lumma | a3ae0e066665b3209e6f5d4195201c839c5b58a698cb53e31d5dd1efbb467e03

Analysis

max time kernel
113s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_c_1.17.0.15.exe
Size

84.3MB
MD5

51a20b31858d5db4642014b2e7d36d13
SHA1

b967116a1005898007be9b0fbb996013da63e595
SHA256

a3ae0e066665b3209e6f5d4195201c839c5b58a698cb53e31d5dd1efbb467e03
SHA512

ca7755ff18e031234e6c9b4980a16212435ddd21e850136fdb001b8cfd7679474a1e2555ac173dd5957cdde71923cfd9aed87cefded452f9ec819540f6b1fa79
SSDEEP

1572864:MbaKmbV87UwAuiIHCWJKQ9bYVH5VNG/e7Q14/AA7mW58heb/141vJ:MO84cJz945VNHQ7Yr1Ih

Score

10^/10

lumma discovery persistence stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Executes dropped EXE 15 IoCs

Processes:

TeraBox.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exeTeraBoxHost.exeAutoUpdate.exe

pid	process
4060	TeraBox.exe
1568	YunUtilityService.exe
3984	TeraBoxWebService.exe
1428	TeraBox.exe
4148	TeraBoxWebService.exe
1284	TeraBoxRender.exe
1080	TeraBoxRender.exe
4300	TeraBoxRender.exe
3980	TeraBoxRender.exe
3272	TeraBoxRender.exe
1016	TeraBoxRender.exe
1516	TeraBoxHost.exe
1968	TeraBoxHost.exe
1016	TeraBoxRender.exe
2924	AutoUpdate.exe

Loads dropped DLL 64 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeTeraBox.exeregsvr32.exeregsvr32.exeTeraBoxRender.exeregsvr32.exeregsvr32.exeYunUtilityService.exeTeraBoxWebService.exeTeraBox.exeTeraBoxWebService.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exe

pid	process
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
4060	TeraBox.exe
4060	TeraBox.exe
4060	TeraBox.exe
4060	TeraBox.exe
4060	TeraBox.exe
4060	TeraBox.exe
1092	regsvr32.exe
3428	regsvr32.exe
3980	TeraBoxRender.exe
4392	regsvr32.exe
3352	regsvr32.exe
1568	YunUtilityService.exe
1568	YunUtilityService.exe
3984	TeraBoxWebService.exe
3984	TeraBoxWebService.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
4148	TeraBoxWebService.exe
4148	TeraBoxWebService.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1080	TeraBoxRender.exe
1080	TeraBoxRender.exe
1080	TeraBoxRender.exe
1080	TeraBoxRender.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
3980	TeraBoxRender.exe
3980	TeraBoxRender.exe
3980	TeraBoxRender.exe
3980	TeraBoxRender.exe
3272	TeraBoxRender.exe
3272	TeraBoxRender.exe
3272	TeraBoxRender.exe
3272	TeraBoxRender.exe
1016	TeraBoxRender.exe
1016	TeraBoxRender.exe
1016	TeraBoxRender.exe
1016	TeraBoxRender.exe
1016	TeraBoxRender.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TeraBox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exeTeraBoxRender.exeTeraBoxWebService.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\ = "YunPPTConnect Class"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\" \"%1\""	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect"	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\HELPDIR	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class"	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	TeraBoxRender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\ = "YunExcelConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	TeraBoxRender.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TeraBox.exeTeraBoxRender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeTeraBox.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxRender.exeTeraBoxHost.exe

pid	process
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
3756	TeraBox_sl_c_1.17.0.15.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1428	TeraBox.exe
1284	TeraBoxRender.exe
1284	TeraBoxRender.exe
1080	TeraBoxRender.exe
1080	TeraBoxRender.exe
4300	TeraBoxRender.exe
4300	TeraBoxRender.exe
3980	TeraBoxRender.exe
3980	TeraBoxRender.exe
3272	TeraBoxRender.exe
3272	TeraBoxRender.exe
1016	TeraBoxRender.exe
1016	TeraBoxRender.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe
1516	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TeraBoxHost.exe

description	pid	process
Token: SeManageVolumePrivilege	1516	TeraBoxHost.exe
Token: SeBackupPrivilege	1516	TeraBoxHost.exe
Token: SeSecurityPrivilege	1516	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TeraBox.exe

