lumma | d7e7b2d54cb4cfa0796049e866e9a3a4ccf400c8492876c3085b8eb45c7d754f

Resubmissions

20-09-2023 14:11

230920-rhnajsgf9z 6

16-09-2023 04:09

230916-eqv9xagg7v 10

Analysis

max time kernel
751s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_b_1.23.0.9.exe
Size

84.5MB
MD5

7dcba44868b48ecdba2f73d433f169f7
SHA1

932c96465b4a459477515e40dcb2f123e90b72dd
SHA256

d7e7b2d54cb4cfa0796049e866e9a3a4ccf400c8492876c3085b8eb45c7d754f
SHA512

1733612a6d8ebb85b8e6577ed8e4eeff7f512860ab42db886b46e3301bd7c29476c3433c8c831f63a095c894355a5722dca19f62ffcd84b46982c7fd845a2e7c
SSDEEP

1572864:kTqOX2HZv0OLfmYwgDFNF69OfX5m1yysYnkLeInfMez:k258OLuYZDFv7f5NcgeEkez

Score

10^/10

lumma discovery persistence stealer

Malware Config

Signatures

Detect Lumma Stealer payload V2 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023241-232.dat	family_lumma_V2
behavioral2/files/0x0006000000023241-233.dat	family_lumma_V2

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 15 IoCs

pid	Process
684	TeraBox.exe
3300	YunUtilityService.exe
2660	TeraBoxWebService.exe
5056	TeraBox.exe
1252	TeraBoxWebService.exe
1648	TeraBoxRender.exe
2964	TeraBoxRender.exe
3400	TeraBoxRender.exe
1296	TeraBoxRender.exe
3812	TeraBoxHost.exe
2716	TeraBoxHost.exe
624	TeraBoxRender.exe
1640	TeraBoxHost.exe
1124	AutoUpdate.exe
4328	TeraBoxRender.exe

