zloader | hxxps://terabox[.]com/s/1xcdNB4QmXTG43Ct2o6XDtg

Analysis

max time kernel
1800s
max time network
1689s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2023 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://terabox.com/s/1xcdNB4QmXTG43Ct2o6XDtg

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Executes dropped EXE 24 IoCs

pid	Process
4708	TeraBox_sl_b_1.25.0.12.exe
4816	TeraBox.exe
456	YunUtilityService.exe
624	TeraBoxWebService.exe
3824	TeraBox.exe
1644	TeraBoxWebService.exe
3640	TeraBoxRender.exe
3008	TeraBoxRender.exe
2816	TeraBoxRender.exe
5040	TeraBoxRender.exe
1728	TeraBoxHost.exe
708	TeraBoxHost.exe
2360	TeraBoxRender.exe
2120	TeraBoxHost.exe
3692	TeraBoxWebService.exe
4980	TeraBox.exe
2052	TeraBoxRender.exe
1948	TeraBoxRender.exe
4532	TeraBoxRender.exe
3488	TeraBoxRender.exe
764	TeraBoxHost.exe
3212	TeraBoxHost.exe
3268	TeraBoxRender.exe
3372	TeraBoxHost.exe

Loads dropped DLL 64 IoCs

pid	Process
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4816	TeraBox.exe
4816	TeraBox.exe
4816	TeraBox.exe
4816	TeraBox.exe
4816	TeraBox.exe
4816	TeraBox.exe
1672	regsvr32.exe
2396	regsvr32.exe
1160	regsvr32.exe
3008	regsvr32.exe
2052	regsvr32.exe
456	YunUtilityService.exe
456	YunUtilityService.exe
624	TeraBoxWebService.exe
624	TeraBoxWebService.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
1644	TeraBoxWebService.exe
1644	TeraBoxWebService.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3008	TeraBoxRender.exe
3008	TeraBoxRender.exe
3008	TeraBoxRender.exe
3008	TeraBoxRender.exe
2816	TeraBoxRender.exe
2816	TeraBoxRender.exe
2816	TeraBoxRender.exe
2816	TeraBoxRender.exe
5040	TeraBoxRender.exe
5040	TeraBoxRender.exe
5040	TeraBoxRender.exe
5040	TeraBoxRender.exe
1728	TeraBoxHost.exe
1728	TeraBoxHost.exe
1728	TeraBoxHost.exe
1728	TeraBoxHost.exe
1728	TeraBoxHost.exe
1728	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447815458966671"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\ = "YunShellExt 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\DefaultIcon	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
4508	chrome.exe
4508	chrome.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
4708	TeraBox_sl_b_1.25.0.12.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
3640	TeraBoxRender.exe
3640	TeraBoxRender.exe
3008	TeraBoxRender.exe
3008	TeraBoxRender.exe
2816	TeraBoxRender.exe
2816	TeraBoxRender.exe
5040	TeraBoxRender.exe
5040	TeraBoxRender.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
708	TeraBoxHost.exe
2360	TeraBoxRender.exe
2360	TeraBoxRender.exe
3692	TeraBoxWebService.exe
3692	TeraBoxWebService.exe
4980	TeraBox.exe
4980	TeraBox.exe
2052	TeraBoxRender.exe
2052	TeraBoxRender.exe
1948	TeraBoxRender.exe
1948	TeraBoxRender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
4980	TeraBox.exe
4980	TeraBox.exe
4980	TeraBox.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
3824	TeraBox.exe
3824	TeraBox.exe
3824	TeraBox.exe
4980	TeraBox.exe
4980	TeraBox.exe
4980	TeraBox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4708	TeraBox_sl_b_1.25.0.12.exe
4816	TeraBox.exe
456	YunUtilityService.exe
624	TeraBoxWebService.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1032	1952	chrome.exe	86
PID 1952 wrote to memory of 1032	1952	chrome.exe	86
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2980	1952	chrome.exe	88
PID 1952 wrote to memory of 2656	1952	chrome.exe	90
PID 1952 wrote to memory of 2656	1952	chrome.exe	90
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89
PID 1952 wrote to memory of 2720	1952	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://terabox.com/s/1xcdNB4QmXTG43Ct2o6XDtg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacf6c9758,0x7ffacf6c9768,0x7ffacf6c9778
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5164 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5628 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5620 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5812 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2240 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2244 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2752 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4956 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe
  "C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4708
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4816
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:1672
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Registers COM server for autorun
      Modifies registry class
      PID:2396
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1160
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    PID:3008
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2052
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:624
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3824
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2552,16153677312772642847,11537869611665609141,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2580 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3640
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2552,16153677312772642847,11537869611665609141,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=1784 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3008
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2552,16153677312772642847,11537869611665609141,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2816
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2552,16153677312772642847,11537869611665609141,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5040
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.3824.0.9120564\867063266 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1728
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.3824.0.9120564\867063266 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:708
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2552,16153677312772642847,11537869611665609141,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2360
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.3824.1.1003885618\132722850 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      PID:2120
- - C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:456
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1036 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5388 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4848 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:8
  2⤵
  PID:2372
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" "terabox://launch-app/"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -start "web_launch"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4980
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2520,1945829689276982158,13840599477194760662,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2528 /prefetch:2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2052
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2520,1945829689276982158,13840599477194760662,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2860 /prefetch:8
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1948
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2520,1945829689276982158,13840599477194760662,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4532
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2520,1945829689276982158,13840599477194760662,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3488
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4980.0.599251075\55275801 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      PID:764
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4980.0.599251075\55275801 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      PID:3212
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2520,1945829689276982158,13840599477194760662,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3268
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4980.1.1748684204\1115444256 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.53" -PcGuid "TBIMXV2-O_787E8A2ABF9F446590D89EDA68EACD9C-C_0-D_QM00013-M_F64A97758ABF-V_3718EBF7" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5432 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4956 --field-trial-handle=1864,i,7563042547367236843,3219860404028802156,131072 /prefetch:1
  2⤵
  PID:4528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
39KB

