Analysis Overview
SHA256
09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
Threat Level: Known bad
The file TeraBox_sl_b_1.31.0.1.exe was found to be: Known bad.
Malicious Activity Summary
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Checks installed software on the system
Modifies system executable filetype association
Executes dropped EXE
HTTP links in PDF interactive object
Loads dropped DLL
Program crash
One or more HTTP URLs in qr code identified
Unsigned PE
One or more HTTP URLs in PDF identified
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 20:27
Signatures
HTTP links in PDF interactive object
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
One or more HTTP URLs in PDF identified
One or more HTTP URLs in qr code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240220-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 232
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 224
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{D3FB7F77-3B77-44C4-9EAE-FA87CEFEB645} | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2504 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3852.1.1257223808\60635573 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3916 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 23.53.113.159:80 | tcp | |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| N/A | 127.0.0.1:51660 | tcp | |
| N/A | 127.0.0.1:51662 | tcp | |
| N/A | 127.0.0.1:51664 | tcp | |
| US | 8.8.8.8:53 | nephobox.com | udp |
| US | 8.8.8.8:443 | tcp | |
| US | 8.8.8.8:443 | tcp | |
| N/A | 127.0.0.1:51690 | tcp | |
| N/A | 127.0.0.1:51692 | tcp | |
| N/A | 127.0.0.1:51695 | tcp | |
| N/A | 127.0.0.1:51736 | tcp | |
| N/A | 127.0.0.1:51738 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
Files
memory/3852-8-0x0000000000C2A000-0x0000000000C2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini
| MD5 | 72b65264d8979d98bd19cc98c7dd5c30 |
| SHA1 | 3be7106007fa698dcf8b62bcd17d25a5702ab958 |
| SHA256 | b022346d5511f83bcde7ead672a0ec6b5ca5df3a3eed9a9ac3803257b44ea893 |
| SHA512 | e14136fcf9806ae2e13c76d7ae4e89f7387d5b09310783b306d42e244271ad15e1cd8a8b8c2b55a73babbad8477b994574b85792244622d220f1e03c8d6c4461 |
memory/3852-28-0x0000000000C20000-0x0000000001281000-memory.dmp
memory/1516-54-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/1516-55-0x0000000001270000-0x0000000001271000-memory.dmp
memory/1516-56-0x0000000001280000-0x0000000001281000-memory.dmp
memory/1516-57-0x0000000003190000-0x0000000003191000-memory.dmp
memory/1516-58-0x00000000031A0000-0x00000000031A1000-memory.dmp
memory/1516-59-0x00000000032C0000-0x00000000032C1000-memory.dmp
memory/1516-60-0x00000000032D0000-0x00000000032D1000-memory.dmp
memory/1516-61-0x00000000657B0000-0x0000000066BDC000-memory.dmp
memory/3852-91-0x0000000000C20000-0x0000000001281000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
90s
Max time network
159s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2964 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2964 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2964 wrote to memory of 3480 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240508-en
Max time kernel
120s
Max time network
135s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
Files
memory/2000-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
145s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2040 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2180 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1932.1.611277149\88016828 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.232.36.156:443 | terabox.com | tcp |
| JP | 210.232.36.156:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 23.62.61.145:80 | repository.certum.pl | tcp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| N/A | 127.0.0.1:49287 | tcp | |
| N/A | 127.0.0.1:49289 | tcp | |
| N/A | 127.0.0.1:49291 | tcp | |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 36.99.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.71.157.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.193.146.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.222.20.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.194.253.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 27.221.77.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 36.99.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.71.157.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.193.146.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.222.20.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.194.253.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 27.221.77.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 60.188.66.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 36.99.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.56.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.71.157.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.193.146.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 58.222.20.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.101.4.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 1.194.253.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 27.221.77.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 42.81.98.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
