009053dc6722ff482a3945853b43f8536bcdf87e90c537f586c4410a6eef73be

Analysis

max time kernel
61s
max time network
71s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_1.9.0.4.exe
Size

78.6MB
MD5

1393dbe54a40e55d128120de408f8ddb
SHA1

1748cd612bb30fdee3f7a340fa49b2b6298ca265
SHA256

009053dc6722ff482a3945853b43f8536bcdf87e90c537f586c4410a6eef73be
SHA512

81f8238fc6248f2ccf8a92fc3144e5b890d3d7b0747d085a002201c2c3fb12713608a69858864b919315315c8b7e4da4868d5da678bd1c2e7e51116059e52b78
SSDEEP

1572864:q0j1sTb8vY/e5RIzdgZ7eGNsRXZEJE2PAdkOlXCi1z31D:qA1sTF/ev/GNiEqAdkOlV1L1D

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Executes dropped EXE 14 IoCs

Processes:

TeraBox.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exeTeraBoxHost.exeTeraBoxRender.exeTeraBoxHost.exeAutoUpdate.exe

pid	process
988	TeraBox.exe
768	YunUtilityService.exe
1096	TeraBoxWebService.exe
1524	TeraBox.exe
432	TeraBoxWebService.exe
1020	TeraBoxRender.exe
1992	TeraBoxRender.exe
1420	TeraBoxRender.exe
1620	TeraBoxRender.exe
2256	TeraBoxHost.exe
2444	TeraBoxHost.exe
2644	TeraBoxRender.exe
2740	TeraBoxHost.exe
2788	AutoUpdate.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TeraBoxRender.exeTeraBox.exeTeraBoxRender.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Loads dropped DLL 64 IoCs

Processes:

TeraBox_1.9.0.4.exeTeraBox.exeregsvr32.exeregsvr32.exeYunUtilityService.exeTeraBoxWebService.exe

pid	process
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
988	TeraBox.exe
548	regsvr32.exe
964	regsvr32.exe
832	TeraBox_1.9.0.4.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
768	YunUtilityService.exe
832	TeraBox_1.9.0.4.exe
1096	TeraBoxWebService.exe
1096	TeraBoxWebService.exe
1096	TeraBoxWebService.exe
1096	TeraBoxWebService.exe
1096	TeraBoxWebService.exe
1096	TeraBoxWebService.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeTeraBox.exeTeraBoxWebService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\ = "YunShellExt 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib\ = "{75711486-6BB1-4c76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\",1"	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe,0"	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\ = "TeraBox Torrent File"	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell\Open\Command	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe"	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\ = "TeraBoxProtocol"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell\Open	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" \"%1\""	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}\ = "YunShellExt"	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

TeraBox_1.9.0.4.exeTeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exeTeraBoxRender.exe

pid	process
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
832	TeraBox_1.9.0.4.exe
1524	TeraBox.exe
1524	TeraBox.exe
1524	TeraBox.exe
1020	TeraBoxRender.exe
1992	TeraBoxRender.exe
1420	TeraBoxRender.exe
1620	TeraBoxRender.exe
1524	TeraBox.exe
2444	TeraBoxHost.exe
2444	TeraBoxHost.exe
2444	TeraBoxHost.exe
2644	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TeraBoxHost.exe

description pid process

Token: SeManageVolumePrivilege 2444 TeraBoxHost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TeraBox.exe

pid process

1524 TeraBox.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TeraBox.exe

pid process

1524 TeraBox.exe

description	pid	process
Token: SeManageVolumePrivilege	2444	TeraBoxHost.exe

pid	process
1524	TeraBox.exe

pid	process
1524	TeraBox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TeraBox_1.9.0.4.exeregsvr32.exeTeraBox.exe