Loads dropped DLL 64 IoCs

pid	Process
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
684	TeraBox.exe
684	TeraBox.exe
684	TeraBox.exe
684	TeraBox.exe
684	TeraBox.exe
684	TeraBox.exe
2940	regsvr32.exe
4780	regsvr32.exe
3652	regsvr32.exe
4664	regsvr32.exe
3272	regsvr32.exe
3300	YunUtilityService.exe
3300	YunUtilityService.exe
2660	TeraBoxWebService.exe
2660	TeraBoxWebService.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
1252	TeraBoxWebService.exe
1252	TeraBoxWebService.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
2964	TeraBoxRender.exe
2964	TeraBoxRender.exe
2964	TeraBoxRender.exe
2964	TeraBoxRender.exe
3400	TeraBoxRender.exe
3400	TeraBoxRender.exe
3400	TeraBoxRender.exe
3400	TeraBoxRender.exe
1296	TeraBoxRender.exe
1296	TeraBoxRender.exe
1296	TeraBoxRender.exe
1296	TeraBoxRender.exe
3812	TeraBoxHost.exe
3812	TeraBoxHost.exe
3812	TeraBoxHost.exe
3812	TeraBoxHost.exe
3812	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\ = "YunShellExt 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
3844	TeraBox_sl_b_1.23.0.9.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
5056	TeraBox.exe
1648	TeraBoxRender.exe
1648	TeraBoxRender.exe
2964	TeraBoxRender.exe
2964	TeraBoxRender.exe
3400	TeraBoxRender.exe
3400	TeraBoxRender.exe
1296	TeraBoxRender.exe
1296	TeraBoxRender.exe
624	TeraBoxRender.exe
624	TeraBoxRender.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
2716	TeraBoxHost.exe
4328	TeraBoxRender.exe
4328	TeraBoxRender.exe
4328	TeraBoxRender.exe
4328	TeraBoxRender.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2716	TeraBoxHost.exe
Token: SeBackupPrivilege	2716	TeraBoxHost.exe
Token: SeSecurityPrivilege	2716	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5056	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5056	TeraBox.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 684	3844	TeraBox_sl_b_1.23.0.9.exe	87
PID 3844 wrote to memory of 684	3844	TeraBox_sl_b_1.23.0.9.exe	87
PID 3844 wrote to memory of 684	3844	TeraBox_sl_b_1.23.0.9.exe	87
PID 3844 wrote to memory of 2940	3844	TeraBox_sl_b_1.23.0.9.exe	95
PID 3844 wrote to memory of 2940	3844	TeraBox_sl_b_1.23.0.9.exe	95
PID 3844 wrote to memory of 2940	3844	TeraBox_sl_b_1.23.0.9.exe	95
PID 2940 wrote to memory of 4780	2940	regsvr32.exe	88
PID 2940 wrote to memory of 4780	2940	regsvr32.exe	88
PID 3844 wrote to memory of 3652	3844	TeraBox_sl_b_1.23.0.9.exe	89
PID 3844 wrote to memory of 3652	3844	TeraBox_sl_b_1.23.0.9.exe	89
PID 3844 wrote to memory of 3652	3844	TeraBox_sl_b_1.23.0.9.exe	89
PID 3844 wrote to memory of 4664	3844	TeraBox_sl_b_1.23.0.9.exe	94
PID 3844 wrote to memory of 4664	3844	TeraBox_sl_b_1.23.0.9.exe	94
PID 3844 wrote to memory of 4664	3844	TeraBox_sl_b_1.23.0.9.exe	94
PID 4664 wrote to memory of 3272	4664	regsvr32.exe	90
PID 4664 wrote to memory of 3272	4664	regsvr32.exe	90
PID 3844 wrote to memory of 3300	3844	TeraBox_sl_b_1.23.0.9.exe	93
PID 3844 wrote to memory of 3300	3844	TeraBox_sl_b_1.23.0.9.exe	93
PID 3844 wrote to memory of 3300	3844	TeraBox_sl_b_1.23.0.9.exe	93
PID 3844 wrote to memory of 2660	3844	TeraBox_sl_b_1.23.0.9.exe	92
PID 3844 wrote to memory of 2660	3844	TeraBox_sl_b_1.23.0.9.exe	92
PID 3844 wrote to memory of 2660	3844	TeraBox_sl_b_1.23.0.9.exe	92
PID 5056 wrote to memory of 1648	5056	TeraBox.exe	99
PID 5056 wrote to memory of 1648	5056	TeraBox.exe	99
PID 5056 wrote to memory of 1648	5056	TeraBox.exe	99
PID 5056 wrote to memory of 2964	5056	TeraBox.exe	100
PID 5056 wrote to memory of 2964	5056	TeraBox.exe	100
PID 5056 wrote to memory of 2964	5056	TeraBox.exe	100
PID 5056 wrote to memory of 1296	5056	TeraBox.exe	102
PID 5056 wrote to memory of 1296	5056	TeraBox.exe	102
PID 5056 wrote to memory of 1296	5056	TeraBox.exe	102
PID 5056 wrote to memory of 3400	5056	TeraBox.exe	101
PID 5056 wrote to memory of 3400	5056	TeraBox.exe	101
PID 5056 wrote to memory of 3400	5056	TeraBox.exe	101
PID 5056 wrote to memory of 3812	5056	TeraBox.exe	103
PID 5056 wrote to memory of 3812	5056	TeraBox.exe	103
PID 5056 wrote to memory of 3812	5056	TeraBox.exe	103
PID 5056 wrote to memory of 2716	5056	TeraBox.exe	104
PID 5056 wrote to memory of 2716	5056	TeraBox.exe	104
PID 5056 wrote to memory of 2716	5056	TeraBox.exe	104
PID 5056 wrote to memory of 624	5056	TeraBox.exe	105
PID 5056 wrote to memory of 624	5056	TeraBox.exe	105
PID 5056 wrote to memory of 624	5056	TeraBox.exe	105
PID 5056 wrote to memory of 1640	5056	TeraBox.exe	106
PID 5056 wrote to memory of 1640	5056	TeraBox.exe	106
PID 5056 wrote to memory of 1640	5056	TeraBox.exe	106
PID 5056 wrote to memory of 1124	5056	TeraBox.exe	107
PID 5056 wrote to memory of 1124	5056	TeraBox.exe	107
PID 5056 wrote to memory of 1124	5056	TeraBox.exe	107
PID 5056 wrote to memory of 4328	5056	TeraBox.exe	108
PID 5056 wrote to memory of 4328	5056	TeraBox.exe	108
PID 5056 wrote to memory of 4328	5056	TeraBox.exe	108

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.23.0.9.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.23.0.9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  PID:684
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3652
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2660
- C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3300
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4664
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2940
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2584 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1296
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.5056.0.1392587159\1369820689 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_78D2F954AB8E43049209AEA9B0873C0E-C_0-D_QM00013-M_DA5D5E1D8AF4-V_C29B2F7F" -Version "1.23.0.9" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3812
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.5056.0.1392587159\1369820689 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_78D2F954AB8E43049209AEA9B0873C0E-C_0-D_QM00013-M_DA5D5E1D8AF4-V_C29B2F7F" -Version "1.23.0.9" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:624
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.5056.1.84010192\1141847562 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.181" -PcGuid "TBIMXV2-O_78D2F954AB8E43049209AEA9B0873C0E-C_0-D_QM00013-M_DA5D5E1D8AF4-V_C29B2F7F" -Version "1.23.0.9" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -srvwnd 501e0 -unlogin
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2596,274003656330146975,14924343038995449342,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.23.0.9;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=4660 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4328
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1252

