zloader | hxxps://www[.]terabox[.]com/sharing/link?surl=9n_AF67hAoysQy7FJJ1tCg

Analysis

max time kernel
142s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-12-2022 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.terabox.com/sharing/link?surl=9n_AF67hAoysQy7FJJ1tCg

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

TeraBox_sl_b_1.12.5.8.exeTeraBox.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exe

pid	process
2364	TeraBox_sl_b_1.12.5.8.exe
1036	TeraBox.exe
4948	YunUtilityService.exe
4464	TeraBoxWebService.exe
520	TeraBox.exe
4196	TeraBoxWebService.exe
4896	TeraBoxRender.exe
4716	TeraBoxRender.exe
928	TeraBoxRender.exe
4800	TeraBoxRender.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 44 IoCs

Processes:

TeraBox_sl_b_1.12.5.8.exeTeraBox.exeregsvr32.exeregsvr32.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exe

pid	process
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
1036	TeraBox.exe
1036	TeraBox.exe
1036	TeraBox.exe
1036	TeraBox.exe
1036	TeraBox.exe
1036	TeraBox.exe
1352	regsvr32.exe
524	regsvr32.exe
4948	YunUtilityService.exe
4948	YunUtilityService.exe
4464	TeraBoxWebService.exe
4464	TeraBoxWebService.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
4196	TeraBoxWebService.exe
520	TeraBox.exe
4196	TeraBoxWebService.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
4896	TeraBoxRender.exe
4896	TeraBoxRender.exe
4896	TeraBoxRender.exe
4716	TeraBoxRender.exe
4716	TeraBoxRender.exe
4716	TeraBoxRender.exe
4800	TeraBoxRender.exe
4800	TeraBoxRender.exe
4800	TeraBoxRender.exe
4896	TeraBoxRender.exe
4716	TeraBoxRender.exe
4896	TeraBoxRender.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 64 IoCs

Processes:

TeraBox_sl_b_1.12.5.8.exeregsvr32.exeTeraBox.exeTeraBoxWebService.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	TeraBox_sl_b_1.12.5.8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\",1"	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\DefaultIcon	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\ = "TeraBox Torrent File"	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\DefaultIcon	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell\Open	TeraBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\ = "TeraBoxProtocol"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\" \"%1\""	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command	TeraBoxWebService.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	TeraBox_sl_b_1.12.5.8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox.torrent\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" \"%1\""	TeraBox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeTeraBox_sl_b_1.12.5.8.exechrome.exeTeraBox.exe

pid	process
3768	chrome.exe
3768	chrome.exe
2204	chrome.exe
2204	chrome.exe
3740	chrome.exe
3740	chrome.exe
4424	chrome.exe
4424	chrome.exe
536	chrome.exe
452	chrome.exe
536	chrome.exe
452	chrome.exe
4884	chrome.exe
4884	chrome.exe
200	chrome.exe
200	chrome.exe
2336	chrome.exe
2336	chrome.exe
2204	chrome.exe
2204	chrome.exe
1540	chrome.exe
1540	chrome.exe
2096	chrome.exe
2096	chrome.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
5052	chrome.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
2364	TeraBox_sl_b_1.12.5.8.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe
520	TeraBox.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe
2204 chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exeTeraBox.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
520	TeraBox.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

chrome.exeTeraBox.exe

pid	process
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
2204	chrome.exe
520	TeraBox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

TeraBox_sl_b_1.12.5.8.exeTeraBox.exeYunUtilityService.exeTeraBoxWebService.exe

pid process

2364 TeraBox_sl_b_1.12.5.8.exe
1036 TeraBox.exe
4948 YunUtilityService.exe
4464 TeraBoxWebService.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2204 wrote to memory of 2220	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2220	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3536	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3768	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 3768	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe
PID 2204 wrote to memory of 2888	2204	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.terabox.com/sharing/link?surl=9n_AF67hAoysQy7FJJ1tCg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc0a104f50,0x7ffc0a104f60,0x7ffc0a104f70
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5664 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6132 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4272 /prefetch:8
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4444 /prefetch:8
2⤵
PID:1792

C:\Users\Admin\Downloads\TeraBox_sl_b_1.12.5.8.exe
"C:\Users\Admin\Downloads\TeraBox_sl_b_1.12.5.8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
3⤵
- Loads dropped DLL
PID:1352