description	pid	process	target process
PID 832 wrote to memory of 988	832	TeraBox_1.9.0.4.exe	TeraBox.exe
PID 832 wrote to memory of 988	832	TeraBox_1.9.0.4.exe	TeraBox.exe
PID 832 wrote to memory of 988	832	TeraBox_1.9.0.4.exe	TeraBox.exe
PID 832 wrote to memory of 988	832	TeraBox_1.9.0.4.exe	TeraBox.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 832 wrote to memory of 548	832	TeraBox_1.9.0.4.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 548 wrote to memory of 964	548	regsvr32.exe	regsvr32.exe
PID 832 wrote to memory of 768	832	TeraBox_1.9.0.4.exe	YunUtilityService.exe
PID 832 wrote to memory of 768	832	TeraBox_1.9.0.4.exe	YunUtilityService.exe
PID 832 wrote to memory of 768	832	TeraBox_1.9.0.4.exe	YunUtilityService.exe
PID 832 wrote to memory of 768	832	TeraBox_1.9.0.4.exe	YunUtilityService.exe
PID 832 wrote to memory of 1096	832	TeraBox_1.9.0.4.exe	TeraBoxWebService.exe
PID 832 wrote to memory of 1096	832	TeraBox_1.9.0.4.exe	TeraBoxWebService.exe
PID 832 wrote to memory of 1096	832	TeraBox_1.9.0.4.exe	TeraBoxWebService.exe
PID 832 wrote to memory of 1096	832	TeraBox_1.9.0.4.exe	TeraBoxWebService.exe
PID 1524 wrote to memory of 1020	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1020	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1020	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1020	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1992	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1992	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1992	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1992	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1420	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1420	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1420	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1420	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1620	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1620	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1620	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 1620	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 2256	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2256	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2256	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2256	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2444	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2444	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2444	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2444	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2644	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 2644	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 2644	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 2644	1524	TeraBox.exe	TeraBoxRender.exe
PID 1524 wrote to memory of 2740	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2740	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2740	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2740	1524	TeraBox.exe	TeraBoxHost.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe
PID 1524 wrote to memory of 2788	1524	TeraBox.exe	AutoUpdate.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox_1.9.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_1.9.0.4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:988

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
3⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:964

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1096

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1560,15295956961593400809,8692734211880325005,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.9.0.4;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1568 /prefetch:2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,15295956961593400809,8692734211880325005,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.9.0.4;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2280 /prefetch:8
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1560,15295956961593400809,8692734211880325005,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.9.0.4;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1560,15295956961593400809,8692734211880325005,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.9.0.4;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1524.0.267721620\1070995847 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.147" -PcGuid "TBIMXV2-O_3EF57441AF1040EEA0C78F51D5438E17-C_0-D_4d51303031302033202020202020202020202020-M_FAB5137186BE-V_DE3EA6A1" -Version "1.9.0.4" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1524.0.267721620\1070995847 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.147" -PcGuid "TBIMXV2-O_3EF57441AF1040EEA0C78F51D5438E17-C_0-D_4d51303031302033202020202020202020202020-M_FAB5137186BE-V_DE3EA6A1" -Version "1.9.0.4" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1560,15295956961593400809,8692734211880325005,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.9.0.4;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1680 /prefetch:2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1524.1.1482242550\1445574256 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.147" -PcGuid "TBIMXV2-O_3EF57441AF1040EEA0C78F51D5438E17-C_0-D_4d51303031302033202020202020202020202020-M_FAB5137186BE-V_DE3EA6A1" -Version "1.9.0.4" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -srvwnd 101ba -unlogin
3⤵
- Executes dropped EXE
PID:2788

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
2⤵
- Executes dropped EXE
PID:432

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1668

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:2368

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL
Filesize
2.7MB

MD5
1fccddc7a87307bbe8b750eefec52be7

SHA1
ef0e2342930ea0e15a0cc2f9afd1ec0a3b1e5b81

SHA256
e14e491f282e3e71ec0fbf2a41a305ec0997135e6992132ec3101a02fe09ee7f

SHA512
ba50e65f133f6716d0786a76b427483a0ab8b97f6bd32390c8ffb5a613fffbd2440ddae51c9e588d568815e6bb421fb5608153ea210356c20405c8d195b3d493