MD5
5c85e178727da72c727024b351c807db

SHA1
f6b0022bbca92497eecc8421467ee9f2a1ca40b6

SHA256
5054becf2014298c8e5219804366e6c7e1f38f0f4b48189a4f4c134100610503

SHA512
10354583a4ebeba92723661847c4ae9f455b3df16037a6695dd9c15c65ed3526258a2b06d524dac7ba6b06c510cecc08b97010d36d722ac82790f2fa55bf56d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
17KB

MD5
bd8368f848407291928a5bf6f58570bf

SHA1
bd1a754c33a1032d914ecfd3a8a5e540630f84c9

SHA256
65d7ebf3eae86bac0ed4923dfc8beea0d755e8991cfbcaca56977800daba7ba7

SHA512
1ae5fad1eac714a9ea4dca6f7fde6e4e4dd2060c344ccbf7ccd190a05587601b21aabdb05576e56750ddbd9312a29b38ca87f092d3b72e0951cd5cc72d2550b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
40KB

MD5
262eae52eae8f89f1633eb0bca36594d

SHA1
2dca234cbc2467562ce0696cac38534286bcc240

SHA256
cdca2e254ca8b08e71139f02bd2e1b5f1492b0053fabc644a893575b20346138

SHA512
ce26f638bee33a0e320bdb69aecb159f2d0ddadea98edb3604ee7d690a26beaf76e89e18cf71a6ea944025cbadb17a770a2d4f8f9a44ae9c263acb2295fe16b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
29KB

MD5
6424a9644c32b97dbc8da57d38750516

SHA1
9feeb33707e5688df2b9d68ddf506772d5cbf1ba

SHA256
96017aaa9eaa9b3d75b56440d05677b8bb20ade02ff2af86b39e560b1fa5b69a

SHA512
f7d22ef2f599df2c35fabfc6328241ea9624f2915af78a5b81ad89442dc4fa5c0a30d5a2f8b425e56e2dbb5e4a39397dda8b32424106ec493afa900cc631eb9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000049

