zloader | a1fb6802f684d5bd1228000987e88bb7bd6ae3230d7b4416466f8585a53d5e49

Resubmissions

13-07-2023 14:11

230713-rhjblahh5t 1

03-07-2023 17:25

230703-vy9p9sag31 10

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
03-07-2023 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_b_1.20.0.6.exe
Size

84.4MB
MD5

add481fdab5622f0bed9624d0da23bb0
SHA1

9b2ec5159aec9b270fc89b9050ad7b405793bf53
SHA256

a1fb6802f684d5bd1228000987e88bb7bd6ae3230d7b4416466f8585a53d5e49
SHA512

6365891e241679e024e2514ca32a36baacaeaa52c3b2de8a07b6db76c8eb1d40c41061ccd26a6d24bcdabae9ad14552f1bfef54dc3f0f26bc116ca9fd7082577
SSDEEP

1572864:IddPxMVHjdsnIUnVCnvO9cHC/yp3IsxyCUgd/1l5ueG2+q7WgNaWN:6odZUn20cHCmFZtG2+tuzN

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 14 IoCs

pid	Process
1200	TeraBox.exe
1948	YunUtilityService.exe
1960	TeraBoxWebService.exe
268	TeraBox.exe
1956	TeraBoxWebService.exe
1744	TeraBoxRender.exe
580	TeraBoxRender.exe
1820	TeraBoxRender.exe
1548	TeraBoxRender.exe
2540	TeraBoxHost.exe
2572	TeraBoxHost.exe
2728	TeraBoxRender.exe
2248	TeraBoxHost.exe
2312	AutoUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1200	TeraBox.exe
1896	regsvr32.exe
2016	regsvr32.exe
624	regsvr32.exe
1816	regsvr32.exe
1028	regsvr32.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1948	YunUtilityService.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1960	TeraBoxWebService.exe
1960	TeraBoxWebService.exe
1960	TeraBoxWebService.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe,0"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect"	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
1456	TeraBox_sl_b_1.20.0.6.exe
268	TeraBox.exe
268	TeraBox.exe
268	TeraBox.exe
1744	TeraBoxRender.exe
580	TeraBoxRender.exe
1820	TeraBoxRender.exe
1548	TeraBoxRender.exe
2728	TeraBoxRender.exe
2572	TeraBoxHost.exe
2572	TeraBoxHost.exe
2572	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2572	TeraBoxHost.exe
Token: SeBackupPrivilege	2572	TeraBoxHost.exe
Token: SeSecurityPrivilege	2572	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
268	TeraBox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1200	1456	TeraBox_sl_b_1.20.0.6.exe	27
PID 1456 wrote to memory of 1200	1456	TeraBox_sl_b_1.20.0.6.exe	27
PID 1456 wrote to memory of 1200	1456	TeraBox_sl_b_1.20.0.6.exe	27
PID 1456 wrote to memory of 1200	1456	TeraBox_sl_b_1.20.0.6.exe	27
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1456 wrote to memory of 1896	1456	TeraBox_sl_b_1.20.0.6.exe	29
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1896 wrote to memory of 2016	1896	regsvr32.exe	30
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 624	1456	TeraBox_sl_b_1.20.0.6.exe	31
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1456 wrote to memory of 1816	1456	TeraBox_sl_b_1.20.0.6.exe	32
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1816 wrote to memory of 1028	1816	regsvr32.exe	33
PID 1456 wrote to memory of 1948	1456	TeraBox_sl_b_1.20.0.6.exe	34
PID 1456 wrote to memory of 1948	1456	TeraBox_sl_b_1.20.0.6.exe	34
PID 1456 wrote to memory of 1948	1456	TeraBox_sl_b_1.20.0.6.exe	34
PID 1456 wrote to memory of 1948	1456	TeraBox_sl_b_1.20.0.6.exe	34
PID 1456 wrote to memory of 1960	1456	TeraBox_sl_b_1.20.0.6.exe	35
PID 1456 wrote to memory of 1960	1456	TeraBox_sl_b_1.20.0.6.exe	35
PID 1456 wrote to memory of 1960	1456	TeraBox_sl_b_1.20.0.6.exe	35
PID 1456 wrote to memory of 1960	1456	TeraBox_sl_b_1.20.0.6.exe	35
PID 268 wrote to memory of 1744	268	TeraBox.exe	41
PID 268 wrote to memory of 1744	268	TeraBox.exe	41
PID 268 wrote to memory of 1744	268	TeraBox.exe	41
PID 268 wrote to memory of 1744	268	TeraBox.exe	41
PID 268 wrote to memory of 580	268	TeraBox.exe	42
PID 268 wrote to memory of 580	268	TeraBox.exe	42
PID 268 wrote to memory of 580	268	TeraBox.exe	42
PID 268 wrote to memory of 580	268	TeraBox.exe	42
PID 268 wrote to memory of 1548	268	TeraBox.exe	44
PID 268 wrote to memory of 1548	268	TeraBox.exe	44
PID 268 wrote to memory of 1548	268	TeraBox.exe	44
PID 268 wrote to memory of 1548	268	TeraBox.exe	44
PID 268 wrote to memory of 1820	268	TeraBox.exe	43
PID 268 wrote to memory of 1820	268	TeraBox.exe	43
PID 268 wrote to memory of 1820	268	TeraBox.exe	43
PID 268 wrote to memory of 1820	268	TeraBox.exe	43
PID 268 wrote to memory of 2540	268	TeraBox.exe	45

