zloader | a3ae0e066665b3209e6f5d4195201c839c5b58a698cb53e31d5dd1efbb467e03

Analysis

max time kernel
114s
max time network
115s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-04-2023 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_c_1.17.0.15.exe
Size

84.3MB
MD5

51a20b31858d5db4642014b2e7d36d13
SHA1

b967116a1005898007be9b0fbb996013da63e595
SHA256

a3ae0e066665b3209e6f5d4195201c839c5b58a698cb53e31d5dd1efbb467e03
SHA512

ca7755ff18e031234e6c9b4980a16212435ddd21e850136fdb001b8cfd7679474a1e2555ac173dd5957cdde71923cfd9aed87cefded452f9ec819540f6b1fa79
SSDEEP

1572864:MbaKmbV87UwAuiIHCWJKQ9bYVH5VNG/e7Q14/AA7mW58heb/141vJ:MO84cJz945VNHQ7Yr1Ih

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Executes dropped EXE 14 IoCs

Processes:

TeraBox.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exeTeraBoxHost.exeTeraBoxRender.exeTeraBoxHost.exe

pid	process
1396	TeraBox.exe
1644	YunUtilityService.exe
1796	TeraBoxWebService.exe
1580	TeraBox.exe
2004	TeraBoxWebService.exe
1924	TeraBoxRender.exe
892	TeraBoxRender.exe
928	TeraBoxRender.exe
564	TeraBoxRender.exe
2000	TeraBoxRender.exe
2480	TeraBoxHost.exe
2904	TeraBoxHost.exe
2768	TeraBoxRender.exe
2856	TeraBoxHost.exe

Loads dropped DLL 64 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeTeraBox.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeYunUtilityService.exeTeraBoxWebService.exe

pid	process
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
1396	TeraBox.exe
840	regsvr32.exe
1520	regsvr32.exe
1432	regsvr32.exe
1952	regsvr32.exe
436	regsvr32.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1644	YunUtilityService.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1796	TeraBoxWebService.exe
1796	TeraBoxWebService.exe
1796	TeraBoxWebService.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeTeraBoxWebService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\" \"%1\""	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe"	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR	regsvr32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TeraBox.exeTeraBoxRender.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeTeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exeTeraBoxRender.exe

pid	process
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1064	TeraBox_sl_c_1.17.0.15.exe
1580	TeraBox.exe
1580	TeraBox.exe
1580	TeraBox.exe
1924	TeraBoxRender.exe
928	TeraBoxRender.exe
892	TeraBoxRender.exe
2000	TeraBoxRender.exe
564	TeraBoxRender.exe
2904	TeraBoxHost.exe
2904	TeraBoxHost.exe
2904	TeraBoxHost.exe
2768	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TeraBoxHost.exe

description pid process

Token: SeManageVolumePrivilege 2904 TeraBoxHost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TeraBox.exe

pid process

1580 TeraBox.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TeraBox.exe

pid process

1580 TeraBox.exe

description	pid	process
Token: SeManageVolumePrivilege	2904	TeraBoxHost.exe

pid	process
1580	TeraBox.exe

pid	process
1580	TeraBox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeregsvr32.exeregsvr32.exeTeraBox.exe

description	pid	process	target process
PID 1064 wrote to memory of 1396	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 1064 wrote to memory of 1396	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 1064 wrote to memory of 1396	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 1064 wrote to memory of 1396	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 840	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 840 wrote to memory of 1520	840	regsvr32.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1432	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1064 wrote to memory of 1952	1064	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1952 wrote to memory of 436	1952	regsvr32.exe	regsvr32.exe
PID 1064 wrote to memory of 1644	1064	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 1064 wrote to memory of 1644	1064	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 1064 wrote to memory of 1644	1064	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 1064 wrote to memory of 1644	1064	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 1064 wrote to memory of 1796	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 1064 wrote to memory of 1796	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 1064 wrote to memory of 1796	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 1064 wrote to memory of 1796	1064	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 1580 wrote to memory of 1924	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 1924	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 1924	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 1924	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 892	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 892	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 892	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 892	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 928	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 928	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 928	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 928	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 564	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 564	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 564	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 564	1580	TeraBox.exe	TeraBoxRender.exe
PID 1580 wrote to memory of 2000	1580	TeraBox.exe	TeraBoxRender.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_c_1.17.0.15.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_c_1.17.0.15.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1396

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
3⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1432

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:436

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1592 /prefetch:2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1824 /prefetch:8
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1636 /prefetch:2
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:564