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:4780

C:\Windows\system32\regsvr32.exe
"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000015

Filesize
181KB

MD5
f4d077fdd3bad1c3730c23cc2dea0538

SHA1
55bca2302e887ed5e238ed93ec228b46cdfb7d7f

SHA256
450d9f7f377f988975ef34a223a85831d1f9f862d5052f834efcda8146142e3a

SHA512
0b3754e2c994e97be8e84d3b239661bf08134d39921b4a9d1e41d26c2779c5ac5a106f71ca2b7bb6997d6ea1457d1225414129a8826a9a4388b7ace66cc008cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
02a6cee8f52a1abd794124836fc8d1d3

SHA1
085471503ab6426de6225d8909941a8006823782

SHA256
f669058fafb99466ee86dd983db69bac4d8b7df86ae2f2e0ba86c40494024f25

SHA512
0d9afaf1923bb2e7d4766d23b2401d8e5310d83615ebee71e80e94800519b73e424ab36e960cdf14b103d255652b50023420660b759bdb02c74388d642374733

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe599fe0.TMP

Filesize
48B

MD5
165b91b1d99a75e18068010f1b76f87c

SHA1
21a8683fd6e2c50144667aa4144df11ff9f23515

SHA256
d7edc3aa894225a4a650358d7906afda5a253bd8aad407e1fe0008b94a22c4bf

SHA512
ca12460e774d86e236cc58988e291ff9113f79eb545f349d2bcbf1bdc6b261b1c3b73b9dc1770756e6e2fa74da86f0f717fc473d62f32f173acaca6349a06eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
1KB

MD5
aac4b1d154d0165c949d29f174e301a3

SHA1
c1204fc0da3357b067ccb87bc744d6c1d83af139

SHA256
9289a2d130de0dd5452b320eebf36313680bb948da8cdc505c55728de5378423

SHA512
165223c8ff45bd44417fa044b440cca1b63b7676f2400f8318e337bd9136264060e5ac8fbf57751d4e2806bca81cbabea1eb24fe57e258b905e52fc0b3292a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe5a5351.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
714055df53d8869cfd459e28cf18152a

SHA1
e6680ed8c7eb67db0352c8c287af5011e7d8712f

SHA256
b2d3a17f8d5b092649eb1c1bd819fdbff00f16b29eb5af57072404fa0390ebf6

SHA512
0397a4d04ae00690a9c550a44ce1e5f1c71b8da72aafa325163d5055b55c5d49bec559c2098269c163b18eb5426a44b33f102ac8144c5bdaa74033b1e4748ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
714055df53d8869cfd459e28cf18152a

SHA1
e6680ed8c7eb67db0352c8c287af5011e7d8712f

SHA256
b2d3a17f8d5b092649eb1c1bd819fdbff00f16b29eb5af57072404fa0390ebf6

SHA512
0397a4d04ae00690a9c550a44ce1e5f1c71b8da72aafa325163d5055b55c5d49bec559c2098269c163b18eb5426a44b33f102ac8144c5bdaa74033b1e4748ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8B1B.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
ea5015d80909fdf1d623a39489eaace4

SHA1
f595bacbbcfa359072b0f0c04e18b09cfced5a25

SHA256
54e905b86520af922b3ae0ac331a55852f04f89bf31868728d2dff0b49657121

SHA512
5236c7a6bc5f6ac6720740d41b332e5855e355c00a677c191b52596883805e83d4d49994964cd5674d388a6bd5ce8a86a6d19976749b2e55a658dd9256944037

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
ea5015d80909fdf1d623a39489eaace4

SHA1
f595bacbbcfa359072b0f0c04e18b09cfced5a25

SHA256
54e905b86520af922b3ae0ac331a55852f04f89bf31868728d2dff0b49657121

SHA512
5236c7a6bc5f6ac6720740d41b332e5855e355c00a677c191b52596883805e83d4d49994964cd5674d388a6bd5ce8a86a6d19976749b2e55a658dd9256944037

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll

Filesize
198KB

MD5
f7c346a7c9f0a5d41d27a570a615dda3

SHA1
798e51f3d30a1e78570955aa5ed652eb9e6a3ff0

SHA256
4e2b9a7125dc06498d6dfc281fd762f20a4be86f08941bb4a0e34e89d54c357d

SHA512
b3fee43a7894eefb72d836ad4afeee64fb7f6e9ed8801c0856b7a411abf9df7b446666c4fd3b2b6ff18fe65698e69d0f3caeab16452bc63ec4ae76024de92abb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll

Filesize
198KB

MD5
f7c346a7c9f0a5d41d27a570a615dda3

SHA1
798e51f3d30a1e78570955aa5ed652eb9e6a3ff0

SHA256
4e2b9a7125dc06498d6dfc281fd762f20a4be86f08941bb4a0e34e89d54c357d

SHA512
b3fee43a7894eefb72d836ad4afeee64fb7f6e9ed8801c0856b7a411abf9df7b446666c4fd3b2b6ff18fe65698e69d0f3caeab16452bc63ec4ae76024de92abb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll

Filesize
198KB

MD5
f7c346a7c9f0a5d41d27a570a615dda3

SHA1
798e51f3d30a1e78570955aa5ed652eb9e6a3ff0

SHA256
4e2b9a7125dc06498d6dfc281fd762f20a4be86f08941bb4a0e34e89d54c357d

SHA512
b3fee43a7894eefb72d836ad4afeee64fb7f6e9ed8801c0856b7a411abf9df7b446666c4fd3b2b6ff18fe65698e69d0f3caeab16452bc63ec4ae76024de92abb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Filesize
21KB

MD5
4df4746f78ca1b6c7892f197858fee7e

SHA1
b44363e1c41e7df5bef82ba0a056e7103239cd63

SHA256
5f4a3b4e1aa1fe5a5d7f4082d949d57d7e45b053238cdda6cddf043a44f34ea8

SHA512
80d253a9e205a08c04b8811e37bee501255d470e2c0f6ac64ef412fb8aedaa95fa765be5c45235b7f06a3bda8d10eb674dbb128bf57c75990cac1ad5a6a18cc9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\config.ini

Filesize
52B

MD5
5cc36a5a9945e4fbda1cc8b475f98ea9

SHA1
16ff4141e975705252b9c556c5da8c84e7dbc74e

SHA256
61d88eb427ba7668f56c7391410c4de3a8e17cde7baba80291f8a06efafbef7c

SHA512
8b451ca92dd61ace8fc6cc4bcfc09499aa3c006803a7bdca1bdac9ee40a7b8fc9311e28078f07fbe4fbf1d40d71ffcebcf49a440ca0c6c100391fea4ee888a9e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
534aa8a02644b7855b96f9ad8b34884b

SHA1
997f8c63f17d82b83f9d79992d5cf6bca70c5ea3

SHA256
10e48a190e092483c0e3f3aadbec3c0c6c20262a4339ef8a225339ee66a97a86

SHA512
a9b94df050cc55e02e1be60a4da8595f949bb3b78d374c35b3767ccf6a7a4228becee619836e99834f804de4ee2cdc0634969c0d9d380e233760c73ca5d64c09

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
534aa8a02644b7855b96f9ad8b34884b

SHA1
997f8c63f17d82b83f9d79992d5cf6bca70c5ea3

SHA256
10e48a190e092483c0e3f3aadbec3c0c6c20262a4339ef8a225339ee66a97a86

SHA512
a9b94df050cc55e02e1be60a4da8595f949bb3b78d374c35b3767ccf6a7a4228becee619836e99834f804de4ee2cdc0634969c0d9d380e233760c73ca5d64c09

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
534aa8a02644b7855b96f9ad8b34884b

SHA1
997f8c63f17d82b83f9d79992d5cf6bca70c5ea3

SHA256
10e48a190e092483c0e3f3aadbec3c0c6c20262a4339ef8a225339ee66a97a86

SHA512
a9b94df050cc55e02e1be60a4da8595f949bb3b78d374c35b3767ccf6a7a4228becee619836e99834f804de4ee2cdc0634969c0d9d380e233760c73ca5d64c09

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.7MB

MD5
648d65c513f514fb815a1fdc6207505b

SHA1
11fc369991c6af82c38ae3162510579501596e68

SHA256
0507c6656ec7275f4f56b49a4e2c30c4eee747a7b4fccbf18d3164cdc96cbab4

SHA512
5f259bae411e11d6e68ef99b594852ae0b092e6a2c455b2df90045280552f35d701bd9ae0390d3015bd37ec2c47c27d3781f860b1803f76b2c0c44e58e6f54d6

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.7MB

MD5
648d65c513f514fb815a1fdc6207505b

SHA1
11fc369991c6af82c38ae3162510579501596e68

SHA256
0507c6656ec7275f4f56b49a4e2c30c4eee747a7b4fccbf18d3164cdc96cbab4

SHA512
5f259bae411e11d6e68ef99b594852ae0b092e6a2c455b2df90045280552f35d701bd9ae0390d3015bd37ec2c47c27d3781f860b1803f76b2c0c44e58e6f54d6

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.7MB

MD5
648d65c513f514fb815a1fdc6207505b

SHA1
11fc369991c6af82c38ae3162510579501596e68

SHA256
0507c6656ec7275f4f56b49a4e2c30c4eee747a7b4fccbf18d3164cdc96cbab4

SHA512
5f259bae411e11d6e68ef99b594852ae0b092e6a2c455b2df90045280552f35d701bd9ae0390d3015bd37ec2c47c27d3781f860b1803f76b2c0c44e58e6f54d6