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.20.0.6.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.20.0.6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1200
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:2016
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:624
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:1028
- C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1948
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:1960
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1996,14130681896505668801,11618758180936289720,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.20.0.6;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2024 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1744
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14130681896505668801,11618758180936289720,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.20.0.6;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:580
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1996,14130681896505668801,11618758180936289720,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.20.0.6;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1820
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=1996,14130681896505668801,11618758180936289720,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.20.0.6;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.268.0.1180929775\699943712 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.76" -PcGuid "TBIMXV2-O_2AFEE0695C27418594062A7DDAB03F6E-C_0-D_4d51303031302033202020202020202020202020-M_42C84A33452B-V_92C6C835" -Version "1.20.0.6" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.268.0.1180929775\699943712 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.76" -PcGuid "TBIMXV2-O_2AFEE0695C27418594062A7DDAB03F6E-C_0-D_4d51303031302033202020202020202020202020-M_42C84A33452B-V_92C6C835" -Version "1.20.0.6" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=1996,14130681896505668801,11618758180936289720,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.20.0.6;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2024 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.268.1.1108490367\392087492 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.76" -PcGuid "TBIMXV2-O_2AFEE0695C27418594062A7DDAB03F6E-C_0-D_4d51303031302033202020202020202020202020-M_42C84A33452B-V_92C6C835" -Version "1.20.0.6" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:2248
- - C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -srvwnd 101c2 -unlogin
    3⤵
    - Executes dropped EXE
    PID:2312
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  2⤵
  - Executes dropped EXE
  PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
509f694ee8852601bd41932499575e69

SHA1
75b2d14237a575b40d9358fd37e34698962323fb

SHA256
de36ddc339e751f07c586eaac5a5f9f80502ba608a3c7371ad574b08c9de2b0d

SHA512
45620fff9fcb08cd8e71ee0578fc3e06a803e2b0cb87e0c9825b8887ecf6466c0a52ed2fc9e880bb2000b9fab9d275e6472b484c55e57f6cdd8a6984400cf2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF144.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF389.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
70fba8a580e94fa8753fa71cd7703d5b