Files
memory/1244-0-0x0000000000370000-0x0000000000371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2B56.tmp
| MD5 | 2d3dcf90f6c99f47e7593ea250c9e749 |
| SHA1 | 51be82be4a272669983313565b4940d4b1385237 |
| SHA256 | 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4 |
| SHA512 | 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5 |
memory/1932-46-0x000000000105A000-0x000000000105B000-memory.dmp
memory/1932-47-0x0000000001050000-0x00000000016B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini
| MD5 | 718e0118cbf9724812a82f0f790a6821 |
| SHA1 | bd2e9f045255c3805349aed979b2e57ee340340c |
| SHA256 | 0b3d0c699349b77605b4cf8f0641fd517eeeda73b721e5a57b75eb54d271de7a |
| SHA512 | e0da1d77d94afb258402ab04ff0478322f51b7736abc662783ca7841432920ef91326620932725dc5923547a112abbbe58ae6cbe8dcf4086e0add28bf5f219ae |
memory/1932-66-0x0000000001050000-0x00000000016B1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88d5656f316cc8d64011d101924abcba |
| SHA1 | 1175e853790bfe6406f9905b471f488be2738a72 |
| SHA256 | 4e4b1dc183b156e84f0b769408788d08b45ef9ded4ed461a9c43b4669c4943c3 |
| SHA512 | b815a68500e39b343f5377994dd27963515a394e9663688ce904e6a8023cb1b838feb0ca08131f118b5f05b7c6c388f0565d8bba1aba267a84896e73e70b343c |
C:\Users\Admin\AppData\Local\Temp\Tar3AEF.tmp
| MD5 | 7186ad693b8ad9444401bd9bcd2217c2 |
| SHA1 | 5c28ca10a650f6026b0df4737078fa4197f3bac1 |
| SHA256 | 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed |
| SHA512 | 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| MD5 | 30d17002ebac0bc81c334d87e78701c3 |
| SHA1 | a2660ec8742ab940e7e705facf8755e5d27cc448 |
| SHA256 | 339dbe16c9f733f045d704eca04a4f43c267b15b4d0504e37fc2a99ecea41387 |
| SHA512 | 119bcca827ea93cb8fed73d74d9d0bd1e0e1090f082869ad2cf4a19e1cb50755f57ba737f49213a74c7c727a1830cad351e054a5ce7f6f6bf13c4d1a18286287 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
memory/1932-1205-0x0000000001050000-0x00000000016B1000-memory.dmp
memory/2044-1402-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2044-1404-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2044-1406-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2044-1407-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2044-1409-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2044-1411-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2044-1414-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2044-1416-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2044-1419-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2044-1421-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2044-1424-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2044-1426-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2044-1429-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2044-1431-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2044-1432-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2044-1436-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2044-1434-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2044-1437-0x0000000068790000-0x0000000069BBC000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20231129-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe
"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
119s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe
"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5068 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5068 wrote to memory of 2776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe
"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240508-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Zloader, Terdot, DELoader, ZeusSphinx
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version\ = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1968 /prefetch:2
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2584 /prefetch:8
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1968 /prefetch:2
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 50180 -unlogin
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| N/A | 127.0.0.1:49446 | tcp | |
| N/A | 127.0.0.1:49448 | tcp | |