Filesize
84KB

MD5
cdaf05235da9a0d0e86011f35c9a21b6

SHA1
feecd792483db0fbde0354392889f3b4a8510ac0

SHA256
b7e376f19c957e81193d64239ee2eb252f1ec76f077a8dbc001f9e5edd053116

SHA512
77b42b64c338b9a9ce270b4b88feb05608e3958cbdf5b3c5ba6bdfe4e530927716969818b294179f0dc217aafb294d7fd14eb1c8fe570d3c061587dfc9b25677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
1f67b67929b0c0cd5021aad0e7a16b6b

SHA1
ec72119a00a21199f7423560ade4bfd0768103df

SHA256
ea0a4c4de22fb3acfffa60bcacf106370147b1808c3e122c89bb828621bda8a7

SHA512
df5499852b0ffdd458c667a05bbb72e22c3c0b8e402faaaf3b797fc004f50e47a93b2bfa3e53d6e296aa05ca4de89586e6767ccf4b18d7da695b472026ec1a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
3e3c1d026c8f2f5e9731baf07bc49163

SHA1
bc78dc8dc05eb6203f737183868a14afe3591360

SHA256
e16469811b3edf36a4ca7a1c585b44c7a517a53efcc4244978f6fbbd4100736a

SHA512
83fc59b92172ca5aa23de93a67afabdecfe85e1126f8abfb6898df9b84df85bfd3df30e59b9a2a83c7418e1410ea8c3d19a7579fe12f83f0dfa5dcf23e0b3374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d3383dd959fcabdd460b44705e0032ec

SHA1
9d1b20711fb12bbbd4d311ee5d982694a7fb04d6

SHA256
869417de354a7fda9edc2fc4f3761e5a3777c07e2a3d048554a581eb31fa0ba5

SHA512
17db7c2c37934eb4e88a3831529d487c7be31138915594ebde5ce7218eff6393312548b80cd350ade71ee6a521fcdcdb6987cce92c2a3ba7ec3be927b8fca2b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
836ba99c4ffc74437836f0fbfcfbe238

SHA1
8b211189e03ab0b0d0dd72c9c34e61b4ed8a3fb8

SHA256
f11bc6723fb6bf28d029354b616ffdf941dbd5776390a185e6fa95008c6d35ab

SHA512
0bd5db29d395d033d0df4593f32723eacf3f1d0615adb94a5cc86e942c1f52ba1577d412501e1b3a3bc2a504439e7c03deb1975d3deb3d9b803cd04d36738ca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1fd3dfc3b519fefe20419dc04a6d457d

SHA1
b8446ddf36bd176f067924177bc0f3c52a4889e6

SHA256
cc742d5e9c405f189aa35b80655a2c98774f8c206d8b868705dbff4d4a11bb94

SHA512
6e607b77e6ced8264d5ae9629ad4375b3cf175684b9641432f3f4a57e39327e4fd8bc9b52ec9fd0a89ba00a536a820aeb125bab76313a6e68af03725c792d0b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a6a4949cca6b93dfb0443a5c7dcd8617

SHA1
59b2032abfa88b5fa436fe896462e8249512b38d

SHA256
a2e302ece427c249461b114ba7b34de0e8ceb0e6c24ddd4cad7514f8e4893a66

SHA512
a2fd59706dccec84e57f2637f1210bc4df15c09b472963cf89e4ad1ea8a0b46d0c2ad63edfca4c7a9fe95e69f53845108a54753395737f8d6de2bb141a832cec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
791435875ad0d2a5f352347fded34e7f

SHA1
12fdf5267c5975f55d32d89c0b803f27977a3141

SHA256
e6cb1c4284fd457f316feb7bfa742a233c7bda3966f6612e280bde5c28dd389a

SHA512
b1ed49dda9cda08590e2b5bea9b28f46187d5c8bcb3782cc5c04679f16256330fdc985669b139ed7a74401c7d2d648a21d2c4f72c135ee035fca0f1774db605e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5a8894040daa74bd09dd408aa885ecab