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1580.0.1188219780\1698705020 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.19" -PcGuid "TBIMXV2-O_8D995439490D4ECBAA974F96D84E8FAF-C_0-D_4d51303031302033202020202020202020202020-M_6AEE4B25B7A6-V_95DD9B5B" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1580.0.1188219780\1698705020 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.19" -PcGuid "TBIMXV2-O_8D995439490D4ECBAA974F96D84E8FAF-C_0-D_4d51303031302033202020202020202020202020-M_6AEE4B25B7A6-V_95DD9B5B" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1584,2289911666793659970,4569911515790827453,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1580.1.2004100716\812241879 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.19" -PcGuid "TBIMXV2-O_8D995439490D4ECBAA974F96D84E8FAF-C_0-D_4d51303031302033202020202020202020202020-M_6AEE4B25B7A6-V_95DD9B5B" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
PID:2856

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
2⤵
- Executes dropped EXE
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9423a1302194d6cb81a78319eb4dcf89

SHA1
a8b5b56391f7665563a53de09c527f91fa80f54e

SHA256
8ae07bed29a242f085ed9d0ca52678c35b32bfb7caab46058ef321662ee20d49

SHA512
257f73877fbb4e42c779b224d929452a45bf806a2d2110e014b362904450fe513be741d8189ea98a3680ac7100cac9f405970382127e945de2184c2951f6e60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7BD7.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D5F.tmp
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7E10.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1661.tmp\NsisInstallUI.dll
Filesize
2.1MB

MD5
6375561ac8241c21ea24c1c1cbf0e7e9

SHA1
4d3168cd6132293efd86922a84c53d27aa1b7e4d

SHA256
94f0dc2612c6fe7b3c390e464378e59697db569b79560e398bae614ed6d0513a

SHA512
be88164271f1eed8aaf5c15dab2f49e753f936d0c4c72c012095d05deb5d63ff08db37e993ed61f9881ff90b2176878265308c52ff3bbcca7f55c3342f8a8206

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1661.tmp\SetupCfg.ini
Filesize
80B

MD5
72ada9373debee03b74fc2f8fb594bcf

SHA1
132cbae647eda07f5fad991c06c2ee54c923db23

SHA256
54b5603f4a0f628e12c44358c54bcd83691b36f75add65672441ee6e159e86f8

SHA512
50ca0169a2d25a545f7b335037efd3e992d98157542765c98542dcb4a457ba8636162d13171f4f2d9415054eb5258e676bab214669973397a78263456de45b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1661.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1661.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL
Filesize
3.2MB

MD5
29cc01ba0943f0181fbe0e61f2580953

SHA1
caa86e0dd6db374b2063dd3095f81a73d3b55365

SHA256
58d86e599556534c544a5359c1a121c709aa9acbf2eda42bd41649511056c23f

SHA512
a0979fc8051e49848fe5c15bc843d5993045b338b80cc94607f0212401bb4a275a59baeba547f62678d5a7e55f64e420ba947f4e2d45ca082861fb8de51729bb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
996KB

MD5
ba6cf9e796f4bae8007bb6449ce60adb

SHA1
5d92616b407d64afdfde2bd05a40d6994abab0b4

SHA256
2c344dc980bbc7ee20228eebf4536eca238a483c419707f816f0a014f483d8c4

SHA512
56bee3d27d5a3ea35774e703c1c3a0b292802a44b0c844df8f2c129c73b06b023dc6ce845e3a1944b22ad4eeb845aa5cb2448cba6cba2537caf90e8112f88663

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL
Filesize
1.5MB

MD5
b50441bd5ad11bd24629102710a291cd

SHA1
3fbc985cf7c14ca9c543a435552d2157b3433e59

SHA256
ae7ef2513ef71dd232e0c2f02995f3cd50046a4fc945018efc17291bfc12450c

SHA512
1b23beb83d6b775b30c8cdac1ebfac94e4bd247f2832454f27c8258843b351fc30df9ee59094d896b5bd51694b5f2bf2aed9aec314d891210a81b952fb58be71

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.DLL
Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
Filesize
697KB

MD5
afcd02dfad59da94b3d01840c447211c

SHA1
a28b6f021a431677ee69566f3ff18fa90846bb7d

SHA256
120f201fda702abb1b11e98ccd6a2eff7860489931ab9af09e2a391bd33281a6

SHA512
aac514d82b7a68f027f26ed9b94520ae39ad8d3be1fbd881e769dac58af02f256383917f9dfb0454cecbe41304019b37054872176baa4fd047059177309f4bf4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
2b76151fcfd8e136b46c8cfed9d18806