| N/A | 127.0.0.1:49450 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | nephobox.com | udp |
| N/A | 127.0.0.1:49490 | tcp | |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| N/A | 127.0.0.1:49492 | tcp | |
| N/A | 127.0.0.1:49494 | tcp | |
| US | 8.8.8.8:443 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:443 | tcp | |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| US | 8.8.8.8:53 | nephobox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:443 | tcp | |
| N/A | 127.0.0.1:49519 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:443 | tcp | |
| N/A | 127.0.0.1:49522 | tcp | |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nst2B95.tmp\NsisInstallUI.dll
| MD5 | 075abe6be6b717434cea2879a54c4714 |
| SHA1 | dc02581f578d22db7460352a476727ac5b2fcbb9 |
| SHA256 | 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13 |
| SHA512 | 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63 |
\Users\Admin\AppData\Local\Temp\nst2B95.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nst2B95.tmp\nsProcessW.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/836-20-0x0000000002880000-0x00000000028C0000-memory.dmp
memory/836-129-0x0000000002880000-0x00000000028C0000-memory.dmp
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
| MD5 | 7ab6073a5c400a5071bfa4ef2d936425 |
| SHA1 | f794ea18eced4330979972da2a4bfa33c03afa2f |
| SHA256 | 7774449e13c24d2b0b69114d9ba044e80dc8378fa3dfb5d17a142d5cb4cde8af |
| SHA512 | 4371b6b49df43dab4abf90a71819276f30dca823c93335edd5513a67a646c97ef575b2ede650ceb2f0f168af13431254530e9bffc3db0f5b0eada1492c3cab73 |
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
| MD5 | b9ee83666245d8de4f0709b03eac1ad3 |
| SHA1 | 38eaee6757499aaf4e8869837a767708392e225e |
| SHA256 | ce10dfac95461981072738c92ccf8b01599b5ddde2b0a21d18506d3528c83fda |
| SHA512 | d970c2a52dfde330bd32bc6718d194b90f8bc3131d9d7905e0f438483f3030bf64dfc69091562f467cc6ea34357513614671db94d2b664208016c3c11b77f08b |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 4296cf3a7180e10aaf6147f4aecd24e4 |
| SHA1 | f81e09af979a1146774d554783d1a22a03a61393 |
| SHA256 | 147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc |
| SHA512 | 60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648 |
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
| MD5 | 216a2dd23f95bdd63cd88a50eb7e69bd |
| SHA1 | 9c63635c26e276179f8dba9e02079bb3170b0321 |
| SHA256 | 63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada |
| SHA512 | 390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0 |
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
| MD5 | b5ac5913784d34c843677547edd5c578 |
| SHA1 | ed2a4e165ad8b65b1699aaf048654142a66943c6 |
| SHA256 | 3267244255376bfaf68e75ad38468ba3ca0bbb49fe260f6e05611148d5cee3c9 |
| SHA512 | 28a29ff02d7ce6d6a74b4938a1a1388c4ad6b36600bc9e7664edf14eb8a89aee49c107c46e13aee0194a38ec506cd86094952ce9327d724a98541871ff58d6db |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | a0a883e26be6800508162e2a898148d9 |
| SHA1 | 4f79892e7766cb7831211864978575598c86a11b |
| SHA256 | 9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90 |
| SHA512 | 70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3 |
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
| MD5 | 7e489e7300d3177f64db31665a2079e0 |
| SHA1 | 50b20f0b4e5bb5b35e68dd90a5c465dffd30260e |
| SHA256 | 7a426359908ae2b6ca1bc8a2773269a48126c2db23c171bc56a3456da4f0016c |
| SHA512 | 0b3b34c0e5e095dfd77d801cd7e85e0431da23bf1c943aacb855a40f5a0d9439d7667718abe654eac17ed474b3c9eb644b90cc8cc215c9adc99b12e29b7907d3 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 6a3d5701446f6635faff87014a836eee |
| SHA1 | 7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b |
| SHA256 | 16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466 |
| SHA512 | 839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 4ec243792d382305db59dc78b72d0a1e |
| SHA1 | 63b7285646c72ee640d34cdc200bfc5863db3563 |
| SHA256 | 56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756 |
| SHA512 | 88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
| MD5 | a440776e10098f3a8ef1c5eaca72958e |
| SHA1 | 7b8662714f6e44fb29a4224a038e4127964003e9 |
| SHA256 | 40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316 |
| SHA512 | b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 169e20a74258b182d2cdc76f1ae77fc5 |
| SHA1 | fce3f718e6de505ac910cb7333a03a2c6544f654 |
| SHA256 | 224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372 |
| SHA512 | 0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
| MD5 | ab87bdae2f62e32a533f89cd362d081c |
| SHA1 | 40311859dd042a7e392877364568aad892792ba9 |
| SHA256 | 0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978 |
