Malware Analysis Report

2024-09-23 19:04

Sample ID 240619-y7tl7avbnq
Target TeraBox_sl_b_1.31.0.1.exe
SHA256 09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
Tags
zloader botnet discovery persistence privilege_escalation trojan qr link pdf
score
10/10


Analysis Overview

score
10/10

SHA256

09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Threat Level: Known bad

The file TeraBox_sl_b_1.31.0.1.exe was found to be: Known bad.

Malicious Activity Summary

zloader botnet discovery persistence privilege_escalation trojan qr link pdf

Zloader, Terdot, DELoader, ZeusSphinx

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Checks installed software on the system

Modifies system executable filetype association

Executes dropped EXE

HTTP links in PDF interactive object

Loads dropped DLL

Program crash

One or more HTTP URLs in qr code identified

Unsigned PE

One or more HTTP URLs in PDF identified

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 20:27

Signatures

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in PDF identified

pdf link

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240220-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 232

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{D3FB7F77-3B77-44C4-9EAE-FA87CEFEB645} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3852 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3852 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3852 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 3852 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 3852 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2504 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.3852.0.1182109868\1714830166 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3852.1.1257223808\60635573 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.90" -PcGuid "TBIMXV2-O_42EAE23F1C604536953F7FAA597E5262-C_0-D_DD00013-M_7E85BBD6B187-V_3A8EB726" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2600,429012633068519631,12677433332019082768,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3916 /prefetch:2

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 www.terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.terabox.com udp
N/A 127.0.0.1:51660 tcp
N/A 127.0.0.1:51662 tcp
N/A 127.0.0.1:51664 tcp
US 8.8.8.8:53 nephobox.com udp
US 8.8.8.8:443 tcp
US 8.8.8.8:443 tcp
N/A 127.0.0.1:51690 tcp
N/A 127.0.0.1:51692 tcp
N/A 127.0.0.1:51695 tcp
N/A 127.0.0.1:51736 tcp
N/A 127.0.0.1:51738 tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp

Files

memory/3852-8-0x0000000000C2A000-0x0000000000C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

MD5 72b65264d8979d98bd19cc98c7dd5c30
SHA1 3be7106007fa698dcf8b62bcd17d25a5702ab958
SHA256 b022346d5511f83bcde7ead672a0ec6b5ca5df3a3eed9a9ac3803257b44ea893
SHA512 e14136fcf9806ae2e13c76d7ae4e89f7387d5b09310783b306d42e244271ad15e1cd8a8b8c2b55a73babbad8477b994574b85792244622d220f1e03c8d6c4461

memory/3852-28-0x0000000000C20000-0x0000000001281000-memory.dmp

memory/1516-54-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/1516-55-0x0000000001270000-0x0000000001271000-memory.dmp

memory/1516-56-0x0000000001280000-0x0000000001281000-memory.dmp

memory/1516-57-0x0000000003190000-0x0000000003191000-memory.dmp

memory/1516-58-0x00000000031A0000-0x00000000031A1000-memory.dmp

memory/1516-59-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/1516-60-0x00000000032D0000-0x00000000032D1000-memory.dmp

memory/1516-61-0x00000000657B0000-0x0000000066BDC000-memory.dmp

memory/3852-91-0x0000000000C20000-0x0000000001281000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

159s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 3480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2964 wrote to memory of 3480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2964 wrote to memory of 3480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240508-en

Max time kernel

120s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp

Files

memory/2000-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

145s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 1932 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 1932 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 1932 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 1932 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Autoupdate.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe NoUpdate

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2040 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=3040 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2028,732539179716811645,6399189127447276855,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2180 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.1932.0.553451165\183935057 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1932.1.611277149\88016828 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.114" -PcGuid "TBIMXV2-O_226EC872D85D4F408B1ADEBAE8F71DB2-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_91B18CF6" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 terabox.com udp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:80 terabox.com tcp
JP 210.232.36.156:443 terabox.com tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 23.62.61.145:80 repository.certum.pl tcp
CN 60.188.66.38:443 global-staticplat.cdn.bcebos.com tcp
N/A 127.0.0.1:49287 tcp
N/A 127.0.0.1:49289 tcp
N/A 127.0.0.1:49291 tcp
CN 36.99.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 1.71.157.38:443 global-staticplat.cdn.bcebos.com tcp
CN 1.193.146.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.222.20.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 1.194.253.38:443 global-staticplat.cdn.bcebos.com tcp
CN 27.221.77.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp

Files

memory/1244-0-0x0000000000370000-0x0000000000371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2B56.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

memory/1932-46-0x000000000105A000-0x000000000105B000-memory.dmp

memory/1932-47-0x0000000001050000-0x00000000016B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

MD5 718e0118cbf9724812a82f0f790a6821
SHA1 bd2e9f045255c3805349aed979b2e57ee340340c
SHA256 0b3d0c699349b77605b4cf8f0641fd517eeeda73b721e5a57b75eb54d271de7a
SHA512 e0da1d77d94afb258402ab04ff0478322f51b7736abc662783ca7841432920ef91326620932725dc5923547a112abbbe58ae6cbe8dcf4086e0add28bf5f219ae

memory/1932-66-0x0000000001050000-0x00000000016B1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88d5656f316cc8d64011d101924abcba
SHA1 1175e853790bfe6406f9905b471f488be2738a72
SHA256 4e4b1dc183b156e84f0b769408788d08b45ef9ded4ed461a9c43b4669c4943c3
SHA512 b815a68500e39b343f5377994dd27963515a394e9663688ce904e6a8023cb1b838feb0ca08131f118b5f05b7c6c388f0565d8bba1aba267a84896e73e70b343c

C:\Users\Admin\AppData\Local\Temp\Tar3AEF.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 30d17002ebac0bc81c334d87e78701c3
SHA1 a2660ec8742ab940e7e705facf8755e5d27cc448
SHA256 339dbe16c9f733f045d704eca04a4f43c267b15b4d0504e37fc2a99ecea41387
SHA512 119bcca827ea93cb8fed73d74d9d0bd1e0e1090f082869ad2cf4a19e1cb50755f57ba737f49213a74c7c727a1830cad351e054a5ce7f6f6bf13c4d1a18286287

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20231129-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeNativeMessagingHost.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

119s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 2776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcessW.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe

"C:\Users\Admin\AppData\Local\Temp\HelpUtility.exe"

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240508-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 836 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 836 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 836 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 836 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 836 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 836 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 836 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 836 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 952 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
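
This table fires once per WriteProcessMemory call, and a parent writing into a child it has just created is normal (CreateProcess populates the new process's startup parameters that way), so the rows are most useful as a record of who launched whom rather than as injection evidence on their own. The Python below, an added example that is not part of the sandbox report, rebuilds the process tree from a copied subset of the rows, collapses duplicate rows into per-edge call counts, and annotates two patterns a triager should recognise here: regsvr32 launched by the installer (the Processes section shows it registering YunShellExt64.dll and the YunOfficeAddin DLLs with /s), and the 32-bit SysWOW64 regsvr32 re-launching the 64-bit system32 one, which is how a 32-bit installer registers a 64-bit DLL. The same redirection explains why the Processes section lists the image as C:\Windows\SysWOW64\regsvr32.exe while its command line names C:\Windows\system32\regsvr32.exe: WoW64 file-system redirection rewrites the 32-bit installer's CreateProcess path. The rules in findings() are the editor's triage heuristics, not signatures from the report.

```python
import re
from collections import Counter, defaultdict

# A subset of rows copied from the "Suspicious use of WriteProcessMemory" table of this report.
# The sandbox emits one row per WriteProcessMemory call, so the same parent/child pair repeats.
SAMPLE_ROWS = r"""
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 836 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 844 wrote to memory of 1776 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 836 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 836 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 836 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 952 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 952 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) for every well-formed row."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ppid, pid, pimg, cimg = m.groups()
            records.append((int(ppid), int(pid), pimg, cimg))
    return records


def build_tree(records):
    """Collapse repeated rows into one edge per (parent, child) and count the calls per edge."""
    image, children, calls = {}, defaultdict(list), Counter()
    for ppid, pid, pimg, cimg in records:
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
        if pid not in children[ppid]:
            children[ppid].append(pid)
        calls[(ppid, pid)] += 1
    return image, dict(children), calls


def roots(image, children):
    """PIDs that never appear as a child: the detonated sample, plus anything whose launch the table did not record."""
    kids = {pid for lst in children.values() for pid in lst}
    return sorted(p for p in image if p not in kids)


def render_tree(image, children, calls, pid, parent=None, depth=0):
    """One indented line per process, annotated with how many WPM calls its parent made into it."""
    note = f"  [{calls[(parent, pid)]} WPM call(s) from parent]" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid} {image[pid]}{note}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(image, children, calls, child, pid, depth + 1))
    return lines


def findings(image, children):
    """Edges worth a second look. Triage heuristics chosen by the editor, not signatures from the report."""
    out = []
    for ppid, kids in children.items():
        for pid in kids:
            pimg, cimg = image[ppid].lower(), image[pid].lower()
            if cimg.endswith("\\regsvr32.exe") and not pimg.startswith(SYSTEM_DIRS):
                out.append((ppid, pid, "regsvr32 spawned by a non-system parent: DLL registration driven by the installer"))
            if pimg == "c:\\windows\\syswow64\\regsvr32.exe" and cimg == "c:\\windows\\system32\\regsvr32.exe":
                out.append((ppid, pid, "32-bit regsvr32 re-launching the 64-bit regsvr32: a 64-bit DLL registered from a 32-bit installer"))
    return out


if __name__ == "__main__":
    image, children, calls = build_tree(parse_rows(SAMPLE_ROWS))
    for root in roots(image, children):
        print("\n".join(render_tree(image, children, calls, root)))
    for ppid, pid, why in findings(image, children):
        print(f"{ppid} -> {pid}: {why}")
```

On the subset the tree has two roots: PID 836 (the detonated installer) and PID 952, the second TeraBox.exe instance, whose own launch the WriteProcessMemory table does not record. Feeding the full table in gives the same shape with higher call counts per edge.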

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1968 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2584 /prefetch:8

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1968 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 50180 -unlogin
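
Two things in these command lines are worth pulling out mechanically. First, every TeraBoxRender.exe instance is a Chromium-based embedded browser (the --locales-dir-path and --resources-dir-path switches are CEF's, and the user agent reports Chrome/86) started with --no-sandbox; the renderer instances additionally pass --no-v8-untrusted-code-mitigations and load a bundled pepflashplayer.dll, a Flash plugin whose vendor support ended in 2020. Second, AutoUpdate.exe receives its configuration URL base64-encoded in -update_cfg_url. The Python below, an added example rather than code from the report or from TeraBox, tokenises a Windows command line with quoted arguments, flags those switches, and decodes any base64-looking token that yields printable text: the -update_cfg_url value decodes to https://terabox.com/autoupdate, which matches the terabox.com lookups in the Network section, while the --gpu-preferences blob on the gpu-process line is rejected because it decodes to binary. The RISKY_SWITCHES table is the editor's selection, not something the report enumerates.

```python
import base64
import binascii
import re

# Command lines copied from the Processes section of this report: AutoUpdate.exe, one gpu-process
# instance and one renderer instance of TeraBoxRender.exe.
AUTOUPDATE_CMDLINE = r'"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 50180 -unlogin'
GPU_CMDLINE = r'"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1968 /prefetch:2'
RENDERER_CMDLINE = r'"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1960,9707404346994720960,13577284352863838455,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1'

# A Windows argument is a run of quoted segments and/or bare characters; quotes may sit
# mid-token, as in --user-agent="...". Tokens are split on unquoted whitespace only.
_TOKEN_RE = re.compile(r'(?:"[^"]*"|[^\s"])+')
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Chromium/CEF switches that weaken process isolation. Editor's list, not from the report.
RISKY_SWITCHES = {
    "--no-sandbox": "child processes run outside the Chromium sandbox",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code (Spectre) mitigations off; Chrome relies on site isolation instead, which an unsandboxed embedder does not get",
    "--ppapi-flash-path": "bundled PPAPI Flash plugin loaded into renderers (Flash support ended in 2020)",
}


def tokenize(cmdline):
    """Split a Windows command line into argv-like tokens and drop the enclosing quotes."""
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def split_switch(token):
    """'--name=value' -> ('--name', 'value'); anything else -> (token, None)."""
    if token.startswith("-") and "=" in token:
        name, value = token.split("=", 1)
        return name, value
    return token, None


def decode_if_base64_text(value):
    """Return the decoded string if value is well-formed base64 that decodes to printable ASCII."""
    if not _B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)   # rejects bad alphabet and bad length
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Binary blobs such as --gpu-preferences decode fine but contain NUL and other controls.
    return text if len(text) >= 8 and text.isprintable() else None


def analyse(cmdline):
    """Report the image, risky switches and decoded base64 arguments of one command line."""
    tokens = tokenize(cmdline)
    report = {"image": tokens[0], "risky": {}, "decoded": {}}
    prev_switch = None
    for tok in tokens[1:]:
        name, value = split_switch(tok)
        if name in RISKY_SWITCHES:
            report["risky"][name] = RISKY_SWITCHES[name]
        if value is not None:                      # --switch=value form
            decoded = decode_if_base64_text(value)
            if decoded:
                report["decoded"][name] = decoded
            prev_switch = name
        elif tok.startswith("-"):                  # bare switch; its value, if any, follows
            prev_switch = tok
        else:                                      # positional: treat as value of the last switch
            decoded = decode_if_base64_text(tok)
            if decoded:
                report["decoded"][prev_switch or tok] = decoded
    return report


if __name__ == "__main__":
    for line in (AUTOUPDATE_CMDLINE, GPU_CMDLINE, RENDERER_CMDLINE):
        r = analyse(line)
        print(r["image"])
        for name, why in r["risky"].items():
            print(f"  {name}: {why}")
        for name, text in r["decoded"].items():
            print(f"  {name} decodes to {text}")
```

The printable-text filter is a heuristic: an ordinary word of 16 or more letters whose length happens to be a multiple of four will pass the regex, decode to junk and be dropped by isprintable(), which is the intended behaviour, but a genuinely encoded binary payload is dropped the same way and would need a separate entropy or magic-bytes check.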

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 terabox.com udp
N/A 127.0.0.1:49446 tcp
N/A 127.0.0.1:49448 tcp
N/A 127.0.0.1:49450 tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 nephobox.com udp
N/A 127.0.0.1:49490 tcp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
N/A 127.0.0.1:49492 tcp
N/A 127.0.0.1:49494 tcp
US 8.8.8.8:443 tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:443 tcp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 repository.certum.pl udp
US 8.8.8.8:53 nephobox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
US 8.8.8.8:443 tcp
N/A 127.0.0.1:49519 tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:443 tcp
N/A 127.0.0.1:49522 tcp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 repository.certum.pl udp
US 8.8.8.8:53 www.microsoft.com udp
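
The sandbox resolved everything through 8.8.8.8, so this table is mostly DNS queries, and not all of them are the sample's doing: crl.globalsign.com and repository.certum.pl serve certificate revocation lists and CA certificates, and lookups of them are a side effect of certificate-chain validation (Authenticode or TLS) on the sandbox host, so they do not belong in a blocklist built from this report. The high-port 127.0.0.1 rows are loopback connections, consistent with an application-local service, although the table does not show the listener. The Python below, an added example that is not part of the report, parses rows copied from the table, separates DNS queries, loopback connections and direct connections, and tags PKI infrastructure hosts with an allowlist that is the editor's own, leaving the domains a hunt or blocklist should actually start from.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report (a subset).
SAMPLE_NETWORK = """\
US 8.8.8.8:53 www.terabox.com udp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 global-staticplat.cdn.bcebos.com udp
N/A 127.0.0.1:49446 tcp
US 8.8.8.8:53 crl.globalsign.com udp
US 8.8.8.8:53 nephobox.com udp
US 8.8.8.8:443 tcp
US 8.8.8.8:53 terabox.com udp
US 8.8.8.8:53 repository.certum.pl udp
US 8.8.8.8:53 www.microsoft.com udp
"""

# Country, ip:port, optional domain, protocol. Rows without a domain are raw connections.
ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (udp|tcp)$")

# Hosts that serve CRLs, OCSP responses or CA certificates. Editor's allowlist; extend it with
# the issuers seen in your own environment rather than treating it as complete.
PKI_HOSTS = {"crl.globalsign.com", "ocsp.globalsign.com", "repository.certum.pl"}
PKI_PREFIXES = ("crl.", "ocsp.")


def classify_domain(domain):
    """'pki' for certificate-infrastructure hosts, 'application' for everything else."""
    d = domain.lower()
    return "pki" if d in PKI_HOSTS or d.startswith(PKI_PREFIXES) else "application"


def parse_network(text):
    """Return one dict per well-formed row; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split rows into DNS query counts per domain, loopback connections and direct connections."""
    out = {"dns": Counter(), "loopback": 0, "direct": Counter()}
    for r in rows:
        if r["ip"].startswith("127."):
            out["loopback"] += 1
        elif r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            out["dns"][r["domain"]] += 1
        else:
            out["direct"][f"{r['ip']}:{r['port']}/{r['proto']}"] += 1
    return out


def application_domains(rows):
    """Domains left after dropping PKI lookups: the starting set for a blocklist or a hunt."""
    return sorted({r["domain"] for r in rows if r["domain"] and classify_domain(r["domain"]) == "application"})


if __name__ == "__main__":
    rows = parse_network(SAMPLE_NETWORK)
    summary = summarize(rows)
    for domain, n in summary["dns"].most_common():
        print(f"{n:3d}  {domain}  ({classify_domain(domain)})")
    print("loopback connections:", summary["loopback"])
    print("direct connections:", dict(summary["direct"]))
    print("candidate domains:", application_domains(rows))
```

The direct 8.8.8.8:443/tcp connections are kept separate on purpose: the table gives no payload, so the script reports them rather than guessing what they carry.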

Files

\Users\Admin\AppData\Local\Temp\nst2B95.tmp\NsisInstallUI.dll

MD5 075abe6be6b717434cea2879a54c4714
SHA1 dc02581f578d22db7460352a476727ac5b2fcbb9
SHA256 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
SHA512 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63

\Users\Admin\AppData\Local\Temp\nst2B95.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

\Users\Admin\AppData\Local\Temp\nst2B95.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/836-20-0x0000000002880000-0x00000000028C0000-memory.dmp

memory/836-129-0x0000000002880000-0x00000000028C0000-memory.dmp

\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

MD5 7ab6073a5c400a5071bfa4ef2d936425
SHA1 f794ea18eced4330979972da2a4bfa33c03afa2f
SHA256 7774449e13c24d2b0b69114d9ba044e80dc8378fa3dfb5d17a142d5cb4cde8af
SHA512 4371b6b49df43dab4abf90a71819276f30dca823c93335edd5513a67a646c97ef575b2ede650ceb2f0f168af13431254530e9bffc3db0f5b0eada1492c3cab73

\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

MD5 b9ee83666245d8de4f0709b03eac1ad3
SHA1 38eaee6757499aaf4e8869837a767708392e225e
SHA256 ce10dfac95461981072738c92ccf8b01599b5ddde2b0a21d18506d3528c83fda
SHA512 d970c2a52dfde330bd32bc6718d194b90f8bc3131d9d7905e0f438483f3030bf64dfc69091562f467cc6ea34357513614671db94d2b664208016c3c11b77f08b

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll

MD5 4296cf3a7180e10aaf6147f4aecd24e4
SHA1 f81e09af979a1146774d554783d1a22a03a61393
SHA256 147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc
SHA512 60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

MD5 216a2dd23f95bdd63cd88a50eb7e69bd
SHA1 9c63635c26e276179f8dba9e02079bb3170b0321
SHA256 63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada
SHA512 390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

MD5 b5ac5913784d34c843677547edd5c578
SHA1 ed2a4e165ad8b65b1699aaf048654142a66943c6
SHA256 3267244255376bfaf68e75ad38468ba3ca0bbb49fe260f6e05611148d5cee3c9
SHA512 28a29ff02d7ce6d6a74b4938a1a1388c4ad6b36600bc9e7664edf14eb8a89aee49c107c46e13aee0194a38ec506cd86094952ce9327d724a98541871ff58d6db

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll

MD5 a0a883e26be6800508162e2a898148d9
SHA1 4f79892e7766cb7831211864978575598c86a11b
SHA256 9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90
SHA512 70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

MD5 7e489e7300d3177f64db31665a2079e0
SHA1 50b20f0b4e5bb5b35e68dd90a5c465dffd30260e
SHA256 7a426359908ae2b6ca1bc8a2773269a48126c2db23c171bc56a3456da4f0016c
SHA512 0b3b34c0e5e095dfd77d801cd7e85e0431da23bf1c943aacb855a40f5a0d9439d7667718abe654eac17ed474b3c9eb644b90cc8cc215c9adc99b12e29b7907d3

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll

MD5 6a3d5701446f6635faff87014a836eee
SHA1 7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b
SHA256 16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466
SHA512 839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 4ec243792d382305db59dc78b72d0a1e
SHA1 63b7285646c72ee640d34cdc200bfc5863db3563
SHA256 56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756
SHA512 88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll

MD5 a440776e10098f3a8ef1c5eaca72958e
SHA1 7b8662714f6e44fb29a4224a038e4127964003e9
SHA256 40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316
SHA512 b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 169e20a74258b182d2cdc76f1ae77fc5
SHA1 fce3f718e6de505ac910cb7333a03a2c6544f654
SHA256 224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372
SHA512 0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll

MD5 ab87bdae2f62e32a533f89cd362d081c
SHA1 40311859dd042a7e392877364568aad892792ba9
SHA256 0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978
SHA512 dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll

MD5 8d097aa5bec8bdb5df8f39e0db30397c
SHA1 56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158
SHA256 42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d
SHA512 a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll

MD5 5c6fd1c6a5e69313a853a224e18a7fac
SHA1 10bae352f09b214edef2dc6adcb364c45fafdbec
SHA256 3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f
SHA512 08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll

MD5 be16965acc8b0ce3a8a7c42d09329577
SHA1 6ac0f1e759781c7e5342b20f2a200a6aab66535e
SHA256 fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21
SHA512 7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll

MD5 a51cfb8cf618571215eeba7095733b25
SHA1 db4215890757c7c105a8001b41ae19ce1a5d3558
SHA256 6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1
SHA512 9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll

MD5 3eae6d370f2623b37ec39c521d1f1461
SHA1 86d43e2e69b2066333e4afa28a27c7a74ff89991
SHA256 ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b
SHA512 30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll

MD5 00d8b4bed48a1bb8a0451b967a902977
SHA1 f10ef17bda66d7cab2840d7f89c6de022a7b3ff2
SHA256 568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5
SHA512 e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll

MD5 7016bf365a155d29f01a000942a017ef
SHA1 47e25b97af56edbdd20ca72bba994c6bcf1b81e6
SHA256 b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830
SHA512 2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll

MD5 9efdffac1d337807b52356413b04b97b
SHA1 2590bd486abce24312066285fa1c1feaf8332fe0
SHA256 e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d
SHA512 b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll

MD5 73483cbc229c62e129627adbf62b0ffe
SHA1 074ce67665c86355d3218b5e3ea4b1b335095af8
SHA256 13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c
SHA512 92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll

MD5 534483b0f4a1924b1ae6d7e66b4a4926
SHA1 4e954316acd216007f4a0225b138e0c0a04fbbed
SHA256 c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d
SHA512 cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll

MD5 42c72d838c34e4e7164c578a930b8fc7
SHA1 82d02cb090eb6d81a1499189e4d3e6b82aa60061
SHA256 f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3
SHA512 1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll

MD5 8ed02a1a11cec72b6a6a4989bf03cfcc
SHA1 172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8
SHA256 4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3
SHA512 444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

MD5 bdbf614848cfc3fada7dae8a55a9ad8e
SHA1 78ad1a6c45e5df62659274c66b3c3a7a8731cdf5
SHA256 5cf7f5d5fbb371a29f45d3777860ad07df3b2e12b273076a555c65334a9702ad
SHA512 da82bdaf7785333734998c2c919242f7e0d7d585de5972efd028f283913b4a4cfa4d24c73ffba6fec3ea674e8ac69499b992090377144a1cdfe7e5575f1d7d0c

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll

MD5 49363f3cf4671baa6be1abd03033542f
SHA1 e58902a82df86adf16f44ebdc558b92ad214a979
SHA256 505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc
SHA512 98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

MD5 b77eeaeaf5f8493189b89852f3a7a712
SHA1 c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256 b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512 a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

MD5 1d8c79f293ca86e8857149fb4efe4452
SHA1 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
SHA256 c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
SHA512 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

C:\Users\Admin\Desktop\TeraBox.lnk

MD5 305203be50e80ffc3b3c07fc3a141fea
SHA1 c79c9cb38a6d01e5de7feb3dc17df2e21a0fd85b
SHA256 4b15501f03a2f7487aae4e1cb09e715aa185c9752641de2ecc30b8f66b1f233c
SHA512 8b2b5e5e241b3fa2715e17af965736219bb672230303d4ee7e0e555ecd28240d54e3ab8503d6663fd340f03bccc6dadeecd07e1182990b88d0e79662b3aa5167

\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

MD5 80337d9a646974e377f3c89991ed138c
SHA1 38b7f9b0e0e138448592c9776c67e53de8ac52a5
SHA256 1cde95285c13d908720f5075a4ece533e4b98a1fefe2ebbbe71fd697f45dfd0d
SHA512 9ee967588c6f7718834b2e4d04dc2c46236b20bfcbdd9a09cf011ee3f7f6f57f66a0191ba4c2d85fb95a51f68c34de4b977cf5c099975feee5137928392c8a6e

C:\Users\Admin\AppData\Local\Temp\nst2B95.tmp\SetupCfg.ini

MD5 86daef0a1abf90f934b20119d95e8b73
SHA1 fa9170644b102c598005d1764a16aba54314ab69
SHA256 a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa
SHA512 1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

C:\Users\Admin\AppData\Local\Temp\Cab8123.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 091ebac5e8a29325319d9d50ea45fa23
SHA1 d6c89499421826fe8663fb204e789945f9803745
SHA256 a73b2088d49a0a19ef13338f47ca8a540f2440319d746dc2ee7b3328ac3aa7fc
SHA512 1609a5f11c81abc8b5fdf23b8a54f8e2aa0f6ad7026eabbd5ab8d3afb7eeddda9749787332982c3a1d72debcf2aacb8e227c44ae5cb96e1a71562caf953e5300

C:\Users\Admin\AppData\Local\Temp\TarB032.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

58s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/5024-0-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/5024-6-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/5024-5-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/5024-4-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/5024-3-0x0000000002B40000-0x0000000002B41000-memory.dmp

memory/5024-1-0x0000000001200000-0x0000000001201000-memory.dmp

memory/5024-2-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/5024-7-0x0000000074340000-0x000000007576C000-memory.dmp

memory/5024-8-0x0000000074991000-0x0000000074FE5000-memory.dmp

memory/5024-11-0x0000000074340000-0x000000007576C000-memory.dmp

memory/5024-12-0x0000000074340000-0x000000007576C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240221-en

Max time kernel

121s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240508-en

Max time kernel

118s

Max time network

133s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Bull140U.dll

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 www.terabox.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BugReport.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe"

C:\Users\Admin\AppData\Local\Temp\BugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BugReport.exe" /repair "rp:" ""

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\NsisInstallUI.dll

MD5 075abe6be6b717434cea2879a54c4714
SHA1 dc02581f578d22db7460352a476727ac5b2fcbb9
SHA256 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
SHA512 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63

C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsh4085.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/4968-17-0x0000000003A10000-0x0000000003A20000-memory.dmp

memory/4968-126-0x0000000003A10000-0x0000000003A20000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240221-en

Max time kernel

142s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (same value as the next row) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (same value as above) C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
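The Set value rows above write a CertificateBlob under AuthRoot, and the sandbox tags that as evasion/spyware/trojan. The value is a sequence of property records (DWORD property id, DWORD 1, DWORD length, data); the last record, CERT_CERT_PROP_ID (0x20), carries the DER certificate, and the key name under AuthRoot\Certificates is that certificate's SHA-1 thumbprint. The Python below is an added example, not part of this report or of the TeraBox software: it parses the exact Blob hex from the rows above (split here at property and DER field boundaries), recovers the subject, validity and hashes, and checks that the key name and the stored hash properties agree with the DER that was actually written. Property-id names are taken from wincrypt.h; the DER walk is deliberately minimal and assumes short-form lengths for the name and UTCTime validity, which holds for this certificate. It decodes to DigiCert Assured ID Root CA, valid 2006-11-10 to 2031-11-10. AuthRoot is the store Windows fills through its automatic root update when a chain is first validated (the CryptnetUrlCache entries in the file lists above belong to the same mechanism), so the triage question is which certificate landed, not that a write happened; an unknown self-signed subject in this position is the case worth escalating.

```python
import hashlib
import struct

# Blob value from the "Modifies system certificate store" rows of this report,
# split at property / DER field boundaries for readability (whitespace ignored).
BLOB_HEX = """
04000000 01000000 10000000 87ce0b7b2a0e4900e158719b37a89372
0f000000 01000000 14000000 6dca5bd00dcf1c0f327059d374b29ca6e3c50aa6
09000000 01000000 34000000 303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308
14000000 01000000 14000000 45eba2aff492cb82312d518ba7a7219df36dc80f
0b000000 01000000 12000000 440069006700690043006500720074000000
1d000000 01000000 10000000 4f5f106930398d09107b40c3c7ca8f1c
03000000 01000000 14000000 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
19000000 01000000 10000000 749966cecc95c1874194ca7203f9b620
20000000 01000000 bb030000
308203b7 3082029f a003020102 0210 0ce7e0e517d846fe8fe560fc1bf03039
300d06092a864886f70d0101050500
3065 310b300906035504061302 5553 31153013060355040a130c 446967694365727420496e63
31193017060355040b1310 7777772e64696769636572742e636f6d
312430220603550403131b 4469676943657274204173737572656420494420526f6f74204341
301e 170d3036313131303030303030305a 170d3331313131303030303030305a
3065 310b300906035504061302 5553 31153013060355040a130c 446967694365727420496e63
31193017060355040b1310 7777772e64696769636572742e636f6d
312430220603550403131b 4469676943657274204173737572656420494420526f6f74204341
30820122 300d06092a864886f70d0101010500 0382010f00 3082010a 0282010100
ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c3184
2af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3
a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917
9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f
0203010001
a3633061 300e0603551d0f0101ff040403020186 300f0603551d130101ff040530030101ff
301d0603551d0e04160414 45eba2aff492cb82312d518ba7a7219df36dc80f
301f0603551d230418301680 14 45eba2aff492cb82312d518ba7a7219df36dc80f
300d06092a864886f70d0101050500 0382010100
a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12
d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f0105
9bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3
672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2
"""

# Registry key name the Blob was written under (from the rows above).
REG_KEY_THUMBPRINT = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"

# CERT_*_PROP_ID values from wincrypt.h for the properties seen in this Blob.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID", 0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID", 0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID", 0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 0x20: "CERT_CERT_PROP_ID",
}


def parse_blob(hex_text):
    """Walk the Blob: (propid, 1, length) little-endian DWORD headers, each
    followed by `length` bytes of property data. Returns {propid: bytes}."""
    data = bytes.fromhex("".join(hex_text.split()))
    props, off = {}, 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", data, off)
        off += 12
        value = data[off:off + length]
        if reserved != 1 or len(value) != length:
            raise ValueError("malformed property 0x%02x at offset %d" % (prop_id, off))
        props[prop_id] = value
        off += length
    return props


def subject_cn(der):
    """Last commonName (OID 2.5.4.3) in the DER: issuer precedes subject, so
    rfind lands on the subject. Assumes a short-form DER length."""
    idx = der.rfind(b"\x06\x03\x55\x04\x03")
    if idx < 0:
        return None
    length = der[idx + 6]
    if length & 0x80:
        raise ValueError("long-form DER length not handled")
    return der[idx + 7:idx + 7 + length].decode("ascii")


def validity(der):
    """(notBefore, notAfter) as UTCTime strings; assumes both are UTCTime
    (tag 0x17, 13 bytes), which holds for this root."""
    idx = der.find(b"\x30\x1e\x17\x0d")
    if idx < 0:
        raise ValueError("UTCTime validity sequence not found")
    return (der[idx + 4:idx + 17].decode("ascii"), der[idx + 19:idx + 32].decode("ascii"))


def describe(hex_text, key_thumbprint):
    """Decode the Blob and cross-check the key name and stored hashes."""
    props = parse_blob(hex_text)
    der = props[0x20]
    sha1, md5 = hashlib.sha1(der).hexdigest(), hashlib.md5(der).hexdigest()
    return {
        "properties": [PROP_NAMES.get(p, "0x%02x" % p) for p in props],
        "friendly_name": props[0x0B].decode("utf-16-le").rstrip("\x00"),
        "subject_cn": subject_cn(der),
        "validity": validity(der),
        "der_len": len(der),
        "sha1": sha1,
        # Key name under AuthRoot\Certificates must be the SHA-1 of the DER,
        # and the hash properties must describe the same bytes.
        "key_name_matches": key_thumbprint.lower() == sha1,
        "hash_props_consistent": props[0x03].hex() == sha1 and props[0x04].hex() == md5,
    }


if __name__ == "__main__":
    for k, v in describe(BLOB_HEX, REG_KEY_THUMBPRINT).items():
        print("%-22s %s" % (k, v))
```

The same parser applies to any `Blob` value exported from `HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>` (reg export, registry hive from a forensic image, or a sandbox row like the ones above); a mismatch between the key name and the computed SHA-1 means the value was not written by the normal certificate store code path.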

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2880 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
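The "Suspicious use of WriteProcessMemory" tables in this report (behavioral6, behavioral10, behavioral19 and this one) all show a parent writing into a child it has just started: the System32 rundll32.exe and regsvr32.exe re-launching their SysWOW64 copies to host a 32-bit DLL, and TeraBox.exe starting its own renderer, web service and updater from the same directory tree. The Python below is an added triage helper, not part of this report or of the TeraBox software; it parses rows in the table's format and sorts them into the WoW64 self-relaunch, a parent writing to a child from its own directory tree, and anything else, which is the set a responder should read first. The sample rows are copied from the tables named above, plus one constructed explorer.exe row (PIDs 4242 and 1337, not from the report) to exercise the last category. A cross-process write is a reason to look at the pair, not proof of injection.

```python
import ntpath
import re
from collections import Counter

# Constructed sample. Rows 1-6 are copied from the WriteProcessMemory tables in
# this report; the last row is invented (not from the report) to exercise the
# "cross-process" category.
ROWS = r"""
PID 1160 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 5024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2052 wrote to memory of 1704 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2880 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 2880 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 2880 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 4242 wrote to memory of 1337 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Windows\explorer.exe
"""

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# System32 hosts that re-launch their SysWOW64 twin to load a 32-bit DLL.
WOW64_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def classify(src, dst):
    """Label one parent->child write by where the two images live."""
    s_dir, s_name = ntpath.split(src)
    d_dir, d_name = ntpath.split(dst)
    s_dir, d_dir = s_dir.lower(), d_dir.lower()
    s_name, d_name = s_name.lower(), d_name.lower()
    if (s_name == d_name and s_name in WOW64_HOSTS
            and s_dir.endswith("\\windows\\system32")
            and d_dir.endswith("\\windows\\syswow64")):
        return "wow64-relaunch"
    # Child image in the parent's own directory or a subdirectory of it.
    if d_dir == s_dir or d_dir.startswith(s_dir.rstrip("\\") + "\\"):
        return "same-tree-child"
    return "cross-process"


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image, label) per table row."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: %r" % line)
        spid, dpid, _indicator, src, dst = m.groups()
        out.append((int(spid), int(dpid), src, dst, classify(src, dst)))
    return out


def triage(text):
    """Return (label counts, cross-process rows to review first)."""
    rows = parse_rows(text)
    counts = Counter(r[4] for r in rows)
    review = [(spid, dpid, dst) for spid, dpid, _src, dst, label in rows
              if label == "cross-process"]
    return counts, review


if __name__ == "__main__":
    counts, review = triage(ROWS)
    print(dict(counts))
    for spid, dpid, dst in review:
        print("review: PID %d -> PID %d (%s)" % (spid, dpid, dst))
```

The directory-tree rule is a coarse filter: a dropper that writes a payload next to itself and injects into it would also land in "same-tree-child", so the label is an ordering for review, not a verdict.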

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2080 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2980 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2032,175521062090650123,5403248993222217393,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2176 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2880.0.1285412532\1345265334 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.2880.0.1285412532\1345265334 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2880.1.1177577902\1093266508 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.245" -PcGuid "TBIMXV2-O_3F58BB89F7454C119F33615B0CD78530-C_0-D_4d51303031302033202020202020202020202020-M_6EAD7206CC74-V_2F927B92" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 40188 -unlogin

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\Cab3101.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\Tar3250.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F


C:\Users\Admin\AppData\Local\Temp\TeraBox_status


C:\Users\Admin\AppData\Local\Temp\AutoUpdate\Download\AutoUpdate.xml


Analysis: behavioral26

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{2B70B898-79C7-4A9B-BF02-E6995D3A2463} C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe
PID 4576 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe
PID 4576 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4576 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4576 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe
PID 4576 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe
PID 4576 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox.exe C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2624 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2976 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxWebService.exe"

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Local\Temp\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4576.0.1051254639\846335309 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Local\Temp\kernel.dll" -ChannelName terabox.4576.0.1051254639\846335309 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Local\Temp\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4576.1.1432872129\1951231859 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.105" -PcGuid "TBIMXV2-O_A1A1B2EB119E4AB4B98C5FEF9DF8AF4B-C_0-D_DD00013-M_F6C903454AA3-V_B38E9D55" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 701d6 -unlogin

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,13627056050401957421,7014753926590675866,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres\locales" --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --mojo-platform-channel-handle=2852 /prefetch:2

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\TeraBox_status


Analysis: behavioral28

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 3940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 3940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3560 wrote to memory of 3940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsisInstallUI.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2228 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\kernel.dll,#1

Network

N/A

Files


Analysis: behavioral12

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

64s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 2060 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4980 wrote to memory of 2060 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4980 wrote to memory of 2060 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

118s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 224

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240611-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBoxRender.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240508-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 220

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win7-20240508-en

Max time kernel

117s

Max time network

128s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2180 wrote to memory of 2208 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AppUtil.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-19 20:26

Reported

2024-06-19 20:30

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2772 wrote to memory of 2548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AutoUpdate\AutoUpdateUtil.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 38.242.123.52.in-addr.arpa udp

Files

N/A