SHA1
57817a035649ed0cfb9087cb908a16bd2c8b2ddb

SHA256
98756e3b2a2a7bcc8933da9f0fe7ed29dbefa315a1192d0426d039b320965eea

SHA512
9d5c166877f427b797435939f09e5c7904dd2e8d0a36297ad22de0581435fcd53e14b6855c646c4124de332a119d8619c34ce3e657493bd73114e1bc8448207c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Filesize
21KB

MD5
a8090d136201491a5e858be61db87903

SHA1
d581732d9df14610751002fa14441336960f2bdb

SHA256
aaa3435cdaeb48a2589f8c0d4382b4b49ffffa96112a9688dc301a744be82107

SHA512
aafad855e9e3fb49eadf06ccde7cf31bb2fb08113466167f9c8ee7e3d96c710d920a2689b6f1ac18e7df49762e8e3281626d60cead451bd1c23aa15a6cc62068

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
a70862cf39e13bbe495c16de6716db86

SHA1
deb0be661f29f17093a112c852639beabd179d8a

SHA256
f797ab319cfe281b0bed58c879f352e96c05b26b37e0ae31c8e4cc9c36d6d635

SHA512
e86f17b452d325553f0250b802d987bc7157416b2dfbc67408d8621d9a58254a7e6d385692be4cb41344579c092881b933a46995978e1ead5233ace79237f457

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
996KB

MD5
8d118d52b4fed7f5f23cc9c30444e60b

SHA1
cc6c08573f0a6acb656acc1ea3a6015cd3a7a883

SHA256
4fd51aacc77e3408dd9ec493f6fc01dda7813a5a6c9bfc66898a15de9be88d28

SHA512
fddb75f9c5c53863ac3622cc2ebc2ad97a6442c821e0c9ce504f8cdf88bee4d5d8635720e1be9db35f1a8b669597361a31074c8b76594f620001c4aca4f4d12f

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.5MB

MD5
4369ca36ec48a55ac6cd95124f57c7c0

SHA1
c059631e2be8702bae14ddf03be4d2273757a30c

SHA256
c45823b0a5f82eb805d0880aa42c54517e0370c3182b96acee37a93ee731f6b8

SHA512
11cf92d1c0bce056e28e7f4c73fcfb649cdca6e72c9aa1fe0595f4585c3f1d2f9f64439fffa3fe705b49409cfc840f74ac9988fe1a8c4c147172397e2f8cd0ab

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.DLL

Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
bb724837daef7b61fd5e7ef6f21b1098

SHA1
9035820674cb10c7ba87c639f3a7fd70d4aed52f

SHA256
ad31cf8e92c99b0aa625bd4909aa4d2233687cff04a27ec9205fe13e04087a00

SHA512
a2f876f640bfcfee294571e3b94b91e8fe450271267f117d59b0ae3daa04a9f6b3a9b13ae9cc465b71b9c4c97700d3a5a5d59d9e95ea30a340f4e321d53a869e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
c22f4d0c37a4098c4cbef734814b2d6f

SHA1
977b2644d34feb966276a8d02bfb5a25ddeb0735

SHA256
b1dcb6383689f7b1d271868f225a1bd486b92e5ad87e7f12bd365e1bb1cfcb39

SHA512
e96d96a5753ba3efd11790eba5d8c0890489d1858fd403d858a003047a65f84fd2d792f5e089a3425d4903ad2eabc1e082c9c4548a527ab18442c92a113b4e18

Download Submit
C:\Users\Admin\Desktop\TeraBox.lnk

Filesize
840B

MD5
50f21886c803350620311603fd12b451

SHA1
965966b9556fb1783f6d574636caf30f7be4c5a6

SHA256
f14420b3554d22093fc22209ee926ac6f5c3a150c3585b62b0ef3ff1cd9f900b

SHA512
bde717fc652266f882c33f2b8935cfdc3ce76abfcec2a2306363afc13c974b4a4f122aa21f62895a3a67f919ecb388563ef862b352880d162ddb2fd7a30f87f1

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
70fba8a580e94fa8753fa71cd7703d5b