| SHA512 | dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 8d097aa5bec8bdb5df8f39e0db30397c |
| SHA1 | 56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158 |
| SHA256 | 42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d |
| SHA512 | a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 5c6fd1c6a5e69313a853a224e18a7fac |
| SHA1 | 10bae352f09b214edef2dc6adcb364c45fafdbec |
| SHA256 | 3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f |
| SHA512 | 08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | be16965acc8b0ce3a8a7c42d09329577 |
| SHA1 | 6ac0f1e759781c7e5342b20f2a200a6aab66535e |
| SHA256 | fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21 |
| SHA512 | 7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | a51cfb8cf618571215eeba7095733b25 |
| SHA1 | db4215890757c7c105a8001b41ae19ce1a5d3558 |
| SHA256 | 6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1 |
| SHA512 | 9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 3eae6d370f2623b37ec39c521d1f1461 |
| SHA1 | 86d43e2e69b2066333e4afa28a27c7a74ff89991 |
| SHA256 | ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b |
| SHA512 | 30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
| MD5 | 00d8b4bed48a1bb8a0451b967a902977 |
| SHA1 | f10ef17bda66d7cab2840d7f89c6de022a7b3ff2 |
| SHA256 | 568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5 |
| SHA512 | e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 7016bf365a155d29f01a000942a017ef |
| SHA1 | 47e25b97af56edbdd20ca72bba994c6bcf1b81e6 |
| SHA256 | b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830 |
| SHA512 | 2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 9efdffac1d337807b52356413b04b97b |
| SHA1 | 2590bd486abce24312066285fa1c1feaf8332fe0 |
| SHA256 | e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d |
| SHA512 | b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 73483cbc229c62e129627adbf62b0ffe |
| SHA1 | 074ce67665c86355d3218b5e3ea4b1b335095af8 |
| SHA256 | 13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c |
| SHA512 | 92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
| MD5 | 534483b0f4a1924b1ae6d7e66b4a4926 |
| SHA1 | 4e954316acd216007f4a0225b138e0c0a04fbbed |
| SHA256 | c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d |
| SHA512 | cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12 |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 42c72d838c34e4e7164c578a930b8fc7 |
| SHA1 | 82d02cb090eb6d81a1499189e4d3e6b82aa60061 |
| SHA256 | f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3 |
| SHA512 | 1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92 |
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll
| MD5 | 8ed02a1a11cec72b6a6a4989bf03cfcc |
| SHA1 | 172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8 |
| SHA256 | 4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3 |
| SHA512 | 444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416 |
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
| MD5 | bdbf614848cfc3fada7dae8a55a9ad8e |
| SHA1 | 78ad1a6c45e5df62659274c66b3c3a7a8731cdf5 |
| SHA256 | 5cf7f5d5fbb371a29f45d3777860ad07df3b2e12b273076a555c65334a9702ad |
| SHA512 | da82bdaf7785333734998c2c919242f7e0d7d585de5972efd028f283913b4a4cfa4d24c73ffba6fec3ea674e8ac69499b992090377144a1cdfe7e5575f1d7d0c |
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 49363f3cf4671baa6be1abd03033542f |
| SHA1 | e58902a82df86adf16f44ebdc558b92ad214a979 |
| SHA256 | 505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc |
| SHA512 | 98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd |
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
| MD5 | b77eeaeaf5f8493189b89852f3a7a712 |
| SHA1 | c40cf51c2eadb070a570b969b0525dc3fb684339 |
| SHA256 | b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e |
| SHA512 | a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3 |
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
| MD5 | 1d8c79f293ca86e8857149fb4efe4452 |
| SHA1 | 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f |
| SHA256 | c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4 |
| SHA512 | 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1 |
C:\Users\Admin\Desktop\TeraBox.lnk
| MD5 | 305203be50e80ffc3b3c07fc3a141fea |
| SHA1 | c79c9cb38a6d01e5de7feb3dc17df2e21a0fd85b |
| SHA256 | 4b15501f03a2f7487aae4e1cb09e715aa185c9752641de2ecc30b8f66b1f233c |
| SHA512 | 8b2b5e5e241b3fa2715e17af965736219bb672230303d4ee7e0e555ecd28240d54e3ab8503d6663fd340f03bccc6dadeecd07e1182990b88d0e79662b3aa5167 |
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
| MD5 | 80337d9a646974e377f3c89991ed138c |
| SHA1 | 38b7f9b0e0e138448592c9776c67e53de8ac52a5 |
| SHA256 | 1cde95285c13d908720f5075a4ece533e4b98a1fefe2ebbbe71fd697f45dfd0d |