SHA1
d4bfb0e1458fc0e3eb42a5cad462298cb0eb93fe

SHA256
55c5958a62fed1d9fed088945079739b33c2d0ff9236d6c2d3dd8e40af2745c0

SHA512
8500238cde30f745d50e53c6085217dfee4affe5f1f834812072e383b449b312894f224c41b015807fb857dade12a2fcfadbcfe8be9337ea0c35273271a12da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1ca0d02b5b3ab5823c87b20d4707d7ee

SHA1
b82e3215f8a1b6b1d285dad004a13c272df1eb9c

SHA256
3797e9c468dc5d1abe1319bf150468abe6ce752e5d49d10910a32a23a7ca6cb7

SHA512
80730b7a84248afaad40909c0ffc557f047e428a4d16489f2409c302f9f02c24abe405548e8fd8c3276ba1af7be2e39c8bd1fd07c3703ab3cf89dd90c146d082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5b7e2e1235c7726edc23133a17ce482e

SHA1
054c96ffd4c79136522b748a8e863629b1c170fd

SHA256
4260c3e7848b7f2e68fc9e6fea470203475540fbe9464824d2aed377043b95fd

SHA512
2672b0ed0dc1ce9ba894bdf266bd0a57dfb9bf8fbc561c956f00de3beae47264c19e40f44c681391c436d7215f6ad8b9a6e62993342d70db40fafed01ec6ef14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
674119002d60c1c16a1ef8847bee027a

SHA1
c38b269eea82a5dcbeb094bd025d1499cdc46f77

SHA256
91fe85c63b74348d974cf3a4295986a587ddf08ba389d7b7fd1c00aa3462fa91

SHA512
58f994832ed7d4572ca8105fc4befb09b571d144628b24913dd0b0c0e8510487499de5a30287c3e0b47902bf6e65efa35924dd586e9ec6df508ad53df7e95a98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b972c9ba0e3beac0cd9a4bbee64f9cb3

SHA1
2ad63c99e413cf7fbe1f11c515444db030ff18de

SHA256
131aefdecf57a5a7015211e2414fb718bf2745bf9ebc9eaec9bdf031bbe31fe4

SHA512
ff193e4f25cadd17f24c35500096a2a3585139520847f3a12649380cceea47c0495c89dfe61abdd7fe9a68856b0f299af6b508ae0f93df8e05615f7bb6bc1f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5a71784de4ef624ec102be06d39d6d28

SHA1
b5fd3819b0b7526a7562574588337d2248fb53aa

SHA256
120e3707fd76e11186e00d00f32c4049890fcc7769518ba85cdc96186774d701

SHA512
1a82b64a4ffde87092045b9d1133854b749189b2709493d32b39f5c22965e92a16267845ac929dd82cd4a3d6c80c681c3ca67020f0b8150b5e2c84ed02754158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cad3bc94f5beec90ec889fabd2dda7bd

SHA1
e7e653de9d1605e20431b296de68cf3ae0a77196

SHA256
f670a007b9f4ab256a269cf28af7be75a622316c701a20acfd3a6f825edee017

SHA512
35951d36e3ac1903cf5a1626d5574628e39b598ea41ecc154d22be2c23025fd7d400457353c643b61c218de50d5ced8b41b04fa0a627b463aedd296f7a3abbcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39d6128947961409832a4a4db13afd51

SHA1
459fe281fe3ed7cf04e739e87407fd8a7245e82b

SHA256
fbccecbf9d5d58a86955bafcfac37a475ae7d6e6af524d294b9b5f2833048dc4

SHA512
068af294d59babd48752becc7fa3bdcef9d1b8e9ce6565431e439863384ea4edb98d74b8356ebcb8dc27c285e6e9eee282d11db5f6d8ff57451df15a1c8152cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
424e2c48fc9f8253b760cbca725df8d9