SHA1
57817a035649ed0cfb9087cb908a16bd2c8b2ddb

SHA256
98756e3b2a2a7bcc8933da9f0fe7ed29dbefa315a1192d0426d039b320965eea

SHA512
9d5c166877f427b797435939f09e5c7904dd2e8d0a36297ad22de0581435fcd53e14b6855c646c4124de332a119d8619c34ce3e657493bd73114e1bc8448207c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj5AB1.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
4369ca36ec48a55ac6cd95124f57c7c0

SHA1
c059631e2be8702bae14ddf03be4d2273757a30c

SHA256
c45823b0a5f82eb805d0880aa42c54517e0370c3182b96acee37a93ee731f6b8

SHA512
11cf92d1c0bce056e28e7f4c73fcfb649cdca6e72c9aa1fe0595f4585c3f1d2f9f64439fffa3fe705b49409cfc840f74ac9988fe1a8c4c147172397e2f8cd0ab

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
a70862cf39e13bbe495c16de6716db86

SHA1
deb0be661f29f17093a112c852639beabd179d8a

SHA256
f797ab319cfe281b0bed58c879f352e96c05b26b37e0ae31c8e4cc9c36d6d635

SHA512
e86f17b452d325553f0250b802d987bc7157416b2dfbc67408d8621d9a58254a7e6d385692be4cb41344579c092881b933a46995978e1ead5233ace79237f457

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.6MB

MD5
7743590b28f6c0cd8db18da00ad2d91b

SHA1
69b5427314cf8520172ce71ee86b723c18118383

SHA256
0eb2d3987cc0fe0d2d22880329eaa58cc89f3d71070f781f4f2d4c5d5d5fc801

SHA512
57a43cba097f78ec9a6f1e0dbbc79b037ea76f10255f1fe6e0235688523c49947804e6840cad246f419a56fd1403b5047321fd1953c60ff0bdede4521d3eead0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
996KB

MD5
8d118d52b4fed7f5f23cc9c30444e60b

SHA1
cc6c08573f0a6acb656acc1ea3a6015cd3a7a883

SHA256
4fd51aacc77e3408dd9ec493f6fc01dda7813a5a6c9bfc66898a15de9be88d28

SHA512
fddb75f9c5c53863ac3622cc2ebc2ad97a6442c821e0c9ce504f8cdf88bee4d5d8635720e1be9db35f1a8b669597361a31074c8b76594f620001c4aca4f4d12f

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll

Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
c22f4d0c37a4098c4cbef734814b2d6f

SHA1
977b2644d34feb966276a8d02bfb5a25ddeb0735

SHA256
b1dcb6383689f7b1d271868f225a1bd486b92e5ad87e7f12bd365e1bb1cfcb39

SHA512
e96d96a5753ba3efd11790eba5d8c0890489d1858fd403d858a003047a65f84fd2d792f5e089a3425d4903ad2eabc1e082c9c4548a527ab18442c92a113b4e18

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/268-486-0x0000000003D30000-0x0000000003D70000-memory.dmp

Filesize
256KB

Download
memory/268-455-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/268-288-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/268-347-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/268-349-0x0000000003D30000-0x0000000003D70000-memory.dmp

Filesize
256KB

Download
memory/1456-178-0x0000000003A30000-0x0000000003A70000-memory.dmp

Filesize
256KB

Download
memory/1456-74-0x0000000003A30000-0x0000000003A70000-memory.dmp

Filesize
256KB

Download
memory/1456-275-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/1956-278-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2248-485-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2312-492-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2572-442-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2572-445-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2572-435-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2572-436-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2572-438-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2572-439-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2572-441-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2572-399-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2572-444-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2572-433-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2572-446-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2572-447-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2572-448-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2572-449-0x0000000068370000-0x000000006979C000-memory.dmp

Filesize
20.2MB

Download
memory/2572-432-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2572-431-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2572-430-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2572-429-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2572-428-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download