SHA1
0c90be5c1d1a1b40786f685a59b8c1b253afd763

SHA256
23265ac70d135e945036c56850a0fc00d747ee381a963bc1d9490783677297d6

SHA512
898c861c162ae2e1ee72dd2242e10f4810f80e51555ada91f8560ad2143f03faf919c80b00772beb5b9d3d9f5df596fe42056a8a8e120507263f7ae89d86a678

Download Submit
C:\Users\Admin\Desktop\TeraBox.lnk
Filesize
840B

MD5
8dbd59835e6fe66b1a333fdcaf64dbf7

SHA1
89ac6759c39e22f00f66cfc8944cb5de2081eec7

SHA256
2ecc7d847fd266e5a64e68b94d91db7e141dcb18ddefd07137bb1db30b3fa64a

SHA512
096eba845dbd60b18bf7ce62e2353a99e7eab55ad12f4b3830b6cbaab41cd5310b95f8cec46c226b94c11fc9547de2ff797f3e21438c8f46cfcb21ca2e444094

Download Submit
\Users\Admin\AppData\Local\Temp\nst1661.tmp\NsisInstallUI.dll
Filesize
2.1MB

MD5
6375561ac8241c21ea24c1c1cbf0e7e9

SHA1
4d3168cd6132293efd86922a84c53d27aa1b7e4d

SHA256
94f0dc2612c6fe7b3c390e464378e59697db569b79560e398bae614ed6d0513a

SHA512
be88164271f1eed8aaf5c15dab2f49e753f936d0c4c72c012095d05deb5d63ff08db37e993ed61f9881ff90b2176878265308c52ff3bbcca7f55c3342f8a8206

Download Submit
\Users\Admin\AppData\Local\Temp\nst1661.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nst1661.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
Filesize
1.5MB

MD5
b50441bd5ad11bd24629102710a291cd

SHA1
3fbc985cf7c14ca9c543a435552d2157b3433e59

SHA256
ae7ef2513ef71dd232e0c2f02995f3cd50046a4fc945018efc17291bfc12450c

SHA512
1b23beb83d6b775b30c8cdac1ebfac94e4bd247f2832454f27c8258843b351fc30df9ee59094d896b5bd51694b5f2bf2aed9aec314d891210a81b952fb58be71

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
Filesize
3.2MB

MD5
29cc01ba0943f0181fbe0e61f2580953

SHA1
caa86e0dd6db374b2063dd3095f81a73d3b55365

SHA256
58d86e599556534c544a5359c1a121c709aa9acbf2eda42bd41649511056c23f

SHA512
a0979fc8051e49848fe5c15bc843d5993045b338b80cc94607f0212401bb4a275a59baeba547f62678d5a7e55f64e420ba947f4e2d45ca082861fb8de51729bb

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
996KB

MD5
ba6cf9e796f4bae8007bb6449ce60adb

SHA1
5d92616b407d64afdfde2bd05a40d6994abab0b4

SHA256
2c344dc980bbc7ee20228eebf4536eca238a483c419707f816f0a014f483d8c4

SHA512
56bee3d27d5a3ea35774e703c1c3a0b292802a44b0c844df8f2c129c73b06b023dc6ce845e3a1944b22ad4eeb845aa5cb2448cba6cba2537caf90e8112f88663

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll
Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
2b76151fcfd8e136b46c8cfed9d18806

SHA1
0c90be5c1d1a1b40786f685a59b8c1b253afd763

SHA256
23265ac70d135e945036c56850a0fc00d747ee381a963bc1d9490783677297d6

SHA512
898c861c162ae2e1ee72dd2242e10f4810f80e51555ada91f8560ad2143f03faf919c80b00772beb5b9d3d9f5df596fe42056a8a8e120507263f7ae89d86a678

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/1064-273-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/1064-182-0x0000000003890000-0x00000000038D0000-memory.dmp

Filesize
256KB

Download
memory/1064-90-0x0000000003890000-0x00000000038D0000-memory.dmp

Filesize
256KB

Download
memory/1580-335-0x0000000003AD0000-0x0000000003B10000-memory.dmp

Filesize
256KB

Download
memory/1580-333-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1580-299-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1580-424-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1580-688-0x0000000003AD0000-0x0000000003B10000-memory.dmp

Filesize
256KB

Download
memory/2004-276-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2856-680-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2904-579-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2904-581-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2904-582-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2904-583-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2904-584-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2904-587-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2904-586-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2904-589-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2904-590-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2904-592-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2904-593-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2904-595-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2904-596-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2904-597-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2904-598-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2904-599-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2904-600-0x0000000069500000-0x000000006A932000-memory.dmp

Filesize
20.2MB

Download
memory/2904-580-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2904-526-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download