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
965KB

MD5
9c0d4e04006d7523021cc36633792314

SHA1
9685ac642500523ce270a7c3b30edb4034c5922f

SHA256
ce0e3509597179e012bb09bcead37a8e82672babea7c180ac0a4636808366eea

SHA512
0ed54924a1475a54a245f6eb4b7f507057a90e9e582fc470106ba8ff510f3d4e7c2430874da3ed3c68b135e190d168ccc850d85c309946401417c9e67fbb79cd

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL
Filesize
888KB

MD5
558be69a5972c56da69225134b049f30

SHA1
2cdf4a3404581b6c125932d8825048af08e51479

SHA256
15e59790c32b69409087c534b3a9c16c9f1833faceb7b40edae4e4e746ac970d

SHA512
b284d6a2f71b3f6514e70aba2f1a44437113b69bb8e87669af0eb8311b41e82510a34e497500df2d139640f42ab060e6787cefc84595563b8f59fd693021c907

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.8MB

MD5
bece035264eaf3c68a2d4996e86db8b7

SHA1
48442d78e425b7e6eda79ad9ad64941abb4c50f6

SHA256
ce9e96c889e85124d1ba94404d3f1e41332fb8307b17e603a3538a775689e651

SHA512
b533f68f2d6c5a12788dbed28d061f57ebc0746d7e1cc75675176710051042dff09634fc6ccef1abab6af84780b2a18665856d22e5505d2743e75e5240a5b150

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.DLL
Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
Filesize
671KB

MD5
ae829feb56c8d2461dfc956a60d40899

SHA1
1feadee2f38e1fc879961fdc910e5eed2a1738e9

SHA256
fd692efdb69b1455e18f73776f5bd8f1640ea4499bb5915468db745208501a5a

SHA512
36905d132b16c64a6e2901ee6ce44e5cab0dd4e28489a0da38455a79121968fca56d524964fe40a9239e375054ab68ef2a727e1c65c9d371000cab6209e80e26

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
5ac958babaf6d968ea55db6cc748eca5

SHA1
57511fe1538b9bcf225c236a64d20ad823dd5286

SHA256
fadaa73c180f1bdfb1784a9cd834a0a2f5c9d02dc26bc73790dc25c809aa313d

SHA512
1c6e0205b7b823d6c6b2865842af6ff113910a688be8bbf7edb3f5c58bfd84789c08b5f6d1c7a836083bd26a9e1f599b886255eaac761fe1e49cbbc564dc55a4

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEE.tmp\NsisInstallUI.dll
Filesize
2.0MB

MD5
6d088ea958c26dda8c5534d4400b37c4

SHA1
cbc08b5bb0e2853f19960a3b74ff6168d0af2199

SHA256
fc95bf4f3a117710cd6cb6466957317dfc11417366c9829d21b12830154ebb10

SHA512
81e5a07ace641860c74ce54eff77d7c625ddebba8df0c7d285d62b8a2d56d572a5106c83938baba16bbd25fdbc4ddd48d61c164702437b5871eeb7aa3a2cb419

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEE.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsoEE.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
Filesize
888KB

MD5
558be69a5972c56da69225134b049f30

SHA1
2cdf4a3404581b6c125932d8825048af08e51479

SHA256
15e59790c32b69409087c534b3a9c16c9f1833faceb7b40edae4e4e746ac970d

SHA512
b284d6a2f71b3f6514e70aba2f1a44437113b69bb8e87669af0eb8311b41e82510a34e497500df2d139640f42ab060e6787cefc84595563b8f59fd693021c907