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
e0cda8fac89ab8ee0c8ed2be92e422e9

SHA1
9800cd7084f250b906b6b67fb88f7d39b9a4b9f9

SHA256
6104a967cbfbd456f5f1741d1b485d20a9bf144b785f3712b4c261c53c657f7f

SHA512
777016b21d892321644dad995697aa63edffbcf27622c0dc5daca321c3df494d4872e6a4cb5ba0067c99d274c4ab0326badaefc85f50c8079cc4bca7dc0a3b96

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
e0cda8fac89ab8ee0c8ed2be92e422e9

SHA1
9800cd7084f250b906b6b67fb88f7d39b9a4b9f9

SHA256
6104a967cbfbd456f5f1741d1b485d20a9bf144b785f3712b4c261c53c657f7f

SHA512
777016b21d892321644dad995697aa63edffbcf27622c0dc5daca321c3df494d4872e6a4cb5ba0067c99d274c4ab0326badaefc85f50c8079cc4bca7dc0a3b96

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
e0cda8fac89ab8ee0c8ed2be92e422e9

SHA1
9800cd7084f250b906b6b67fb88f7d39b9a4b9f9

SHA256
6104a967cbfbd456f5f1741d1b485d20a9bf144b785f3712b4c261c53c657f7f

SHA512
777016b21d892321644dad995697aa63edffbcf27622c0dc5daca321c3df494d4872e6a4cb5ba0067c99d274c4ab0326badaefc85f50c8079cc4bca7dc0a3b96

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VersionInfo

Filesize
192B

MD5
742b270a20540850b6f580822701543b

SHA1
2093949f4f02e2282ef75925bbc49fee904bc4e5

SHA256
c7d6eacc3fafb0081589e31c3fb5146094a857489798e82c7efbde8732d16293

SHA512
fe55db7c58fb66e40fa85edb65872404ffb2c3bd1540981d7bbceb37015fc323a16e825e49e5a404e402e037c8a648c3e4e9d55e3b122b2b626b9043206ee612

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDb.dll

Filesize
777KB

MD5
480c1f2325722cf8782c32a484a7f23d

SHA1
b62dbceaa383a859af4158b7fbcb70efbfa4b9b2

SHA256
7a3b48b87145d6ddaca49916f307b4b76dd72bf4a0be3a0362fa97418a19f524

SHA512
4a2df47c7c80e05c8a7f59540d9601fac9dd4086dd14bddcd13c20acdfa4db6aa2033700b41dd50d443d9e333ef43a60ebe3df89394b152bf9ac9c3eedf1073d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDb.dll

Filesize
777KB

MD5
480c1f2325722cf8782c32a484a7f23d

SHA1
b62dbceaa383a859af4158b7fbcb70efbfa4b9b2

SHA256
7a3b48b87145d6ddaca49916f307b4b76dd72bf4a0be3a0362fa97418a19f524

SHA512
4a2df47c7c80e05c8a7f59540d9601fac9dd4086dd14bddcd13c20acdfa4db6aa2033700b41dd50d443d9e333ef43a60ebe3df89394b152bf9ac9c3eedf1073d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDls.dll

Filesize
2.1MB

MD5
570e6b911e4ee48189cb4e3ee55ad619

SHA1
f4b145e501149abc23d50826c45d5727245ae323

SHA256
7f2e5557126646ca0a6524fdc775520fa10c67c9e4e52e4280ffc42c69fb289b

SHA512
4d906d707ef7dd877c0e22eb2b144f1bf22aed504ed37cfae9986fa5981f3ccb828332d173acdcbead9a493c3b6b7903dfe8da229abf0d300a38ac4a82706859

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDls.dll

Filesize
2.1MB

MD5
570e6b911e4ee48189cb4e3ee55ad619

SHA1
f4b145e501149abc23d50826c45d5727245ae323

SHA256
7f2e5557126646ca0a6524fdc775520fa10c67c9e4e52e4280ffc42c69fb289b

SHA512
4d906d707ef7dd877c0e22eb2b144f1bf22aed504ed37cfae9986fa5981f3ccb828332d173acdcbead9a493c3b6b7903dfe8da229abf0d300a38ac4a82706859

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunLogic.dll

Filesize
6.3MB

MD5
ce7ac027fa8d1b0c461de588071986ac

SHA1
e6ae1c363bc308e61857af96892b80b9eb0687cd

SHA256
540b818c8625c56453474fba934831e76915cd045f949997a065d054ff0084ce

SHA512
5bc004bd5ea12e72591c07dd26b161ed2805efa6ed75432ff65b9168d5677ed9af9dfff9c8e6510b6fb26c63356d288b297168cbd7e5c07c1f99d584130c7c36