| SHA512 | 9ee967588c6f7718834b2e4d04dc2c46236b20bfcbdd9a09cf011ee3f7f6f57f66a0191ba4c2d85fb95a51f68c34de4b977cf5c099975feee5137928392c8a6e |
C:\Users\Admin\AppData\Local\Temp\nst2B95.tmp\SetupCfg.ini
| MD5 | 86daef0a1abf90f934b20119d95e8b73 |
| SHA1 | fa9170644b102c598005d1764a16aba54314ab69 |
| SHA256 | a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa |
| SHA512 | 1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7 |
C:\Users\Admin\AppData\Local\Temp\Cab8123.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 091ebac5e8a29325319d9d50ea45fa23 |
| SHA1 | d6c89499421826fe8663fb204e789945f9803745 |
| SHA256 | a73b2088d49a0a19ef13338f47ca8a540f2440319d746dc2ee7b3328ac3aa7fc |
| SHA512 | 1609a5f11c81abc8b5fdf23b8a54f8e2aa0f6ad7026eabbd5ab8d3afb7eeddda9749787332982c3a1d72debcf2aacb8e227c44ae5cb96e1a71562caf953e5300 |
C:\Users\Admin\AppData\Local\Temp\TarB032.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 2116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 2116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 2116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
49s
Max time network
58s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2456 wrote to memory of 5024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/5024-0-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/5024-6-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/5024-5-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/5024-4-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/5024-3-0x0000000002B40000-0x0000000002B41000-memory.dmp
memory/5024-1-0x0000000001200000-0x0000000001201000-memory.dmp
memory/5024-2-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/5024-7-0x0000000074340000-0x000000007576C000-memory.dmp
memory/5024-8-0x0000000074991000-0x0000000074FE5000-memory.dmp
memory/5024-11-0x0000000074340000-0x000000007576C000-memory.dmp
memory/5024-12-0x0000000074340000-0x000000007576C000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240221-en
Max time kernel
121s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 2844 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 2844 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 2844 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240508-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2052 wrote to memory of 1704 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.85.148.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
49s
Max time network
55s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4008 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 4008 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
| PID 4008 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\BugReport.exe | C:\Users\Admin\AppData\Local\Temp\BugReport.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"
C:\Users\Admin\AppData\Local\Temp\BugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240611-en
Max time kernel
136s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\NsisInstallUI.dll
| MD5 | 075abe6be6b717434cea2879a54c4714 |
| SHA1 | dc02581f578d22db7460352a476727ac5b2fcbb9 |
| SHA256 | 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13 |
| SHA512 | 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63 |
C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\nsProcessW.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/4968-17-0x0000000003A10000-0x0000000003A20000-memory.dmp
memory/4968-126-0x0000000003A10000-0x0000000003A20000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240221-en
Max time kernel
142s
Max time network
131s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2080 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2980 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2176 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2880.0.1285412532\1345265334 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2880.0.1285412532\1345265334 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2880.1.1177577902\1093266508 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 40188 -unlogin
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49214 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:80 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:80 | www.terabox.com | tcp |
| N/A | 127.0.0.1:49237 | tcp | |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 23.62.61.57:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.232.36.156:443 | terabox.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.232.36.156:443 | terabox.com | tcp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| JP | 210.148.85.47:443 | www.terabox.com | tcp |