pid process

1428 TeraBox.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

TeraBox.exe

pid process

1428 TeraBox.exe

pid	process
1428	TeraBox.exe

pid	process
1428	TeraBox.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

TeraBox_sl_c_1.17.0.15.exeregsvr32.exeregsvr32.exeTeraBox.exe

description	pid	process	target process
PID 3756 wrote to memory of 4060	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 3756 wrote to memory of 4060	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 3756 wrote to memory of 4060	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBox.exe
PID 3756 wrote to memory of 1092	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 3756 wrote to memory of 1092	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 3756 wrote to memory of 1092	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 1092 wrote to memory of 3428	1092	regsvr32.exe	regsvr32.exe
PID 1092 wrote to memory of 3428	1092	regsvr32.exe	regsvr32.exe
PID 3756 wrote to memory of 3980	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxRender.exe
PID 3756 wrote to memory of 3980	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxRender.exe
PID 3756 wrote to memory of 3980	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxRender.exe
PID 3756 wrote to memory of 4392	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 3756 wrote to memory of 4392	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 3756 wrote to memory of 4392	3756	TeraBox_sl_c_1.17.0.15.exe	regsvr32.exe
PID 4392 wrote to memory of 3352	4392	regsvr32.exe	regsvr32.exe
PID 4392 wrote to memory of 3352	4392	regsvr32.exe	regsvr32.exe
PID 3756 wrote to memory of 1568	3756	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 3756 wrote to memory of 1568	3756	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 3756 wrote to memory of 1568	3756	TeraBox_sl_c_1.17.0.15.exe	YunUtilityService.exe
PID 3756 wrote to memory of 3984	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 3756 wrote to memory of 3984	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 3756 wrote to memory of 3984	3756	TeraBox_sl_c_1.17.0.15.exe	TeraBoxWebService.exe
PID 1428 wrote to memory of 1284	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1284	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1284	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1080	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1080	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1080	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 4300	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 4300	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 4300	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3272	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3272	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3272	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3980	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3980	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 3980	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1516	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1516	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1516	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1968	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1968	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1968	1428	TeraBox.exe	TeraBoxHost.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 1016	1428	TeraBox.exe	TeraBoxRender.exe
PID 1428 wrote to memory of 2924	1428	TeraBox.exe	AutoUpdate.exe
PID 1428 wrote to memory of 2924	1428	TeraBox.exe	AutoUpdate.exe
PID 1428 wrote to memory of 2924	1428	TeraBox.exe	AutoUpdate.exe

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_c_1.17.0.15.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_c_1.17.0.15.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:4060

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
3⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:3428

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
2⤵
PID:3980

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3352

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3984

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2216 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1284

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2400 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2388 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1428.0.724934716\939623164 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_CDEB2ECBCC6A4076B80AF182030849FE-C_0-D_QM00013-M_6201C35E5273-V_569A9181" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
PID:1016

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1428.0.724934716\939623164 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_CDEB2ECBCC6A4076B80AF182030849FE-C_0-D_QM00013-M_6201C35E5273-V_569A9181" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1428.1.249332744\1436815851 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_CDEB2ECBCC6A4076B80AF182030849FE-C_0-D_QM00013-M_6201C35E5273-V_569A9181" -Version "1.17.0.15" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
3⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2212,5425758362584323013,2235626698261972494,131072 --enable-features=CastMediaRouteProvider --disable-gpu-compositing --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.17.0.15;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -srvwnd 501d8 -unlogin
3⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000033
Filesize
163KB

MD5
109e1354dcad59ff8d3e589dcc09299a

SHA1
bc2cf564c7967a59936c2074b78e124e17439c3a

SHA256
a9f34a49984f7a94c7a522a6d171e470701d34a4b630dcb7ae673e6cfaf2e5ae

SHA512
4a85f37ac35db60a44e729a0ee842e45172657c17c71022dfa73aed445106b833cdceccf94b1735737d5b9c06da8db19a6799186bbf742544c943a4b8de737ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index
Filesize
576B

MD5
84090d0855b172caac485c3a8187b8b4

SHA1
3a6aff3c30926cdecb12a4f8623e23f4d21538b7

SHA256
df158c5f4c95ddcc047ac2c0f41f6018616456fd77d08567333b377955823685

SHA512
32ea6795a3bffcba58b5e242a7ade0ad84aa29ed48d418add0516e4bd8aac4d8d3e4ff0969b13d74f8883b4445c542f046a0625f417b3e6cc73367eba0ccb904