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunLogic.dll

Filesize
6.3MB

MD5
ce7ac027fa8d1b0c461de588071986ac

SHA1
e6ae1c363bc308e61857af96892b80b9eb0687cd

SHA256
540b818c8625c56453474fba934831e76915cd045f949997a065d054ff0084ce

SHA512
5bc004bd5ea12e72591c07dd26b161ed2805efa6ed75432ff65b9168d5677ed9af9dfff9c8e6510b6fb26c63356d288b297168cbd7e5c07c1f99d584130c7c36

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
375KB

MD5
046b9674c66df83495eeed005056ed6c

SHA1
7f02b8963a216d16b12026578604b361372e7e99

SHA256
36702a1f7ebfe76bd5e6f33ab2babf229052354b54dd4f24c03dd030287f6859

SHA512
da9996981f04dadc84e4599109fdacade3903d82ba611665c8554202f807074649355ca704b4b5f7564ad0cc516203dda16956d019963e79d6a7f227d0cb52ab

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
375KB

MD5
046b9674c66df83495eeed005056ed6c

SHA1
7f02b8963a216d16b12026578604b361372e7e99

SHA256
36702a1f7ebfe76bd5e6f33ab2babf229052354b54dd4f24c03dd030287f6859

SHA512
da9996981f04dadc84e4599109fdacade3903d82ba611665c8554202f807074649355ca704b4b5f7564ad0cc516203dda16956d019963e79d6a7f227d0cb52ab

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
484KB

MD5
ef2e2bb1f936cf7b92ef8b891251605f

SHA1
f8d91decb7bfe56a042fff58499c23d49b80aa24

SHA256
326c7e155a0a9b2dd4c0c64d6d06e36815672ff15e5956c0f1a7d210b7439d2f

SHA512
575849cdd806266a278e5380039329759bd8247625413d375a7b33ecb5e891c5b46a28b75f0e6cd8acee84da5d0351e5e0cb681c4e819ee12d87e0dad7c2f40d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
484KB

MD5
ef2e2bb1f936cf7b92ef8b891251605f

SHA1
f8d91decb7bfe56a042fff58499c23d49b80aa24

SHA256
326c7e155a0a9b2dd4c0c64d6d06e36815672ff15e5956c0f1a7d210b7439d2f

SHA512
575849cdd806266a278e5380039329759bd8247625413d375a7b33ecb5e891c5b46a28b75f0e6cd8acee84da5d0351e5e0cb681c4e819ee12d87e0dad7c2f40d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
484KB

MD5
ef2e2bb1f936cf7b92ef8b891251605f

SHA1
f8d91decb7bfe56a042fff58499c23d49b80aa24

SHA256
326c7e155a0a9b2dd4c0c64d6d06e36815672ff15e5956c0f1a7d210b7439d2f

SHA512
575849cdd806266a278e5380039329759bd8247625413d375a7b33ecb5e891c5b46a28b75f0e6cd8acee84da5d0351e5e0cb681c4e819ee12d87e0dad7c2f40d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
998KB

MD5
2b6c2528952af7bf7dc6bbcafd5ea6f3

SHA1
c2f5e58f2a9d2dbf7a2a4fd1f6c57853cb18ee0f

SHA256
db59969e932f0c9330dc9ada89b6f73b509d630358b8d8a7e6b13e9c7f4bbb7e

SHA512
1ede956addac49a8ff16b9edf28faf21ffa4fffd5633c2648c5a3242bd5b486f558046a08a8319468c776cd5e49a05dc414d0e61679b6400e3561cf5c2e6e6cf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
998KB

MD5
2b6c2528952af7bf7dc6bbcafd5ea6f3

SHA1
c2f5e58f2a9d2dbf7a2a4fd1f6c57853cb18ee0f

SHA256
db59969e932f0c9330dc9ada89b6f73b509d630358b8d8a7e6b13e9c7f4bbb7e

SHA512
1ede956addac49a8ff16b9edf28faf21ffa4fffd5633c2648c5a3242bd5b486f558046a08a8319468c776cd5e49a05dc414d0e61679b6400e3561cf5c2e6e6cf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
998KB

MD5
2b6c2528952af7bf7dc6bbcafd5ea6f3

SHA1
c2f5e58f2a9d2dbf7a2a4fd1f6c57853cb18ee0f

SHA256
db59969e932f0c9330dc9ada89b6f73b509d630358b8d8a7e6b13e9c7f4bbb7e

SHA512
1ede956addac49a8ff16b9edf28faf21ffa4fffd5633c2648c5a3242bd5b486f558046a08a8319468c776cd5e49a05dc414d0e61679b6400e3561cf5c2e6e6cf