| CN | 124.239.243.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 123.235.31.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 150.138.188.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| US | 8.8.8.8:53 | terabox.com | udp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 124.239.243.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 123.235.31.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 150.138.188.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.140.225.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
| CN | 124.239.243.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 180.97.64.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 123.235.31.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 125.74.110.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 150.138.188.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.24.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 182.106.158.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 175.4.51.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| CN | 171.214.23.38:443 | global-staticplat.cdn.bcebos.com | tcp |
| JP | 210.148.85.47:443 | terabox.com | tcp |
Files
memory/2880-10-0x000000000020A000-0x000000000020B000-memory.dmp
memory/2880-11-0x0000000000200000-0x0000000000861000-memory.dmp
memory/2880-23-0x0000000000200000-0x0000000000861000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3101.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3250.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
| MD5 | 4198a9030d3db6ab58d97960a2a04b64 |
| SHA1 | e10f3d358acd8c3217eb915d76600535a16675c8 |
| SHA256 | de8a4d52b5454f2cc5584cd3af2d5430f7efd3b7ca5ab2bea55d7ce1318cfc45 |
| SHA512 | a883fd075e9251dd92ef2a769f2eeca29708b2c32fd5b6fd7601f34de1a38006f956a86e65e9b935266c474aedc40e1f99dd20014c46781d0bc30c32d9693767 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
| MD5 | d5e98140c51869fc462c8975620faa78 |
| SHA1 | 07e032e020b72c3f192f0628a2593a19a70f069e |
| SHA256 | 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e |
| SHA512 | 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105 |
memory/2880-1429-0x0000000000200000-0x0000000000861000-memory.dmp
memory/2880-1692-0x000000000B2D0000-0x000000000BAD0000-memory.dmp
memory/2880-1693-0x000000000B2D0000-0x000000000BAD0000-memory.dmp
memory/1304-1713-0x0000000000200000-0x0000000000201000-memory.dmp
memory/1304-1711-0x0000000000200000-0x0000000000201000-memory.dmp
memory/1304-1708-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1304-1706-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1304-1703-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1304-1701-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1304-1699-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/1304-1698-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1304-1696-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1304-1694-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1304-1723-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1304-1721-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1304-1718-0x0000000000210000-0x0000000000211000-memory.dmp
memory/1304-1716-0x0000000000210000-0x0000000000211000-memory.dmp
memory/1304-1724-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1304-1726-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1304-1728-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1304-1730-0x0000000067DD0000-0x00000000691FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox_status
| MD5 | 693e2d593893db008536fefa8fc32fb7 |
| SHA1 | 217358bf9133242c3969a9dd297fafb5aa114fea |
| SHA256 | cf643a2fd9443e31c5b2652406a48ce58ec18fb7465f90dc275a9bfbaf1fd8bc |
| SHA512 | 6c47b51e45a7fa3d7410b7fac332c16c38be7bea6f9aeea586646224dd7525b63966bbf22d53034927442e4e47755c7e07e71b4678afcf7340058c0b2901adf6 |
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml
| MD5 | c286cd40cd06c343b0a0daba4a8787ba |
| SHA1 | 971b13c25faff896033f77e0866fe21f7b26cbd5 |
| SHA256 | 0af3d4862222a6b68993220e693c2501de14d6e922c3ecce1a60754462822c60 |
| SHA512 | e4ab1154ac2ece073d33277cf8d8394cec51100014589c6d997341d3553d19734b69cfc0ce9f3c87c55e34e833b7647c70a60e1972894762dba71914e38ac10b |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
138s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{2B70B898-79C7-4A9B-BF02-E6995D3A2463} | C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBox.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBox.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2624 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2976 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4576.0.1051254639\846335309 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4576.0.1051254639\846335309 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4576.1.1432872129\1951231859 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 701d6 -unlogin
