.0.1:64168 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 111.170.25.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 111.174.9.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.142.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.161.38:443 global-staticplat.cdn.bcebos.com tcp
CN 114.232.92.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.34.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.52.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 120.41.32.38:443 global-staticplat.cdn.bcebos.com tcp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.170.25.38:443 global-staticplat.cdn.bcebos.com tcp
CN 111.174.9.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.142.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.161.38:443 global-staticplat.cdn.bcebos.com tcp
CN 114.232.92.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.34.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.52.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 120.41.32.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 110.185.108.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 111.170.25.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 111.174.9.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.142.38:443 global-staticplat.cdn.bcebos.com tcp
CN 113.219.161.38:443 global-staticplat.cdn.bcebos.com tcp
CN 114.232.92.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.34.38:443 global-staticplat.cdn.bcebos.com tcp
CN 117.68.52.38:443 global-staticplat.cdn.bcebos.com tcp
CN 118.180.40.38:443 global-staticplat.cdn.bcebos.com tcp
CN 120.41.32.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

memory/2156-5-0x0000000000D1A000-0x0000000000D1B000-memory.dmp

memory/2156-24-0x0000000000D10000-0x0000000001371000-memory.dmp

memory/5104-64-0x0000000001180000-0x0000000001181000-memory.dmp

memory/5104-65-0x0000000001190000-0x0000000001191000-memory.dmp

memory/5104-66-0x0000000003670000-0x0000000003671000-memory.dmp

memory/5104-67-0x00000000036A0000-0x00000000036A1000-memory.dmp

memory/5104-68-0x00000000036B0000-0x00000000036B1000-memory.dmp

memory/5104-69-0x00000000036C0000-0x00000000036C1000-memory.dmp

memory/5104-70-0x00000000036D0000-0x00000000036D1000-memory.dmp

memory/5104-71-0x0000000064D50000-0x000000006617C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/2156-120-0x0000000000D10000-0x0000000001371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

MD5 a9ba057283169ae32e0d9b5c4168664a
SHA1 9ed7e626d8924c9cf09d81639fa5491f0188fd91
SHA256 430ee11fd3775b5be3e7160ad2d9956f9e30d8a8187f0436cdf2bf7537543ffa
SHA512 a150e0d2eda726411fd4d418ff009afe708f432d8933ad05a4aa3eec4e09d183e4d18ff49237cab79f570083436c7b8b3193251848e856aeab9f78c2ab3f2538

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe57c7a5.TMP

MD5 02629cdc11f51113350d9b5154bd1020
SHA1 55f54ab5826355d60aa7ee480130fd59c634d048
SHA256 3f7d692ddbd7748d4e1389bd47cc5c150599d61629624d8ac873a6aa06ab7bab
SHA512 a41460b58128fb11e0a43f1983619b458a8f1c1a647cbe01076b0d4596301632b1eb0ee308ee4c592caceb28bdae22278a73a7d058c518cbdfc7bddb55405c88

C:\Users\Admin\AppData\Local\Temp\TeraBox_status

MD5 bcbc0eb4c95f990b4aa4dd062b58e4f6
SHA1 35e3f9eb661573c11e84b1662ed1d9ff9be3ccf4
SHA256 79b2459c1527cdf848791f1ac48e6cf030e86236e64b674a9847e586aee3d76c
SHA512 306d803d4facfca74bcb4c30da21120ed1751290e15b75753642ad0c4a372bf59022a63083ae845e055c7718ccc041ac195c0f2a15163446e693525efe821aba

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml

MD5 c286cd40cd06c343b0a0daba4a8787ba
SHA1 971b13c25faff896033f77e0866fe21f7b26cbd5
SHA256 0af3d4862222a6b68993220e693c2501de14d6e922c3ecce1a60754462822c60
SHA512 e4ab1154ac2ece073d33277cf8d8394cec51100014589c6d997341d3553d19734b69cfc0ce9f3c87c55e34e833b7647c70a60e1972894762dba71914e38ac10b

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240221-en

Max time kernel

118s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp

Files

memory/1752-0-0x0000000000210000-0x0000000000211000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4264 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240221-en

Max time kernel

117s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240508-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20231129-en

Max time kernel

143s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390c
f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518
ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df
36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob value omitted from this copy of the report) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
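The rows above write AuthRoot\Certificates\<thumbprint>\Blob values. That key holds the roots delivered by the Windows automatic root update, and the process named in the row is the one whose certificate-chain validation triggered the fetch (the repository.certum.pl and www.microsoft.com lookups and the CryptnetUrlCache files further down fit that), so the write itself is not evidence of a rogue root being planted. What is worth checking is the blob content. It is CryptoAPI's serialized certificate format: consecutive records of DWORD property id, DWORD 1, DWORD length, then the data, all little-endian. In the first blob the 0x03 record (CERT_SHA1_HASH_PROP_ID) equals the key name 0563B863..., the SHA-1 thumbprint of the DigiCert Assured ID Root CA whose subject is visible in the DER; the 0x0b record is the UTF-16LE friendly name "DigiCert"; and the 0x20 record (CERT_CERT_PROP_ID) announces 0xbb030000 = 955 bytes while its DER header 30 82 03 b7 gives 4 + 951 = 955, so the record is internally consistent. The parser below is an added example, not part of the sandbox output: it walks that record format and cross-checks the key name, the stored SHA-1 record and the SHA-1 of the embedded certificate, because the key name is only a label and the DER in record 0x20 is what ends up trusted. The first two records of the page's blob are copied verbatim; the full certificate is too long to repeat, so the end-to-end check runs on constructed blobs whose "certificate" is a stand-in minimal DER SEQUENCE, and the tampered case is constructed as well.

```python
"""Parse and sanity-check a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example for this report, not part of the sandbox output. The Blob is
CryptoAPI's serialized certificate: consecutive records of
  DWORD propid | DWORD 1 | DWORD length | length bytes   (all little-endian)
where propid 0x20 carries the DER certificate, 0x03 its SHA-1 and 0x0b the
UTF-16LE friendly name. The key name is only a label; the DER is what is trusted.
"""
import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the records seen in the blob above.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}
AUTHROOT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"

# First two records (MD5 hash, signature hash) of the Blob under 0563B863..., copied from the report.
PAGE_BLOB_PREFIX = ("04000000010000001000000087ce0b7b2a0e4900e158719b37a89372"
                    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6")


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the record list; raise ValueError instead of silently accepting a truncated blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"record header truncated at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record {prop_id:#x} claims {length} bytes, only {len(blob) - off} left")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_cert_blob(records) -> bytes:
    """Inverse of parse_cert_blob; used here to construct test blobs."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def der_sequence_length(data: bytes):
    """Total encoded length of the DER SEQUENCE starting at data[0], or None if it is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_authroot_entry(key_path: str, blob_hex: str) -> dict:
    """Cross-check key name, stored SHA-1 record and the embedded DER against each other."""
    parts = key_path.rstrip("\\").split("\\")
    if parts[-1].lower() == "blob":
        parts.pop()
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    result = {
        "key_thumbprint": parts[-1].lower(),
        "cert_sha1": None,
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le", "replace").rstrip("\x00"),
        "props": {PROP_NAMES.get(k, f"prop_{k:#x}"): v.hex() for k, v in props.items()},
        "problems": [],
    }
    cert = props.get(0x20)
    if cert is None:
        result["problems"].append("no CERT_CERT_PROP_ID record: the entry carries no certificate")
        return result
    sha1 = hashlib.sha1(cert).hexdigest()
    result["cert_sha1"] = sha1
    if der_sequence_length(cert) != len(cert):
        result["problems"].append("CERT_CERT_PROP_ID is not exactly one DER SEQUENCE")
    if sha1 != result["key_thumbprint"]:
        result["problems"].append(f"key name {result['key_thumbprint']} != SHA-1 of embedded cert {sha1}")
    stored = props.get(0x03)
    if stored is not None and stored.hex() != sha1:
        result["problems"].append("CERT_SHA1_HASH_PROP_ID record disagrees with embedded cert")
    return result


# Constructed stand-in payloads: minimal DER SEQUENCEs, not real X.509 certificates.
FAKE_CERT = bytes.fromhex("3003020101")
FAKE_THUMB = hashlib.sha1(FAKE_CERT).hexdigest()


def demo_good_blob_hex() -> str:
    return build_cert_blob([(0x03, bytes.fromhex(FAKE_THUMB)),
                            (0x0B, "Example\0".encode("utf-16-le")),
                            (0x20, FAKE_CERT)]).hex()


def demo_tampered_blob_hex() -> str:
    # Key name and the 0x03 record still claim FAKE_THUMB, but the DER was swapped.
    return build_cert_blob([(0x03, bytes.fromhex(FAKE_THUMB)),
                            (0x20, bytes.fromhex("3003020102"))]).hex()


if __name__ == "__main__":
    print({PROP_NAMES[k]: v.hex() for k, v in parse_cert_blob(bytes.fromhex(PAGE_BLOB_PREFIX)).items()})
    for label, hx in (("good", demo_good_blob_hex()), ("tampered", demo_tampered_blob_hex())):
        r = check_authroot_entry(f"{AUTHROOT}\\{FAKE_THUMB.upper()}\\Blob", hx)
        print(label, r["friendly_name"] or "-", r["problems"] or "consistent")
```

To use it on a live row, paste the key path from the first column and the hex after "Blob =" into check_authroot_entry; an empty problems list means the thumbprint in the key name, the 0x03 record and the certificate itself all agree, which is what a root delivered by the automatic root update looks like.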

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2040 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2040 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2040 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2040 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2040 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2012 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2804 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2012 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.182839400\752029662 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.182839400\752029662 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2040.1.314454941\1824739236 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 2018c -unlogin
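The command lines above carry the details an analyst otherwise reads by hand: TeraBoxHost.exe is a plugin host that loads whatever DLL -PluginPath names (kernel.dll and module\VastPlayer\VastPlayer.dll under %TEMP%), every TeraBoxRender.exe child runs with --no-sandbox, the renderer processes add --no-v8-untrusted-code-mitigations and load a bundled pepflashplayer.dll, and AutoUpdate.exe receives its configuration URL base64-encoded: aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl decodes to https://terabox.com/autoupdate. The helper below is an added example, not part of the sandbox output; it does that reading mechanically. It splits a Windows command line with quote awareness, collects DLL paths passed as arguments (including rundll32's path,#ordinal form seen in behavioral4 and behavioral5), flags Chromium switches that turn off the sandbox or its code mitigations, and decodes base64-looking arguments, reporting only decodes that are printable text and listing the rest (such as --gpu-preferences) as opaque, with a digit-or-symbol requirement so that identifiers like CastMediaRouteProvider are not mistaken for encodings. WATCH_FLAGS is my own short list, not one from the report; the sample command lines are copied from the process list above.

```python
"""Mechanical first pass over captured Windows command lines: quote-aware split,
DLL paths loaded by argument, switches that weaken Chromium's protections, and
base64-looking arguments decoded when they yield printable text.
Added example for this report; not part of the sandbox output."""
import base64
import binascii
import re
import string

# One token is a run of unquoted chars and/or "quoted" chunks; quotes delimit, they are not content.
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

# Chromium switches that disable the sandbox or code mitigations (my own watch list, not from the report).
WATCH_FLAGS = frozenset({
    "--no-sandbox", "--disable-gpu-sandbox", "--no-v8-untrusted-code-mitigations",
    "--allow-running-insecure-content", "--ignore-certificate-errors",
})


def split_cmdline(cmdline: str) -> list[str]:
    """Split the way the child sees its argv, keeping empty "" arguments."""
    return [tok.replace('"', "") for tok in _TOKEN_RE.findall(cmdline)]


def decode_if_base64(value: str):
    """('text', str) for base64 of printable ASCII, ('binary', bytes) for other valid base64,
    None otherwise. Requires canonical length and at least one digit or +/ so that plain
    CamelCase identifiers are not reported as encodings."""
    if not _B64_RE.match(value) or len(value) % 4 or not re.search(r"[0-9+/]", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ("binary", raw)
    return ("text", text) if text and all(c in _PRINTABLE for c in text) else ("binary", raw)


def triage_cmdline(cmdline: str) -> dict:
    argv = split_cmdline(cmdline)
    report = {"image": argv[0] if argv else "", "flags": [], "dll_paths": [],
              "decoded": {}, "opaque_base64": []}
    for tok in argv[1:]:
        switch, has_value, value = tok.partition("=")
        if switch.lower() in WATCH_FLAGS:
            report["flags"].append(switch)
        candidate = value if has_value else tok
        # rundll32 takes "path.dll,#ordinal" or "path.dll,Export"; keep only the path part.
        path = candidate.split(",", 1)[0]
        if path.lower().endswith(".dll"):
            report["dll_paths"].append(path)
        decoded = decode_if_base64(candidate)
        if decoded is None:
            continue
        label = switch if has_value else tok
        kind, payload = decoded
        if kind == "text":
            report["decoded"][label] = payload
        else:
            report["opaque_base64"].append(label)
    return report


# Command lines copied from the process list above.
AUTOUPDATE_CMD = r'"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 2018c -unlogin'
HOST_CMD = r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2040.0.182839400\752029662 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.54" -PcGuid "TBIMXV2-O_DD9FA761766D4276B9F5AB67CF89CDF4-C_0-D_4d51303031302033202020202020202020202020-M_D669B05BD432-V_52BAFC99" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1'
RENDER_CMD = r'"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2004,16303634618875018909,486177198247010054,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1'

if __name__ == "__main__":
    for cmd in (AUTOUPDATE_CMD, HOST_CMD, RENDER_CMD):
        r = triage_cmdline(cmd)
        print(r["image"].rsplit("\\", 1)[-1], r["flags"], r["dll_paths"], r["decoded"], r["opaque_base64"])
```

The decoded URL is only a pointer to where the updater fetches its configuration; whether that download is authenticated is not something the command line shows, which is why the later AutoUpdate.xml file entry and the plaintext terabox.com:80 connections in the network table deserve a look alongside it.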

Network

Country Destination Domain Proto
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
US 8.8.8.8:53 www.microsoft.com udp
CN 60.188.66.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 repository.certum.pl udp
BE 2.17.196.128:80 repository.certum.pl tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
N/A 127.0.0.1:49201 tcp
N/A 127.0.0.1:49203 tcp
N/A 127.0.0.1:49205 tcp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
CN 219.151.25.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 60.188.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
CN 219.151.25.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
CN 60.188.66.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
CN 219.151.25.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 terabox.com tcp

Files

memory/2040-5-0x000000000100A000-0x000000000100B000-memory.dmp

memory/2040-6-0x0000000001000000-0x0000000001661000-memory.dmp

memory/2040-34-0x0000000001000000-0x0000000001661000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3AC4.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d638abbfc7d1bd1b8ac6d35ff3eaf843
SHA1 655a88e303187486a8069e0e28cdcdad739b4dfa
SHA256 57576ebf7fc0c563704e315e24278b3bb0062d664d8920771243b2dcaa250b82
SHA512 b9e86d4decccd9348b0946c5cc2cbcabb3d3b0ec385779e82064f13c538d408d8ad72770ac3f666ae123fcd64b1a0a5fb94ba233cba693c03d884a3e7ed8360d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d219ff3572365950f6c9cb621f89557
SHA1 7dd74e2c7d32bdaefb65b07b9fd56c4160cd3739
SHA256 bc81f2454ccb9c74729367973d65b50622508c44aa244d075d76f39c12b579cd
SHA512 935a54a48e3a98980030f176f19cc40eb48932d908044d38f44b4c53ce91823f495e800ae7d2c0b360c69d0987eeb0f31155fde2ebe454e34ec4a6f6e1378a18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 662640fc9324ca0e2d15dd212b4487b1
SHA1 172c58f557893b24a34672ca5edfcc48669dc9fe
SHA256 edead2b78501b91f576d2cefb5ec2a2034a6c341777177ea2b6edf5bc5ba780e
SHA512 786d5ef37e2c26a8650e397b0ae305a2ed4712d4bbc096858656f070147107dddb30241a068a466857a847db16ad89d715cda944d4a77213663d4523dd9c402e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8200d543030a404295105e50ff49d9d4
SHA1 190c1d88221562c143f01fb99fafeae52b3b813a
SHA256 e804ea7b9f9ab2fb040f1be0c1fda6e8ad9f1dba75926eae029aa28fba888e85
SHA512 fe39df0793cc8aa82b31a2d92ba4583ff407e30e3bbcb405dbcd385f683296bf2cba193d795c696100687cf4493680daaf3e486cca5f67de5fcc32ffb8cffe7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb34a762e7c6868d65dbbb34fc5610d7
SHA1 55cfcfe6055ede1491caac685f7605c5a9c916b1
SHA256 b3a6242b74c633fea146e2e877a75b3cd7147e8536e969d1b35bb672055084e0
SHA512 3b2a0e5bdf5dee7ee90d9af866c3e03e7fcfe592aad2560653a7e22fd929e604c0f73f715a34b5b2e8173f8fa6dccf3de8b21d7b6c3150d0bb11a5b355770106

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 b7da530d839d42c218f978a5bb66dd46
SHA1 ebf0799abff525145e58fdf5833ec0cc0c8603d9
SHA256 6857f2dd0e042ccd90864854fdae8e6d41a17be8a16b78084c7770139a245ca6
SHA512 494923b0997c1e24032c55320d62f3f0faabcca1f1d9a42b89be14d2ece9ec6788878d6e605cbb82458507aef0c4bfa878ddb5cef7e909c70b1f5e1136a4f343

memory/2040-1304-0x0000000001000000-0x0000000001661000-memory.dmp

memory/2020-1748-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/2020-1753-0x0000000068770000-0x0000000069B9C000-memory.dmp

memory/2020-1752-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/2020-1750-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/2020-1747-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/2020-1745-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/2020-1742-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/2020-1740-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/2020-1737-0x0000000000590000-0x0000000000591000-memory.dmp

memory/2020-1735-0x0000000000590000-0x0000000000591000-memory.dmp

memory/2020-1732-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2020-1730-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2020-1727-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2020-1725-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2020-1723-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2020-1722-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2020-1720-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2020-1718-0x00000000002D0000-0x00000000002D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeraBox_status

MD5 3cb13c3029092c710560ff070b985c4d
SHA1 9204cd5757b749106eed024f7ebe89256edc9b19
SHA256 a4687788375a7a6d338443037fe4bf6fb50801526a02b2e09d0725f8fc9ba3ee
SHA512 681579e8109279d09300d46b66b1a458f92ff9eddf57ea1321baa194de3f643cc3ebb29986126770204190fb0daf7e9c40cd1a3c16960aa7d74a71142976d0b7

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml

MD5 c286cd40cd06c343b0a0daba4a8787ba
SHA1 971b13c25faff896033f77e0866fe21f7b26cbd5
SHA256 0af3d4862222a6b68993220e693c2501de14d6e922c3ecce1a60754462822c60
SHA512 e4ab1154ac2ece073d33277cf8d8394cec51100014589c6d997341d3553d19734b69cfc0ce9f3c87c55e34e833b7647c70a60e1972894762dba71914e38ac10b

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240215-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\NsisInstallUI.dll

MD5 075abe6be6b717434cea2879a54c4714
SHA1 dc02581f578d22db7460352a476727ac5b2fcbb9
SHA256 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
SHA512 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63

C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsq3C7E.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/1580-17-0x0000000003A70000-0x0000000003A80000-memory.dmp

memory/1580-126-0x0000000003A70000-0x0000000003A80000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1668 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1668 wrote to memory of 4676 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win7-20231129-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 684 -ip 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Network

Country Destination Domain Proto
BE 2.17.196.137:443 www.bing.com tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-15 04:17

Reported

2024-05-15 04:24

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A