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
b5aabbef0650e541a9e57f89187b84fc

SHA1
82d1ff446a5df7e31e3a1caca8067f62423bd233

SHA256
57ad5d4fdd3ce259b33357ac85c048754655400ec122d10a0b1d33b29ea43180

SHA512
3c5f35062a73c6aff96bf99f534d3bf79073199ad779dbf1e92e70ca682654ba4be1ddbf5b386e42716270f628f3b81de878a53feca837510425871377b1ef44

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
b5aabbef0650e541a9e57f89187b84fc

SHA1
82d1ff446a5df7e31e3a1caca8067f62423bd233

SHA256
57ad5d4fdd3ce259b33357ac85c048754655400ec122d10a0b1d33b29ea43180

SHA512
3c5f35062a73c6aff96bf99f534d3bf79073199ad779dbf1e92e70ca682654ba4be1ddbf5b386e42716270f628f3b81de878a53feca837510425871377b1ef44

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.5MB

MD5
ea5015d80909fdf1d623a39489eaace4

SHA1
f595bacbbcfa359072b0f0c04e18b09cfced5a25

SHA256
54e905b86520af922b3ae0ac331a55852f04f89bf31868728d2dff0b49657121

SHA512
5236c7a6bc5f6ac6720740d41b332e5855e355c00a677c191b52596883805e83d4d49994964cd5674d388a6bd5ce8a86a6d19976749b2e55a658dd9256944037

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\chrome_elf.dll

Filesize
845KB

MD5
884521d700c0b5ad1b8874101ae3bcf1

SHA1
c073278f5e8dcc4b9d7425f0c469223e0f1d4d25

SHA256
904be312a25c3daf4550e921863f47e683b709c2172f6d62141f01b9025a017c

SHA512
af8a4f0343e203e2579add8d74bb90b7bf5c13795b40ae66842bda066f4c13ced5dd36861ab3136678fdc92102fe6381748db2537cbf16de515613f5a4bcdc28

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\chrome_elf.dll

Filesize
845KB

MD5
884521d700c0b5ad1b8874101ae3bcf1

SHA1
c073278f5e8dcc4b9d7425f0c469223e0f1d4d25

SHA256
904be312a25c3daf4550e921863f47e683b709c2172f6d62141f01b9025a017c

SHA512
af8a4f0343e203e2579add8d74bb90b7bf5c13795b40ae66842bda066f4c13ced5dd36861ab3136678fdc92102fe6381748db2537cbf16de515613f5a4bcdc28

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\libcef.dll

Filesize
113.1MB

MD5
fa864d9e3c810655a329c95764e8ccd8

SHA1
00f275281c1561e8cfcc90f7000426d9ccdc7ea3

SHA256
9f654cb530e01f391ddfd98830227df90c8ac504911c296e471dfeeb293d265f

SHA512
4b493331b0e021f239b8164e42e87dbd5e9cc60ef65b1d852bc62b92d69d72dbb66de8f83334d1fe3b5891b7e88f5113a188bfad57126e4b918b85d8fe989139

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\libcef.dll

Filesize
113.1MB

MD5
fa864d9e3c810655a329c95764e8ccd8

SHA1
00f275281c1561e8cfcc90f7000426d9ccdc7ea3

SHA256
9f654cb530e01f391ddfd98830227df90c8ac504911c296e471dfeeb293d265f

SHA512
4b493331b0e021f239b8164e42e87dbd5e9cc60ef65b1d852bc62b92d69d72dbb66de8f83334d1fe3b5891b7e88f5113a188bfad57126e4b918b85d8fe989139

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\module\TeraBoxModuleList.db

Filesize
16KB

MD5
856baa039a79b49512a7871d31ea0fa2

SHA1
60af2285f13acafdd68f9e4373e941cf33464947

SHA256
1f185e63ae610d4a9c573538a8dca2083130303d8640779a7a844b709f18cdd9

SHA512
f21d3cff698a7eba209472453f02e572bc41e841d134f3a305552233d6426e60fa639777b5736f11fac5bda4f0f023846ff383fd2ca0847b00ca8c03462f29a7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\resource.db

Filesize
52KB

MD5
d763e36d58497f179adbed8442ac2aa0

SHA1
16e9612b70fde89f2eba1245897f6c49ed4e1053

SHA256
f5af58da4b68615e6edcf282ef56a552bcaead92b4ca17626c856cd08e9acc64

SHA512
ca2106a2eae822eeeb08aa9812c3ddaf61ff82424f092189b5a075958f829d88744efd7913dcce6939f934ea7181b4d1b4f026993762242f2d719c58aaf15929

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
311e395e98fa959f806f9647cbda4143