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
4⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:524

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:520

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2000,12330234499005556879,11200517352815793675,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.12.5.8;PC;PC-Windows;10.0.15063;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2008 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4896

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,12330234499005556879,11200517352815793675,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.12.5.8;PC;PC-Windows;10.0.15063;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1164 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4716

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2000,12330234499005556879,11200517352815793675,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.12.5.8;PC;PC-Windows;10.0.15063;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
4⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2000,12330234499005556879,11200517352815793675,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.12.5.8;PC;PC-Windows;10.0.15063;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4800

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.520.0.1216830671\1432430335 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.182" -PcGuid "TBIMXV2-O_978E71AA3A404104810BB128F4294C3D-C_0-D_QM00013-M_EEC4A3384871-V_B1B10144" -Version "1.12.5.8" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
4⤵
PID:4260

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2000,12330234499005556879,11200517352815793675,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.12.5.8;PC;PC-Windows;10.0.15063;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2008 /prefetch:2
4⤵
PID:3972

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.520.0.1216830671\1432430335 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.182" -PcGuid "TBIMXV2-O_978E71AA3A404104810BB128F4294C3D-C_0-D_QM00013-M_EEC4A3384871-V_B1B10144" -Version "1.12.5.8" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
4⤵
PID:1612

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4028 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4200 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,3947650290071726688,2245213080680273710,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
2⤵
PID:4472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x358
1⤵
PID:4272

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL
Filesize
2.8MB

MD5
4a94aeaae0c93775e316811eebbdda59

SHA1
3e0bbdf75a7a6e7c7265d9be620692c861fca005

SHA256
b00a620bf804fb0a473153c2497e7f07a38eba0dc82ebf32c3673f055924cc01

SHA512
810b0f216e500c04b501055f2f46d7c01f1447c0ddc06c405757b566193ecea8c6ff52c9a92344d701bbbc2eb65bbe8f6e26b2e073944873ccbe7296d0d012d2

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.6MB

MD5
e8fafcb661bb6e6d37864f70a950a601

SHA1
2a8123dcafddd70140922730f75df3ffe5752ad9

SHA256
d968f376f45f2d0b4b5ce6bf018ab36b8fa8eff18c694e4ebfb0f6ed18c3eaec

SHA512
0702073727844532efac1c405ea509adc58d8a5115a6f12333f3b8d696d5802c2cb875316abf1ec760449e96a5152ea154283828ee2e0d000fc017c221a364af

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
5.6MB

MD5
e8fafcb661bb6e6d37864f70a950a601

SHA1
2a8123dcafddd70140922730f75df3ffe5752ad9

SHA256
d968f376f45f2d0b4b5ce6bf018ab36b8fa8eff18c694e4ebfb0f6ed18c3eaec

SHA512
0702073727844532efac1c405ea509adc58d8a5115a6f12333f3b8d696d5802c2cb875316abf1ec760449e96a5152ea154283828ee2e0d000fc017c221a364af

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
966KB

MD5
df12f5b83c1d536d90cd823f83abea7b

SHA1
e74357326e43891d3361f2dbdd6df1d019011ca5

SHA256
3d255b300c164c4440ba16933a784080836b431bd723a5e1f0794bab515a0b23

SHA512
d6beaf89e3d78a5a9dc0a1ddb9a9b9f829f72917e5d5a836c0b4b66be515c9d228ecb884cb948a1fc54d99fe6acf81034b3c07149bca7029b31a9b9f170eea91

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
Filesize
110KB

MD5
2d189a79c8ddb6034eb84e2887f495e8

SHA1
5d38c654b5f3836c61946c20af3360c86e8d266b

SHA256
e60bec7deb79be14b832ed820c8f8b3e0593bb8885ee1ccdade3fdcc07a03fcb

SHA512
be801326b2d857899b52f32dbd09d6d798eb8a6dd703f3e0ce5b68321863c0533b8889c35e532dc1563b0e9d7d3fd7ae53b30756b109f3f8fdcd9dadcabeaef9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
Filesize
110KB