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe58122b.TMP
Filesize
48B

MD5
2bfbde93f01d9373ba7187df55726027

SHA1
9474e3bd5f0bae9eb02bad26ac45e379a8504958

SHA256
eab6278a197d40a466cfb03c244ad92636670ad3b845a19a35814a90728755a1

SHA512
a1c575206288d4553a0abd6ad965a9dec3f2de8e7d4188d29abe8264c3fc3ee2bbc71915a4341ead8366497df0e8da7fba9ac87877e0a94743e268141290dd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\TransportSecurity
Filesize
706B

MD5
65ba3f6d4d1cce6a5339d78fb3744084

SHA1
a4b3c22f8d19c1592ba36a3cfdfe7e250cd28777

SHA256
b9299d1f908a37950cdefd83f04577c52b6c6171e34ffd0293eb2358b98509d1

SHA512
48b4213aa9d3967cc8cb93f42057b550ded61d42e4ab991763d525915920c5275746949d0e6a1a0421bc941334e80ea2450ff07d94db9e320f9fd2e9c2ee3ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\TransportSecurity~RFe57e4d2.TMP
Filesize
539B

MD5
05a1e04afcda940b37fd9e69ea3bdae5

SHA1
28dad6710868b843174fef7c03fcab61d0d1be5c

SHA256
9615f87386b10d3a7fb2c29bb482aff79cd7a55c729fa42e6d14d587c6b2fb60

SHA512
4916550bbfdeba2b7f35e2f3c86d85281321dba03f3b548b627cdab0218af79a97ba566fef776af2e33c8b129a841fe4bec20a00b24c079531691bb2a06eb153

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\NsisInstallUI.dll
Filesize
2.1MB

MD5
6375561ac8241c21ea24c1c1cbf0e7e9

SHA1
4d3168cd6132293efd86922a84c53d27aa1b7e4d

SHA256
94f0dc2612c6fe7b3c390e464378e59697db569b79560e398bae614ed6d0513a

SHA512
be88164271f1eed8aaf5c15dab2f49e753f936d0c4c72c012095d05deb5d63ff08db37e993ed61f9881ff90b2176878265308c52ff3bbcca7f55c3342f8a8206

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\NsisInstallUI.dll
Filesize
2.1MB

MD5
6375561ac8241c21ea24c1c1cbf0e7e9

SHA1
4d3168cd6132293efd86922a84c53d27aa1b7e4d

SHA256
94f0dc2612c6fe7b3c390e464378e59697db569b79560e398bae614ed6d0513a

SHA512
be88164271f1eed8aaf5c15dab2f49e753f936d0c4c72c012095d05deb5d63ff08db37e993ed61f9881ff90b2176878265308c52ff3bbcca7f55c3342f8a8206

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\SetupCfg.ini
Filesize
80B

MD5
72ada9373debee03b74fc2f8fb594bcf

SHA1
132cbae647eda07f5fad991c06c2ee54c923db23

SHA256
54b5603f4a0f628e12c44358c54bcd83691b36f75add65672441ee6e159e86f8

SHA512
50ca0169a2d25a545f7b335037efd3e992d98157542765c98542dcb4a457ba8636162d13171f4f2d9415054eb5258e676bab214669973397a78263456de45b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\System.dll
Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC451.tmp\nsProcessW.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
Filesize
1.5MB

MD5
b50441bd5ad11bd24629102710a291cd

SHA1
3fbc985cf7c14ca9c543a435552d2157b3433e59

SHA256
ae7ef2513ef71dd232e0c2f02995f3cd50046a4fc945018efc17291bfc12450c

SHA512
1b23beb83d6b775b30c8cdac1ebfac94e4bd247f2832454f27c8258843b351fc30df9ee59094d896b5bd51694b5f2bf2aed9aec314d891210a81b952fb58be71

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
Filesize
1.5MB

MD5
b50441bd5ad11bd24629102710a291cd

SHA1
3fbc985cf7c14ca9c543a435552d2157b3433e59

SHA256
ae7ef2513ef71dd232e0c2f02995f3cd50046a4fc945018efc17291bfc12450c

SHA512
1b23beb83d6b775b30c8cdac1ebfac94e4bd247f2832454f27c8258843b351fc30df9ee59094d896b5bd51694b5f2bf2aed9aec314d891210a81b952fb58be71

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll
Filesize
197KB

MD5
b37424956156603f819bd221df5a75eb

SHA1
252211feaf2fcd6d3b2e81b2c46943b3cf8b91d7

SHA256
5ccffe9d6f7f59cb277b47915b97bbb9e24abd273944e6103d0973e0247c60d3

SHA512
f0cabd09ecaf496a6611c57b0c9fc58403d7f46ebbd18b295de07533b6207deb274db09f5e75ab7f9e565552be30af2d213a6a01b2acdc69b1442c6f22487ced