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2852 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:53 | www.terabox.com | udp |
| N/A | 127.0.0.1:54707 | tcp | |
| N/A | 127.0.0.1:54709 | tcp | |
| N/A | 127.0.0.1:54711 | tcp | |
| US | 8.8.8.8:53 | nephobox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:443 | tcp | |
| US | 8.8.8.8:53 | global-staticplat.cdn.bcebos.com | udp |
| US | 8.8.8.8:443 | tcp | |
| N/A | 127.0.0.1:54736 | tcp | |
| N/A | 127.0.0.1:54738 | tcp | |
| N/A | 127.0.0.1:54741 | tcp | |
| US | 8.8.8.8:53 | crl.globalsign.com | udp |
| N/A | 127.0.0.1:54790 | tcp | |
| US | 8.8.8.8:443 | tcp | |
| N/A | 127.0.0.1:54793 | tcp | |
| US | 8.8.8.8:443 | tcp | |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
| US | 8.8.8.8:53 | terabox.com | udp |
Files
memory/4576-5-0x000000000030A000-0x000000000030B000-memory.dmp
memory/4576-30-0x0000000000300000-0x0000000000961000-memory.dmp
memory/4576-49-0x0000000000300000-0x0000000000961000-memory.dmp
memory/4640-51-0x00000000010C0000-0x00000000010C1000-memory.dmp
memory/4640-52-0x00000000010D0000-0x00000000010D1000-memory.dmp
memory/4640-53-0x0000000002C10000-0x0000000002C11000-memory.dmp
memory/4640-54-0x0000000002C40000-0x0000000002C41000-memory.dmp
memory/4640-55-0x0000000002C50000-0x0000000002C51000-memory.dmp
memory/4640-56-0x00000000032C0000-0x00000000032C1000-memory.dmp
memory/4640-57-0x00000000032D0000-0x00000000032D1000-memory.dmp
memory/4640-58-0x0000000065B50000-0x0000000066F7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBox_status
| MD5 | 1c05e7e591fb899068e6b5b834dc75f4 |
| SHA1 | d32c810f28057b3f1129f4b42803b8e0b623dadd |
| SHA256 | 8c6c33e3dc1347d061662f38d47ab4ead811fa72d5d47d99a189c7506bd9af54 |
| SHA512 | 95f6ff82605d34d8c78ea877edcebc633a03263b3d17ce46af926cef7d7abb969d135ff68574b95c7bd29cc93dd821700baf70b355cd527a40129161c782c75f |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3560 wrote to memory of 3940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 648
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2228 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1
Network
Files
memory/2304-0-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2304-2-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2304-4-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2304-7-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2304-5-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2304-9-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2304-14-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2304-12-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2304-34-0x0000000070CA0000-0x00000000720CC000-memory.dmp
memory/2304-32-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2304-36-0x00000000712F1000-0x0000000071945000-memory.dmp
memory/2304-30-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2304-28-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2304-27-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2304-25-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2304-22-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2304-20-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2304-17-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2304-16-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2304-37-0x0000000070CA0000-0x00000000720CC000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
49s
Max time network
64s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4980 wrote to memory of 2060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4980 wrote to memory of 2060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4980 wrote to memory of 2060 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
118s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 224
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240611-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240508-en
Max time kernel
49s
Max time network
54s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240508-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 220
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win7-20240508-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2180 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-19 20:26
Reported
2024-06-19 20:30
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
176s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2772 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2772 wrote to memory of 2548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2548 -ip 2548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.242.123.52.in-addr.arpa | udp |