MD5
2d189a79c8ddb6034eb84e2887f495e8

SHA1
5d38c654b5f3836c61946c20af3360c86e8d266b

SHA256
e60bec7deb79be14b832ed820c8f8b3e0593bb8885ee1ccdade3fdcc07a03fcb

SHA512
be801326b2d857899b52f32dbd09d6d798eb8a6dd703f3e0ce5b68321863c0533b8889c35e532dc1563b0e9d7d3fd7ae53b30756b109f3f8fdcd9dadcabeaef9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL
Filesize
978KB

MD5
3666544b0402606e70abe7fd71615c79

SHA1
4033da55136fe5558e63ad3e056a7e8ca3c7e209

SHA256
e98f4488686d0e2513d8f386f00edbbc732cd4e996e34514373907010b673756

SHA512
952ab35d9bde41cef7bc0b54950189c3213997d8cdd7e7675274f13e71883bc5682e88b67032dc92693eb16d57af4d81408dbd3054d77fda556b7090f06860ef

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\terabox_ext_chrome.crx
Filesize
169KB

MD5
8b62fae8abb6a0ad718f2159032d96ec

SHA1
24b7c81b4562b9c104b281fbdecd1772b8aafdda

SHA256
838bf0a9e53138a59fc4c5d4712eea6605b1d60867c6549d97bd6411e6bd5585

SHA512
ef8ea529f1e1de211f69c6f58661ea6c55954e7d6b3fe0586978103d1b257581f0d007c77b03622ee122265abec259f85362d93803d74137fddba11da499e8ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
Filesize
675KB

MD5
37de15e71ab3d4badf49dbb3f1c86d96

SHA1
0cb47de2288b468c8068993cc6359a29b44ea778

SHA256
69248af2b4081d590a6cbd1d8f4673b19c3c64a46944f26d1ab8181c94767ff2

SHA512
00add89ef350b24ce209d4f29bef28d87f6713b56d10b733cfb47706342b11ef0bf9e9befdd01b1430740d46449d000a5b7c391754b09ed3e27bec4bbc2568df

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
d2e7c378748436cb40a679fac6a455ca

SHA1
e86149b5edd7654f974fee444652452216541a99

SHA256
dafa9b2f3c103c94951f41f9b20944ee0ef3936e6830f1d3330a374acbd8b454

SHA512
e4cb74adda38487f58e10f7934c99d87e7fac5dbaa3925455b6d576d25ad5dcf1218a13416235014abcb306d93356e8ca84459943d28c7400a77ceebd3d00566

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.12.5.8.exe
Filesize
79.6MB

MD5
abb9d5c04ddca3f017c5c6a06f2b2638

SHA1
c2e777f8fecb6a3eb20858106e859b4887393816

SHA256
40eac089c6218e0825d02999a9f7e6957a086e84c69c3ae730040f64530da7b9

SHA512
910052f17354383618e4a6bb9c0eaeb9e380f86885a33c8aa5bd628b46cb8e25b7ada9a8007520d639b66d9e059a391c31ab6aa0751af4cb83874dfdae70117d

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.12.5.8.exe
Filesize
79.6MB

MD5
abb9d5c04ddca3f017c5c6a06f2b2638

SHA1
c2e777f8fecb6a3eb20858106e859b4887393816

SHA256
40eac089c6218e0825d02999a9f7e6957a086e84c69c3ae730040f64530da7b9

SHA512
910052f17354383618e4a6bb9c0eaeb9e380f86885a33c8aa5bd628b46cb8e25b7ada9a8007520d639b66d9e059a391c31ab6aa0751af4cb83874dfdae70117d

Download Submit
\??\pipe\crashpad_2204_TZWDWIOBRHMYYXRZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsgE1A7.tmp\NsisInstallUI.dll
Filesize
2.0MB

MD5
8e0dbee28c2982770d3070d1c5af0a8e

SHA1
66a419649dc0c4a1402a6b4994555f3008e0d0c5

SHA256
3832b553afb67bf638235229b67bf0f356d2ef30cf27aeb860b4235b96b35d65

SHA512
7c6c67363a54799641b83c22bf68ad155379434762e5ee376dfdfede244e1fa9b2f635d0675b0ff6c39ba34c9fc125b358f0e334c505f57af5c375b1dbb30a7c