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll
Filesize
197KB

MD5
b37424956156603f819bd221df5a75eb

SHA1
252211feaf2fcd6d3b2e81b2c46943b3cf8b91d7

SHA256
5ccffe9d6f7f59cb277b47915b97bbb9e24abd273944e6103d0973e0247c60d3

SHA512
f0cabd09ecaf496a6611c57b0c9fc58403d7f46ebbd18b295de07533b6207deb274db09f5e75ab7f9e565552be30af2d213a6a01b2acdc69b1442c6f22487ced

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll
Filesize
197KB

MD5
b37424956156603f819bd221df5a75eb

SHA1
252211feaf2fcd6d3b2e81b2c46943b3cf8b91d7

SHA256
5ccffe9d6f7f59cb277b47915b97bbb9e24abd273944e6103d0973e0247c60d3

SHA512
f0cabd09ecaf496a6611c57b0c9fc58403d7f46ebbd18b295de07533b6207deb274db09f5e75ab7f9e565552be30af2d213a6a01b2acdc69b1442c6f22487ced

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\config.ini
Filesize
52B

MD5
5cc36a5a9945e4fbda1cc8b475f98ea9

SHA1
16ff4141e975705252b9c556c5da8c84e7dbc74e

SHA256
61d88eb427ba7668f56c7391410c4de3a8e17cde7baba80291f8a06efafbef7c

SHA512
8b451ca92dd61ace8fc6cc4bcfc09499aa3c006803a7bdca1bdac9ee40a7b8fc9311e28078f07fbe4fbf1d40d71ffcebcf49a440ca0c6c100391fea4ee888a9e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL
Filesize
3.2MB

MD5
29cc01ba0943f0181fbe0e61f2580953

SHA1
caa86e0dd6db374b2063dd3095f81a73d3b55365

SHA256
58d86e599556534c544a5359c1a121c709aa9acbf2eda42bd41649511056c23f

SHA512
a0979fc8051e49848fe5c15bc843d5993045b338b80cc94607f0212401bb4a275a59baeba547f62678d5a7e55f64e420ba947f4e2d45ca082861fb8de51729bb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
Filesize
3.2MB

MD5
29cc01ba0943f0181fbe0e61f2580953

SHA1
caa86e0dd6db374b2063dd3095f81a73d3b55365

SHA256
58d86e599556534c544a5359c1a121c709aa9acbf2eda42bd41649511056c23f

SHA512
a0979fc8051e49848fe5c15bc843d5993045b338b80cc94607f0212401bb4a275a59baeba547f62678d5a7e55f64e420ba947f4e2d45ca082861fb8de51729bb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
Filesize
3.2MB

MD5
29cc01ba0943f0181fbe0e61f2580953

SHA1
caa86e0dd6db374b2063dd3095f81a73d3b55365

SHA256
58d86e599556534c544a5359c1a121c709aa9acbf2eda42bd41649511056c23f

SHA512
a0979fc8051e49848fe5c15bc843d5993045b338b80cc94607f0212401bb4a275a59baeba547f62678d5a7e55f64e420ba947f4e2d45ca082861fb8de51729bb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
Filesize
6.6MB

MD5
776ba6fc4e86c540c3ea13372553b84e

SHA1
78adeaf383594202bb776579741c0ce7b150f145

SHA256
c75ce1d02c8c4a4188b4d1fc928157e88bae6a8a486a28ab532f570a16aae99d

SHA512
0884dbdd7266b1baa9ab7947350f8797c2e69d083ab23fe85fa2321951ed649d20ea7c2209b5678f52927b3b76430e00058fcb918c281c1952f78cdb44093512

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
Filesize
1.1MB

MD5
9711c17a4fbb95889a713dca33ff0437

SHA1
9b2e551317924874a983db751ea78855acce1196

SHA256
a9363d9d51b43b21908e7a858aab214b140d7947e531a437b6754296c35662c5

SHA512
bd54cfc2b0e351cccec4ef4524e63e0ab3a21d99651bcdb089734b249f8b22ed7221c00703db4c47364d14be63a63290038bc93b6fa27e2dc3728dd159603aeb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
Filesize
1.1MB