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
Filesize
2.7MB

MD5
1fccddc7a87307bbe8b750eefec52be7

SHA1
ef0e2342930ea0e15a0cc2f9afd1ec0a3b1e5b81

SHA256
e14e491f282e3e71ec0fbf2a41a305ec0997135e6992132ec3101a02fe09ee7f

SHA512
ba50e65f133f6716d0786a76b427483a0ab8b97f6bd32390c8ffb5a613fffbd2440ddae51c9e588d568815e6bb421fb5608153ea210356c20405c8d195b3d493

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.3MB

MD5
3209e66257889956860049c47dfb2309

SHA1
4e445d0e93ec5becad558ba54c8a9b25d1f953f3

SHA256
fb6bfe103e3343b5fbdead7b7e206bfa978912904fc8834153a6eeea78282b03

SHA512
28c699fddc345e6cee11137755a8b3d61880b56ba2f1dde368b7d78aecea8353b7d926576b280034e830648efeba764d646c98b00947ff3e63bcb079d903c04f

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
965KB

MD5
9c0d4e04006d7523021cc36633792314

SHA1
9685ac642500523ce270a7c3b30edb4034c5922f

SHA256
ce0e3509597179e012bb09bcead37a8e82672babea7c180ac0a4636808366eea

SHA512
0ed54924a1475a54a245f6eb4b7f507057a90e9e582fc470106ba8ff510f3d4e7c2430874da3ed3c68b135e190d168ccc850d85c309946401417c9e67fbb79cd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.8MB

MD5
bece035264eaf3c68a2d4996e86db8b7

SHA1
48442d78e425b7e6eda79ad9ad64941abb4c50f6

SHA256
ce9e96c889e85124d1ba94404d3f1e41332fb8307b17e603a3538a775689e651

SHA512
b533f68f2d6c5a12788dbed28d061f57ebc0746d7e1cc75675176710051042dff09634fc6ccef1abab6af84780b2a18665856d22e5505d2743e75e5240a5b150

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll
Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
5ac958babaf6d968ea55db6cc748eca5

SHA1
57511fe1538b9bcf225c236a64d20ad823dd5286

SHA256
fadaa73c180f1bdfb1784a9cd834a0a2f5c9d02dc26bc73790dc25c809aa313d

SHA512
1c6e0205b7b823d6c6b2865842af6ff113910a688be8bbf7edb3f5c58bfd84789c08b5f6d1c7a836083bd26a9e1f599b886255eaac761fe1e49cbbc564dc55a4

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/548-119-0x0000000000000000-mapping.dmp

Download
memory/768-125-0x0000000000000000-mapping.dmp

Download
memory/832-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/964-123-0x0000000000000000-mapping.dmp

Download
memory/964-124-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/988-59-0x0000000000000000-mapping.dmp

Download
memory/1020-130-0x0000000000000000-mapping.dmp

Download
memory/1096-126-0x0000000000000000-mapping.dmp

Download
memory/1420-135-0x0000000000000000-mapping.dmp

Download
memory/1620-136-0x0000000000000000-mapping.dmp

Download
memory/1992-133-0x0000000000000000-mapping.dmp

Download
memory/2256-139-0x0000000000000000-mapping.dmp

Download
memory/2396-143-0x00000000686C1000-0x00000000686C3000-memory.dmp

Filesize
8KB

Download
memory/2444-144-0x0000000000000000-mapping.dmp

Download
memory/2444-146-0x0000000068560000-0x0000000069987000-memory.dmp

Filesize
20.2MB

Download
memory/2444-149-0x0000000068560000-0x0000000069987000-memory.dmp

Filesize
20.2MB

Download
memory/2444-152-0x0000000068560000-0x0000000069987000-memory.dmp

Filesize
20.2MB

Download
memory/2444-155-0x0000000068560000-0x0000000069987000-memory.dmp

Filesize
20.2MB

Download
memory/2644-150-0x0000000000000000-mapping.dmp

Download
memory/2740-153-0x0000000000000000-mapping.dmp

Download
memory/2788-156-0x0000000000000000-mapping.dmp

Download