Download Submit
\Users\Admin\AppData\Local\Temp\nsgE1A7.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsgE1A7.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
Filesize
978KB

MD5
3666544b0402606e70abe7fd71615c79

SHA1
4033da55136fe5558e63ad3e056a7e8ca3c7e209

SHA256
e98f4488686d0e2513d8f386f00edbbc732cd4e996e34514373907010b673756

SHA512
952ab35d9bde41cef7bc0b54950189c3213997d8cdd7e7675274f13e71883bc5682e88b67032dc92693eb16d57af4d81408dbd3054d77fda556b7090f06860ef

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
Filesize
2.8MB

MD5
4a94aeaae0c93775e316811eebbdda59

SHA1
3e0bbdf75a7a6e7c7265d9be620692c861fca005

SHA256
b00a620bf804fb0a473153c2497e7f07a38eba0dc82ebf32c3673f055924cc01

SHA512
810b0f216e500c04b501055f2f46d7c01f1447c0ddc06c405757b566193ecea8c6ff52c9a92344d701bbbc2eb65bbe8f6e26b2e073944873ccbe7296d0d012d2

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
966KB

MD5
df12f5b83c1d536d90cd823f83abea7b

SHA1
e74357326e43891d3361f2dbdd6df1d019011ca5

SHA256
3d255b300c164c4440ba16933a784080836b431bd723a5e1f0794bab515a0b23

SHA512
d6beaf89e3d78a5a9dc0a1ddb9a9b9f829f72917e5d5a836c0b4b66be515c9d228ecb884cb948a1fc54d99fe6acf81034b3c07149bca7029b31a9b9f170eea91

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
966KB

MD5
df12f5b83c1d536d90cd823f83abea7b

SHA1
e74357326e43891d3361f2dbdd6df1d019011ca5

SHA256
3d255b300c164c4440ba16933a784080836b431bd723a5e1f0794bab515a0b23

SHA512
d6beaf89e3d78a5a9dc0a1ddb9a9b9f829f72917e5d5a836c0b4b66be515c9d228ecb884cb948a1fc54d99fe6acf81034b3c07149bca7029b31a9b9f170eea91

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
d2e7c378748436cb40a679fac6a455ca

SHA1
e86149b5edd7654f974fee444652452216541a99

SHA256
dafa9b2f3c103c94951f41f9b20944ee0ef3936e6830f1d3330a374acbd8b454

SHA512
e4cb74adda38487f58e10f7934c99d87e7fac5dbaa3925455b6d576d25ad5dcf1218a13416235014abcb306d93356e8ca84459943d28c7400a77ceebd3d00566

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/524-329-0x0000000000000000-mapping.dmp

Download
memory/928-673-0x0000000000000000-mapping.dmp

Download
memory/1036-201-0x0000000000000000-mapping.dmp

Download
memory/1352-286-0x0000000000000000-mapping.dmp

Download
memory/1612-1039-0x0000000000000000-mapping.dmp

Download
memory/2364-148-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-189-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-142-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-158-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-159-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-160-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-161-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-162-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-164-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-163-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-165-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-166-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-167-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-157-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-168-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-169-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-171-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-172-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-173-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-170-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-175-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-178-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-176-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-177-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-149-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-179-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-181-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-180-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-182-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-184-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-156-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-186-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-155-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-187-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-188-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-146-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-190-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-150-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-154-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-153-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-152-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-151-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-147-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-145-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-144-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-143-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-141-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-139-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-138-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-140-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-137-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-136-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-135-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-134-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-132-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-133-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-131-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-129-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-128-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-121-0x0000000000000000-mapping.dmp

Download
memory/2364-123-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-127-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-126-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-124-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-125-0x00000000771D0000-0x000000007735E000-memory.dmp

Filesize
1.6MB

Download
memory/3972-995-0x0000000000000000-mapping.dmp

Download
memory/4260-920-0x0000000000000000-mapping.dmp

Download
memory/4464-372-0x0000000000000000-mapping.dmp

Download
memory/4716-648-0x0000000000000000-mapping.dmp

Download
memory/4800-676-0x0000000000000000-mapping.dmp

Download
memory/4896-619-0x0000000000000000-mapping.dmp

Download
memory/4948-332-0x0000000000000000-mapping.dmp

Download