MD5
9711c17a4fbb95889a713dca33ff0437

SHA1
9b2e551317924874a983db751ea78855acce1196

SHA256
a9363d9d51b43b21908e7a858aab214b140d7947e531a437b6754296c35662c5

SHA512
bd54cfc2b0e351cccec4ef4524e63e0ab3a21d99651bcdb089734b249f8b22ed7221c00703db4c47364d14be63a63290038bc93b6fa27e2dc3728dd159603aeb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
Filesize
1.1MB

MD5
9711c17a4fbb95889a713dca33ff0437

SHA1
9b2e551317924874a983db751ea78855acce1196

SHA256
a9363d9d51b43b21908e7a858aab214b140d7947e531a437b6754296c35662c5

SHA512
bd54cfc2b0e351cccec4ef4524e63e0ab3a21d99651bcdb089734b249f8b22ed7221c00703db4c47364d14be63a63290038bc93b6fa27e2dc3728dd159603aeb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VersionInfo
Filesize
192B

MD5
d30687853fb5bc82331b1f396f779f90

SHA1
4e6b22c14245678870215edf3310399f0da5c4f9

SHA256
e357d948ff05c72e3557b558633bf9392d882c424be4fa3690718a708b7ffc89

SHA512
c8f09a969f989385f36dd6af41b71809043557fbe6d4f1dbd7d2ecb9c990905601c04086f685e7cd6d746fccb80fdbacfca53628c32830f936384307008a8964

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDb.dll
Filesize
777KB

MD5
30e81c3b38d30c76851f3de590cf96f6

SHA1
14e9079dc8b4d8911b4173f42a5ab6c2da5c1081

SHA256
40c3990c3210f15d8302839108363057b685db90fe3bcc1dc69c20231adcbcb3

SHA512
070bb84f57298b1670c947067007df5f941fe4aa04c23c5f8d50e6dd48564e27c04587c6a5e1a0160a6153bbaa0645c165bbd9c213dc0f5e51c7cf582e2400f3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDb.dll
Filesize
777KB

MD5
30e81c3b38d30c76851f3de590cf96f6

SHA1
14e9079dc8b4d8911b4173f42a5ab6c2da5c1081

SHA256
40c3990c3210f15d8302839108363057b685db90fe3bcc1dc69c20231adcbcb3

SHA512
070bb84f57298b1670c947067007df5f941fe4aa04c23c5f8d50e6dd48564e27c04587c6a5e1a0160a6153bbaa0645c165bbd9c213dc0f5e51c7cf582e2400f3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDls.dll
Filesize
2.1MB

MD5
69f31cde1bd40ed42e3f3c6afc987fdc

SHA1
eec862e9dbf6d2ac929046d6c7a7d1ce9dfd7678

SHA256
e0e6a556c40b25e2040647fc4d6e5af8ec152ef08cb19167ccca53d605275133

SHA512
0199e27c11cf1a41c7d965f04271dc5c823b52dbef99ec364995ad9eba5b84f82ca05d2f4c8d170c5fece91f5a25b3f35eefc652729ea081a274a92a12e124aa

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDls.dll
Filesize
2.1MB

MD5
69f31cde1bd40ed42e3f3c6afc987fdc

SHA1
eec862e9dbf6d2ac929046d6c7a7d1ce9dfd7678

SHA256
e0e6a556c40b25e2040647fc4d6e5af8ec152ef08cb19167ccca53d605275133

SHA512
0199e27c11cf1a41c7d965f04271dc5c823b52dbef99ec364995ad9eba5b84f82ca05d2f4c8d170c5fece91f5a25b3f35eefc652729ea081a274a92a12e124aa

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunLogic.dll
Filesize
6.3MB

MD5
b82611710e27421c12f9907911fd1249

SHA1
92bf3f4bc0af426339bc278018d72cbbb9decf62

SHA256
5d31c43305620c3f77c9e2d79beee7959a600da8da0bcc617d9ae3d614e01da5

SHA512
af5bd8764ac2de2d09915acc3912d093601f30dc954ab8bfb6b2a20c50c756ebda9f244cc9e67f0ebfc8929b92d2b52c13f5f5ae4a05d5416cbb849268162ec4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunLogic.dll
Filesize
6.3MB

MD5
b82611710e27421c12f9907911fd1249

SHA1
92bf3f4bc0af426339bc278018d72cbbb9decf62

SHA256
5d31c43305620c3f77c9e2d79beee7959a600da8da0bcc617d9ae3d614e01da5

SHA512
af5bd8764ac2de2d09915acc3912d093601f30dc954ab8bfb6b2a20c50c756ebda9f244cc9e67f0ebfc8929b92d2b52c13f5f5ae4a05d5416cbb849268162ec4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll
Filesize
373KB