SHA1
7787739bd2ae5767dbf226203d291b058f584a10

SHA256
16f9f89d162d38a15c30d00ef3a7a79eb544e89176c7b7ce15a58dab4f24cac5

SHA512
42fca46c4fcbb77c1683d3d59912db3f59fd8664c19b181dac674fb8ea6aef2372b3831624f7adb908fdb8cb40941b560a6865a9745973f61bcd3e6b16763c58

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
a05f8ef22b2407cc16ae2bea3b17d05a

SHA1
2c83d17afc06baa5842ae8be298a3ab14969af65

SHA256
b16eba8b2cb270f3d8ef65fa60521b1db68da07bf3fdee7436f2299515ed45d8

SHA512
f0226c4e97e4934970a61af4c9a1214620f7fc35d7da370a4f093df99380b28d05a3ec792bfc1e8b1ec23c914778f6b8c286769ffd079f30eb9578c1f357c1a1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
a05f8ef22b2407cc16ae2bea3b17d05a

SHA1
2c83d17afc06baa5842ae8be298a3ab14969af65

SHA256
b16eba8b2cb270f3d8ef65fa60521b1db68da07bf3fdee7436f2299515ed45d8

SHA512
f0226c4e97e4934970a61af4c9a1214620f7fc35d7da370a4f093df99380b28d05a3ec792bfc1e8b1ec23c914778f6b8c286769ffd079f30eb9578c1f357c1a1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
a05f8ef22b2407cc16ae2bea3b17d05a

SHA1
2c83d17afc06baa5842ae8be298a3ab14969af65

SHA256
b16eba8b2cb270f3d8ef65fa60521b1db68da07bf3fdee7436f2299515ed45d8

SHA512
f0226c4e97e4934970a61af4c9a1214620f7fc35d7da370a4f093df99380b28d05a3ec792bfc1e8b1ec23c914778f6b8c286769ffd079f30eb9578c1f357c1a1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\users\localdata.dat

Filesize
135B

MD5
8b33ee873631b455610c30e89b783c93

SHA1
bb735c65e56e7345e9cc863756ec6269a4e02a42

SHA256
85479aace7f91dc6f7a84250c2e573ff4d32e7fbeed1224a430337b29d4c3b54

SHA512
587a49bea7edbec0f34bf68cfa5087fb83e1892a3a78f8abe4be349bcd202ed19eec6a762ab2ebe6aadcaf91a1fd5f46024e3099e13ed1f52c9fe5860c7f7902

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\xImage.dll

Filesize
1.1MB

MD5
77cc128418b7eaa32f84f016bc43b4fe

SHA1
1dedd205b03204d66bd5fb5ab2176f6c7ca0267f

SHA256
ad65d96546fbeaa06bef881ae5b5561a90b8612c6e5ffabae88b586eae9086b5

SHA512
4372d9ed984c4789acdd903ba336657731c9335b09280e8e3fd21a4e0bd23456c1594e1d983a3bd05940c9acebc3d23360b0459f21b2891705c2f3626fb23f57

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\xImage.dll

Filesize
1.1MB

MD5
77cc128418b7eaa32f84f016bc43b4fe

SHA1
1dedd205b03204d66bd5fb5ab2176f6c7ca0267f

SHA256
ad65d96546fbeaa06bef881ae5b5561a90b8612c6e5ffabae88b586eae9086b5

SHA512
4372d9ed984c4789acdd903ba336657731c9335b09280e8e3fd21a4e0bd23456c1594e1d983a3bd05940c9acebc3d23360b0459f21b2891705c2f3626fb23f57

Download Submit
memory/1640-423-0x0000000000130000-0x00000000001D0000-memory.dmp

Filesize
640KB

Download
memory/2716-389-0x0000000065940000-0x0000000066D6C000-memory.dmp

Filesize
20.2MB

Download
memory/2716-390-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/2716-383-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2716-385-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2716-384-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2716-387-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2716-386-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/2716-330-0x0000000000130000-0x00000000001D0000-memory.dmp

Filesize
640KB

Download
memory/2716-388-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2716-331-0x0000000000130000-0x00000000001D0000-memory.dmp

Filesize
640KB

Download
memory/2716-429-0x0000000065940000-0x0000000066D6C000-memory.dmp

Filesize
20.2MB

Download
memory/2716-426-0x0000000000130000-0x00000000001D0000-memory.dmp

Filesize
640KB

Download
memory/3844-93-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3844-17-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5056-248-0x00000000002B0000-0x000000000097E000-memory.dmp

Filesize
6.8MB

Download
memory/5056-395-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/5056-393-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/5056-238-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download
memory/5056-237-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/5056-206-0x00000000002B0000-0x000000000097E000-memory.dmp

Filesize
6.8MB

Download