Malware Analysis Report

2024-10-18 22:29

Sample ID: 240928-wzje5ssdlc
Target: Terabox_1.32.0.1.exe
SHA256: 9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511
Tags: discovery zloader botnet persistence privilege_escalation trojan pdf link
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral3, behavioral20, behavioral23, behavioral31, behavioral1, behavioral18, behavioral21, behavioral22, behavioral24, behavioral25, behavioral27, behavioral30, behavioral4, behavioral11, behavioral14, behavioral16, behavioral15, behavioral5, behavioral8, behavioral19, behavioral26, behavioral32, behavioral2, behavioral6, behavioral13, behavioral17, behavioral28, behavioral7, behavioral10, behavioral9, behavioral12, behavioral29 (each: Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 10/10

SHA256: 9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511

Threat Level: Known bad

The file Terabox_1.32.0.1.exe was found to be: Known bad.

Malicious Activity Summary

discovery zloader botnet persistence privilege_escalation trojan pdf link

Zloader, Terdot, DELoader, ZeusSphinx

Adds Run key to start application

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Checks installed software on the system

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

HTTP links in PDF interactive object

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-28 18:22

Signatures

HTTP links in PDF interactive object

pdf link
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240729-en

Max time kernel

117s

Max time network

124s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupCfg.ini

$PLUGINSDIR is the temporary directory an NSIS-built installer unpacks its plugins and configuration into, so this detonation is Notepad opening the installer's own SetupCfg.ini; no signatures, network activity or dropped files are recorded for it.

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupCfg.ini

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\TeraBoxTorrentFile.ico

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\TeraBoxTorrentFile.ico

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp

All ten entries are reverse (PTR) lookups sent to 8.8.8.8; no forward resolution and no non-DNS traffic is recorded for this detonation.

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo2

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo2

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

These pak_auto_file entries are the per-user file association Windows writes when an unknown extension (.pak here) is handed to the "Open with" dialog (rundll32 shell32.dll,OpenAs_RunDLL, see Processes below) and Adobe Reader is picked for it. They are written by rundll32.exe, not by any TeraBox component, and are an artifact of detonating a Chromium resource file as if it were a program.

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f07a1e3a21013018fef589d5c6280628
SHA1 4d98ffdd564a01c6ef7e47574bb5052e7fbbc699
SHA256 dd91e745c425e52383c5fc4686ba34c68bc8ba9bf8254f151a67049e0105125c
SHA512 c3f4dc41f58b3f38097625d792ee355d8db6a9cd6851fa01c83250bde2f24f00214e416d2581233aa5d6a9df19ebbee319c6eff08bc72ecbefef76332cab1b99

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:24

Platform

win7-20240903-en

Max time kernel

77s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Family match only: the report attaches no Description/Indicator rows to this signature. Every itemised indicator in this run (below) is attributed to the TeraBox executables the installer drops under C:\Users\Admin\AppData\Roaming\TeraBox, or to regsvr32.exe registering their DLLs.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

No Description/Indicator rows are attached to this signature. The COM registrations in this run are the CLSID\{...}\InprocServer32 values listed under "Modifies registry class" below, written by both the 64-bit (system32) and 32-bit (SysWOW64) regsvr32.exe and pointing at C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll and YunOfficeAddin64.dll, together with the shellex\ContextMenuHandlers\YunShellExt entries under *, lnkfile and Directory that reference the same CLSID. In-process COM servers loaded from a user-writable profile directory are the pattern this technique name describes, so the check that matters is what those DLLs are and whether the directory is writable by a standard user.

Checks installed software on the system

discovery

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | C:\Windows\system32\regsvr32.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\DefaultIcon | C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib\ = "{75711486-6BB1-4c76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer\ = "YunOfficeAddin.YunPPTConnect.1" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A
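The rows above are the evidence behind the Run-key and COM signatures in this run, but the report lists them flat, one registry write per line. The script below is an added example (not sandbox output and not TeraBox code): it parses rows in the report's own Description / Indicator / Process / Target layout, using a handful of rows copied from behavioral1 as its embedded input, and reduces them to the persistence points that matter, resolving each shell-extension handler CLSID to the DLL its InprocServer32 value names and flagging COM servers that live in a directory a standard user can write to. The row grammar, the three key patterns and the notion of "user-writable" are this example's own assumptions about the report format, not anything the sandbox documents.

```python
"""Reduce the registry rows of a sandbox report to the persistence points they establish."""
import re
from collections import defaultdict

# Rows copied verbatim from the behavioral1 tables above (Description Indicator Process Target).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
"""

# One report row: operation, registry path, optional = "value", then the process and target columns.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.*?)(?: = "(?P<value>.*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.I)
INPROC = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InprocServer32\\?$', re.I)
CTXMENU = re.compile(r'\\Classes\\(?P<cls>[^\\]+)\\shellex\\ContextMenuHandlers\\[^\\]+\\?$', re.I)


def parse_row(line: str):
    """Return the row's columns as a dict (value un-escaped), or None for a line that is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["value"] is not None:                      # the report escapes " and \ inside values
        row["value"] = row["value"].replace('\\"', '"').replace("\\\\", "\\")
    return row


def quoted_exe(command: str) -> str:
    """Executable of a Run-key command line, honouring a quoted path followed by arguments."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    """Assumption for this example: the profile tree and ProgramData are writable by a standard
    user, so a COM server stored there can be swapped without administrative rights."""
    return path.lower().startswith(("c:\\users\\", "c:\\programdata\\"))


def triage(rows_text: str) -> dict:
    run, inproc, hooks = {}, {}, defaultdict(list)
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None or row["value"] is None:      # a bare key creation names no target yet
            continue
        key, value = row["key"], row["value"]
        if m := RUN_KEY.search(key):
            run[m["name"]] = quoted_exe(value)
        elif m := INPROC.search(key):
            inproc[m["clsid"].upper()] = value
        elif m := CTXMENU.search(key):
            hooks[value.upper()].append(m["cls"])       # the value is the handler's CLSID
    return {
        "run_keys": run,
        "com_servers": {c: {"dll": d, "user_writable": is_user_writable(d)} for c, d in inproc.items()},
        "shell_extensions": [{"clsid": c, "classes": sorted(cls), "dll": inproc.get(c)}
                             for c, cls in hooks.items()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_ROWS), indent=2))
```

Fed the rows above, the script reports two Run entries (TeraBox.exe with the AutoRun argument, and TeraBoxWebService.exe), two in-process COM servers under the user's AppData\Roaming\TeraBox directory, and one context-menu handler CLSID hooked for * and lnkfile that resolves to YunShellExt64.dll. The same three patterns can be run over a live host's HKLM\Software\Classes export to see whether the registrations survived beyond the sandbox.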

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518
ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 2064 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 340 wrote to memory of 1532 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2064 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2064 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1724 wrote to memory of 2484 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2064 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 2064 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 2984 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2984 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2984 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2984 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2984 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe"

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2064,6843126979829135423,14254501450181866669,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2080 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,6843126979829135423,14254501450181866669,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2768 /prefetch:8

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2064,6843126979829135423,14254501450181866669,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2064,6843126979829135423,14254501450181866669,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2064,6843126979829135423,14254501450181866669,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2144 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2984.0.1726447011\1670797944 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.166" -PcGuid "TBIMXV2-O_E00A6C9E112346AFB177F6ED733F8F3C-C_0-D_3332313238333038313435362020202020202020-M_E67A421F41DB-V_37CF2089" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2984.0.1726447011\1670797944 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.166" -PcGuid "TBIMXV2-O_E00A6C9E112346AFB177F6ED733F8F3C-C_0-D_3332313238333038313435362020202020202020-M_E67A421F41DB-V_37CF2089" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2984.1.404135263\1533772494 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.166" -PcGuid "TBIMXV2-O_E00A6C9E112346AFB177F6ED733F8F3C-C_0-D_3332313238333038313435362020202020202020-M_E67A421F41DB-V_37CF2089" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 4020e -unlogin

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\nsyB260.tmp\NsisInstallUI.dll

\Users\Admin\AppData\Local\Temp\nsyB260.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsyB260.tmp\nsProcessW.dll

\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll

C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll

\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll

\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

C:\Users\Admin\Desktop\TeraBox.lnk

\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

C:\Users\Admin\AppData\Local\Temp\nsyB260.tmp\SetupCfg.ini

C:\Users\Admin\AppData\Local\Temp\Cab5775.tmp

C:\Users\Admin\AppData\Local\Temp\Tar57D6.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Analysis: behavioral18

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:25
Platform win10v2004-20240802-en
Max time kernel 147s
Max time network 155s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DuiEngine license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DuiEngine license.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win7-20240903-en
Max time kernel 118s
Max time network 135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:25
Platform win10v2004-20240802-en
Max time kernel 144s
Max time network 156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:25
Platform win10v2004-20240802-en
Max time kernel 144s
Max time network 155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo2

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\VersionInfo2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win7-20240708-en
Max time kernel 11s
Max time network 17s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\autobackup.ico

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\autobackup.ico

Network

N/A

Files

memory/1756-0-0x0000000001F50000-0x0000000001F51000-memory.dmp

memory/1756-1-0x0000000001F50000-0x0000000001F51000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:25
Platform win7-20240903-en
Max time kernel 119s
Max time network 124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Analysis: behavioral30

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win10v2004-20240802-en
Max time kernel 149s
Max time network 155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win10v2004-20240802-en
Max time kernel 124s
Max time network 159s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupCfg.ini

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SetupCfg.ini

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:25
Platform win7-20240903-en
Max time kernel 120s
Max time network 126s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win10v2004-20240802-en
Max time kernel 145s
Max time network 156s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\CEF license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\CEF license.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win10v2004-20240802-en
Max time kernel 123s
Max time network 158s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=944,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win7-20240903-en
Max time kernel 118s
Max time network 124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ChromeManifest.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Analysis: behavioral5

Detonation Overview

Submitted 2024-09-28 18:21
Reported 2024-09-28 18:26
Platform win7-20240903-en
Max time kernel 133s
Max time network 132s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VersionInfo.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000407128f93ffb6f4332d0bcc33c550d0f6b3523e91476fb841afd869e0e3b1191000000000e800000000200002000000052881a761aeadbeccb2e0bb251e431b81a7d7dbe187c722b04cc891f9a9d65b32000000078d01a64cf1c3193e6e6a7521460529eeb972095630d88bd5602ab502b1a0c5540000000820f0eae8ed4660435b43ea6ce26b9e3817e4fb1030b5d2e179dc75afa95e4df9bbc8e2311103570cf9875c0c564e5d85420594b3d1cebad58cbe79968c99145 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C05BC111-7DC6-11EF-A528-527E38F5B48B} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433709673" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e024cc94d311db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2804 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 3028 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3028 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VersionInfo.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab9D99.tmp

C:\Users\Admin\AppData\Local\Temp\Tar9E39.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppProperty.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppProperty.xml"

Network

Country Destination Domain Proto

Files

memory/4672-1-0x00007FFD7132D000-0x00007FFD7132E000-memory.dmp

memory/4672-0-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

memory/4672-2-0x00007FFD71290000-0x00007FFD71485000-memory.dmp

memory/4672-3-0x00007FFD71290000-0x00007FFD71485000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\TeraBoxTorrentFile.ico

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\TeraBoxTorrentFile.ico

Network

N/A

Files

memory/1884-0-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1884-1-0x0000000000310000-0x0000000000311000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:26

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\autobackup.ico

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\autobackup.ico

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\Terabox_1.32.0.1.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsh71C7.tmp\NsisInstallUI.dll

C:\Users\Admin\AppData\Local\Temp\nsh71C7.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsh71C7.tmp\nsProcessW.dll

memory/1868-17-0x0000000002350000-0x0000000002360000-memory.dmp

memory/1868-126-0x0000000002350000-0x0000000002360000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

118s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VersionInfo.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\VersionInfo.xml"

Network

Country Destination Domain Proto

Files

memory/4108-1-0x00007FFF470ED000-0x00007FFF470EE000-memory.dmp

memory/4108-0-0x00007FFF070D0000-0x00007FFF070E0000-memory.dmp

memory/4108-2-0x00007FFF47050000-0x00007FFF47245000-memory.dmp

memory/4108-3-0x00007FFF47050000-0x00007FFF47245000-memory.dmp

memory/4108-4-0x00007FFF47050000-0x00007FFF47245000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:26

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\CEF license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\CEF license.txt"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DuiEngine license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\DuiEngine license.txt"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef.pak

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240903-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppProperty.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BCEDAC01-7DC6-11EF-A02E-FA59FB4FA467} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000677c7bfa69220c5fe70249209b1d6bf29fb15d78871671d136747d88ac456c20000000000e80000000020000200000009baa8a4b989b01d1e265886f3409f4315e831c5d985bb5f64c547b480957743f200000006a5d7bf9a308197561abb64be77740669e31dea6ff824bc3245894cd7fd37fda4000000097e6f86bfc39e94b3bd791f7d53cddc160d91a9dbf576a1e0486b393b56e5aef5b60e5e4a771b98db107680db19ba05d1800437d6123e23ab976d667eae61c57 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0569291d311db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000003f9917389937eeb4dfa68a4e3a0fa572da796f5e87912766b055b3b7969e3367000000000e80000000020000200000009438699f6cefc5884e268ae5dd762ed4294b381ae6227317363b03aa2db4979c900000001d84495672b86e8462d28901411f8f73f3ebb26d94c10d7736f4053c2b04632a8e3df3e04320c89a6cac9a4f5fc34e190fc4c5091781b96cb105af0d46de0ed2faa0e1bf72ae3c538df438534ca73f68154b89f16031ae2846e336150f22453c2f7435348defeca241f48d71475df68654250785b2c5939dec0cbfa60b804450f49c803e2641a80b7c080721b7e2935f40000000eacd39ef3ef991842261d3699edc0e2d76e5b07c70647f7740c7cf9cf4fcc8f4738fd61c9af9520e040db3bec6d4d2aa440c36543cb817aeef4d10e92462a511 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433709667" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2960 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 2960 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 2960 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2500 wrote to memory of 2960 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2960 wrote to memory of 3000 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 3000 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 3000 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 3000 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3000 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3000 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3000 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3000 wrote to memory of 2352 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AppProperty.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:26

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\VersionInfo.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\VersionInfo.xml"

Network

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240708-en

Max time kernel

134s

Max time network

133s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\VersionInfo.xml"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433709670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not reproduced in this copy of the report) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70306493d311db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000004817388a9968db3177475d239c1c9fe4033f3bf2ff96d71ce4874d1e16f166b3000000000e80000000020000200000007e83dbe32adfb47c44e176798213ae848b1dee8fd3a16b9a5c22a438d9cd61622000000051f07ae3cf7710a7d8f7a20ba40c98d044f5e560cc11dafe0968e7af7851945040000000209104e158da49b768bbc18a905d2c4fae419b85e29641dd6a32865dab0fd7f4e6643020ebcccb4a37d8e46d0e79f751b87d89588ba7e3d03f921841ebcc6c3d C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BEDC06B1-7DC6-11EF-BD1D-D238DC34531D} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 3016 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 3016 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 3016 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 3016 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3016 wrote to memory of 2720 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2720 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2720 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3016 wrote to memory of 2720 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2624 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2624 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2624 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2624 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AutoUpdate\VersionInfo.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:26

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

155s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\AutoUpdate\config.ini

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-28 18:21

Reported

2024-09-28 18:25

Platform

win7-20240704-en

Max time kernel

118s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak\ = "pak_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.pak C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\pak_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\browserres\cef_100_percent.pak"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c60a5ded5e2ea073df1a99be856d449e
SHA1 f7eb068d4014a964abd8d8523c59dc502a0a813c
SHA256 efc1e3b46bf38d2dc6d85bfbe0bef24e12a8cb9bdd33c592bc9a6608172e70f4
SHA512 69ec42f12c2a93808324802a9c5922a113e136db4c25456b6571fd351f0790be2b2a4358dd062e4da1a1ed6b864ee2891268a8f17a306218ca5fddae1c229791