MD5
e04e1b560a59131181b50ef77f508888

SHA1
d88942c50dd5c96263b782199b1f18ebd8cbc6d0

SHA256
9e1b8838bbf85209435839c467a773bc413eb1bf85eb515f29347dfa97cca137

SHA512
fa85baef98f85baf7f1d6177386a37ff99cb10b7cb711c422bd7fea0e10f858b3f9d24bc91bbe6e4e892c61f67947b722e10bb9f21173456c876cfcbbd86cc8e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll
Filesize
373KB

MD5
e04e1b560a59131181b50ef77f508888

SHA1
d88942c50dd5c96263b782199b1f18ebd8cbc6d0

SHA256
9e1b8838bbf85209435839c467a773bc413eb1bf85eb515f29347dfa97cca137

SHA512
fa85baef98f85baf7f1d6177386a37ff99cb10b7cb711c422bd7fea0e10f858b3f9d24bc91bbe6e4e892c61f67947b722e10bb9f21173456c876cfcbbd86cc8e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll
Filesize
482KB

MD5
3867609467318c6ee9e591f1cc647ce0

SHA1
3cb73a853439ad2872a0596d9b73360a0b979d61

SHA256
e76965376e839919e9e20e4ebed99bdb76b23c7d3593ecb53f24746a4c14290d

SHA512
88f01b4a79374a3466f661df0d4eaf4cacacf49f717a1e64b4b184dfc1879f9bf60d296820e6a6609fc7f407450f91e02f3224020d9768015b4d758141a4932c

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll
Filesize
482KB

MD5
3867609467318c6ee9e591f1cc647ce0

SHA1
3cb73a853439ad2872a0596d9b73360a0b979d61

SHA256
e76965376e839919e9e20e4ebed99bdb76b23c7d3593ecb53f24746a4c14290d

SHA512
88f01b4a79374a3466f661df0d4eaf4cacacf49f717a1e64b4b184dfc1879f9bf60d296820e6a6609fc7f407450f91e02f3224020d9768015b4d758141a4932c

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll
Filesize
482KB

MD5
3867609467318c6ee9e591f1cc647ce0

SHA1
3cb73a853439ad2872a0596d9b73360a0b979d61

SHA256
e76965376e839919e9e20e4ebed99bdb76b23c7d3593ecb53f24746a4c14290d

SHA512
88f01b4a79374a3466f661df0d4eaf4cacacf49f717a1e64b4b184dfc1879f9bf60d296820e6a6609fc7f407450f91e02f3224020d9768015b4d758141a4932c

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
996KB

MD5
ba6cf9e796f4bae8007bb6449ce60adb

SHA1
5d92616b407d64afdfde2bd05a40d6994abab0b4

SHA256
2c344dc980bbc7ee20228eebf4536eca238a483c419707f816f0a014f483d8c4

SHA512
56bee3d27d5a3ea35774e703c1c3a0b292802a44b0c844df8f2c129c73b06b023dc6ce845e3a1944b22ad4eeb845aa5cb2448cba6cba2537caf90e8112f88663

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
996KB

MD5
ba6cf9e796f4bae8007bb6449ce60adb

SHA1
5d92616b407d64afdfde2bd05a40d6994abab0b4

SHA256
2c344dc980bbc7ee20228eebf4536eca238a483c419707f816f0a014f483d8c4

SHA512
56bee3d27d5a3ea35774e703c1c3a0b292802a44b0c844df8f2c129c73b06b023dc6ce845e3a1944b22ad4eeb845aa5cb2448cba6cba2537caf90e8112f88663

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
Filesize
996KB

MD5
ba6cf9e796f4bae8007bb6449ce60adb

SHA1
5d92616b407d64afdfde2bd05a40d6994abab0b4

SHA256
2c344dc980bbc7ee20228eebf4536eca238a483c419707f816f0a014f483d8c4

SHA512
56bee3d27d5a3ea35774e703c1c3a0b292802a44b0c844df8f2c129c73b06b023dc6ce845e3a1944b22ad4eeb845aa5cb2448cba6cba2537caf90e8112f88663

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
Filesize
110KB

MD5
992e52343ee1b163556ac8a6c4cdf3ad

SHA1
92870fb5ca23277dfb9179fd2a697bec7312ec1d

SHA256
a91bbef30cab354f93592c0bcf33305f0fa00971ecbd1c2de95ad4544e0303a2

SHA512
4d2642f8c99812b3c9a67c57cdce2f0bb7c2f81eae0d42eeab2afe11c82d84111550992e085c795932ebb8f79c88431ec6784a94f50c47771a00548540cce8ef

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
Filesize
110KB

MD5
992e52343ee1b163556ac8a6c4cdf3ad

SHA1
92870fb5ca23277dfb9179fd2a697bec7312ec1d

SHA256
a91bbef30cab354f93592c0bcf33305f0fa00971ecbd1c2de95ad4544e0303a2

SHA512
4d2642f8c99812b3c9a67c57cdce2f0bb7c2f81eae0d42eeab2afe11c82d84111550992e085c795932ebb8f79c88431ec6784a94f50c47771a00548540cce8ef

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL
Filesize
1.5MB

MD5
b50441bd5ad11bd24629102710a291cd

SHA1
3fbc985cf7c14ca9c543a435552d2157b3433e59

SHA256
ae7ef2513ef71dd232e0c2f02995f3cd50046a4fc945018efc17291bfc12450c

SHA512
1b23beb83d6b775b30c8cdac1ebfac94e4bd247f2832454f27c8258843b351fc30df9ee59094d896b5bd51694b5f2bf2aed9aec314d891210a81b952fb58be71

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\chrome_elf.dll
Filesize
844KB

MD5
0fdaa27cf4287104f720ea3f0cae15f6

SHA1
76d354fe280127b0899bdad475d1ecc0b2a90ac8

SHA256
6d0e5cee92854bf21d44d3913d775f4a41746e2854ffe3d5e6ebadcb6ddb0003

SHA512
7354ed1eba5923587aee5a85f3c4793cd85b6c530c6f7a1f1551e37df7ff54b173bf8f117dd41c52a030a3d94bb93a4e6e14542b22f9c778bd8626ca435cab3a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\chrome_elf.dll
Filesize
844KB

MD5
0fdaa27cf4287104f720ea3f0cae15f6

SHA1
76d354fe280127b0899bdad475d1ecc0b2a90ac8

SHA256
6d0e5cee92854bf21d44d3913d775f4a41746e2854ffe3d5e6ebadcb6ddb0003

SHA512
7354ed1eba5923587aee5a85f3c4793cd85b6c530c6f7a1f1551e37df7ff54b173bf8f117dd41c52a030a3d94bb93a4e6e14542b22f9c778bd8626ca435cab3a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\libcef.dll
Filesize
113.1MB

MD5
105b050e516f29303f478831370e473c

SHA1
35232465eef9e6f5e63a906d940a546d363f71f7

SHA256
f37aa912666d495ec3b039e78efc133cc401ec29c85dd8b96d8a8e1999bc8d2b

SHA512
0fa7fc3e9309af9dd5bd361d41a184a4524fd2a73467485a31dfb7176293bdec68b857fb33d9841bfee92c1212d1d3bf43b0bc906545f1af19fb7fcfd77a26fc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\libcef.dll
Filesize
113.1MB

MD5
105b050e516f29303f478831370e473c

SHA1
35232465eef9e6f5e63a906d940a546d363f71f7

SHA256
f37aa912666d495ec3b039e78efc133cc401ec29c85dd8b96d8a8e1999bc8d2b

SHA512
0fa7fc3e9309af9dd5bd361d41a184a4524fd2a73467485a31dfb7176293bdec68b857fb33d9841bfee92c1212d1d3bf43b0bc906545f1af19fb7fcfd77a26fc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\module\TeraBoxModuleList.db
Filesize
16KB

MD5
8dfc682b42b2b7c0fddb2d9846c5275e

SHA1
8b5b83e9d3c56df95033cfaba65b9601cc18d27e

SHA256
0e6182f9c60af6061e736845750a20870952780bf5315d8fab64cef62ee6f7c5

SHA512
8fc2fa34e59c8c67c979f7c8174b66f1a4486a8d277286e3de5d56cbb651f493288af8353ae7a8e9852a6d75fc47dcfb84c6e384056282fb521cdee115ccd4dc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\resource.db
Filesize
51KB

MD5
8d1178159b7f72fb60d27abfc41e144a

SHA1
8dae29d27a9caba079656241a38b9bb0cd84a62f

SHA256
e7f70f87a86f0c66364f0f66a171c76dbf8c6c69bbf7601b6b8e78fe48cb36e1

SHA512
55c4d62e658c2c4d5dd335b53996ee502c3bc2b6cf016e215f4469e37025728471b67d7129c2e9718544010eb6f68606e6bfcf7a2d680385379bee8b6ba40a40

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
Filesize
697KB

MD5
afcd02dfad59da94b3d01840c447211c

SHA1
a28b6f021a431677ee69566f3ff18fa90846bb7d

SHA256
120f201fda702abb1b11e98ccd6a2eff7860489931ab9af09e2a391bd33281a6

SHA512
aac514d82b7a68f027f26ed9b94520ae39ad8d3be1fbd881e769dac58af02f256383917f9dfb0454cecbe41304019b37054872176baa4fd047059177309f4bf4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
2b76151fcfd8e136b46c8cfed9d18806

SHA1
0c90be5c1d1a1b40786f685a59b8c1b253afd763

SHA256
23265ac70d135e945036c56850a0fc00d747ee381a963bc1d9490783677297d6

SHA512
898c861c162ae2e1ee72dd2242e10f4810f80e51555ada91f8560ad2143f03faf919c80b00772beb5b9d3d9f5df596fe42056a8a8e120507263f7ae89d86a678

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
2b76151fcfd8e136b46c8cfed9d18806

SHA1
0c90be5c1d1a1b40786f685a59b8c1b253afd763

SHA256
23265ac70d135e945036c56850a0fc00d747ee381a963bc1d9490783677297d6

SHA512
898c861c162ae2e1ee72dd2242e10f4810f80e51555ada91f8560ad2143f03faf919c80b00772beb5b9d3d9f5df596fe42056a8a8e120507263f7ae89d86a678

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
Filesize
1.1MB

MD5
2b76151fcfd8e136b46c8cfed9d18806

SHA1
0c90be5c1d1a1b40786f685a59b8c1b253afd763

SHA256
23265ac70d135e945036c56850a0fc00d747ee381a963bc1d9490783677297d6

SHA512
898c861c162ae2e1ee72dd2242e10f4810f80e51555ada91f8560ad2143f03faf919c80b00772beb5b9d3d9f5df596fe42056a8a8e120507263f7ae89d86a678

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\users\localdata.dat
Filesize
135B

MD5
8b33ee873631b455610c30e89b783c93

SHA1
bb735c65e56e7345e9cc863756ec6269a4e02a42

SHA256
85479aace7f91dc6f7a84250c2e573ff4d32e7fbeed1224a430337b29d4c3b54

SHA512
587a49bea7edbec0f34bf68cfa5087fb83e1892a3a78f8abe4be349bcd202ed19eec6a762ab2ebe6aadcaf91a1fd5f46024e3099e13ed1f52c9fe5860c7f7902

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\xImage.dll
Filesize
1.1MB

MD5
6eef41ac32db621f5c4bf31911df0441

SHA1
cced5052c27e2502205ccbcecdf7fbdc3af28cee

SHA256
4666521a4d08655623f456c9a7b52ac5a07efd76b587d5a073d73515d1738dad

SHA512
c44c8dddac693a9e49b9d8a9b624ea44e538c1d6fcd062e68d6e19544605ef48f8b7833c55070f3145274ab600e2ad39b4c84c2bef841f9b7a5493be1176b265

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\xImage.dll
Filesize
1.1MB

MD5
6eef41ac32db621f5c4bf31911df0441

SHA1
cced5052c27e2502205ccbcecdf7fbdc3af28cee

SHA256
4666521a4d08655623f456c9a7b52ac5a07efd76b587d5a073d73515d1738dad

SHA512
c44c8dddac693a9e49b9d8a9b624ea44e538c1d6fcd062e68d6e19544605ef48f8b7833c55070f3145274ab600e2ad39b4c84c2bef841f9b7a5493be1176b265

Download Submit
memory/1428-541-0x00000000044C0000-0x00000000044D0000-memory.dmp

Filesize
64KB

Download
memory/1428-501-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1428-369-0x0000000008600000-0x0000000008601000-memory.dmp

Filesize
4KB

Download
memory/1428-376-0x00000000044C0000-0x00000000044D0000-memory.dmp

Filesize
64KB

Download
memory/1516-571-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1516-573-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1516-572-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1516-574-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1516-575-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1516-576-0x0000000066DE0000-0x0000000068212000-memory.dmp

Filesize
20.2MB

Download
memory/1516-570-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1516-569-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3756-226-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3756-150-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download