SHA1
ecdabb586e850d820b925beae2cc5356dd41e85d

SHA256
6a1e685148058cafae1dc63c61a0ec847b319e794fda563544fbdac2e9262d79

SHA512
e246f57b927a8a2f9bc82cddb6316322a2bcf98b3e6a4a13aa3a2bd1da66e3dd1f26f9e4f8e9be59c43c2f722f683348275c8b867afbe5df1f4db1f5c0d70159

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
298606a030d0fc86026cb2a37cb1925d

SHA1
a6b408b85cdaba79ae659044835cdfbad5c4c11c

SHA256
576e123cce30b17852feed53130285f3d93086996b9ea343887c0e03ed65016d

SHA512
3a63db20ae655324d7160bb51c07264cf788433aa35c63896fa9bad8c1f4d5ed62cc3ef18315184ae0aaecaaf604e29e4b8be90d0764a24e377a9e21b86f5309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
53a7292e0b7a759152447c5dca6470bf

SHA1
8221ac1cad4100f1cc7ed63400a821070f1c04bb

SHA256
313f1c3fbcbeb919128c39c9c26ccab8f56ef9d7b4a9553542436632d01e37b7

SHA512
50a0d2c41e757c10d7b69dd5c36c9ca77b0104a5bfc0dfa3d4a12d7df355e22f87e45f9aa69645c8c6d58a32d4d03591e5aac4f07a7d7d1dca34f8ddcaf82f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
c9eeacd508b22d66b1343e3da463949a

SHA1
ecc3551ffb0c33ccde56bfe6b9fb87498aa71b1a

SHA256
41937730be8c4d9f6af3beb489aba0f95ccf65b812b387ed0e820f9787d7c05e

SHA512
7427fe197edbf1d917cfb3b844a78a1c582b9cda541df4b2282014e761a0a6c89e29b25e1c60fabd28a2c4a8e9785cd947584a8a37c4b7c5ef9bb285d67f874c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
0bf2407645e8c06dcdd4a47da935941e

SHA1
e8fc758bd1492ad18b4a971dca0ef2509b02d2f1

SHA256
ad9ed67f6cadbaaf8392d9ce25d896620c819b34dafd68167e43f7ac2cbc8507

SHA512
a46a327d65e6b00ae399a09171a1899a8b801643400030c3feca7a7177170912aa7ec917abb7dd21abc4175c5b1c657e10f4a2224ad9bcf073e6548314bf5b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
121KB

MD5
4d8169c2dda76a76331a7f90d0976997

SHA1
2d2f9fac3b088940d3c9a4bbc7dcd7a9c62d1c6c

SHA256
aab365ae215b4e3d71b2d8f6a2bbda5a21c71758c08bcd37a378332748513146

SHA512
c17d89d00bb7cef63e7267b58d48af205a3497ef2b8830378c6cd9192db7358cfa99c108ed2f0dbdecbfd131b8255fd69c4f9b4de9257404343dd2874ad2cff7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
119KB

MD5
078245bb15259edf2de4a0aea70f2133

SHA1
48849ec377d3f21b122b11622e5bf94f0e2a1617

SHA256
b85ec95dd0d78b91f948c00febfa00b04809cc82f6e987ec04531c16da01de8f

SHA512
1b111c3bee5fcff3c750d6cb3ca2f8e8f149e3e25da2eebbe93ddb976901da46d723fa08e0520cb626792974b8656dbde22d86ebb888a7f12fdfc387fbac8226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5af8f8.TMP

Filesize
106KB

MD5
11a4e84ad410f88a4330b6d4b206a2ff

SHA1
5a4198468d982ef92d166ea5574de608daf112f3

SHA256
6f5a8ea05789205b158a3a07d34edef5f8d6d742f49e6440babe04f1750fefb1

SHA512
0b0ea44f0237e94fe7b810c59e4731799e23c220f45acf7c45c0b20e1a023c4f6e4aa5a9f2020775f5284ef23bd6839fbc6f478c2a40037d6d1c7415620fe2ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000014

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000017

Filesize
32KB

MD5
5cd8203d2c9b40c2c57293d3e6dca860

SHA1
d4b4ffe5e0ad92ad51b00601115ff527759a24e0

SHA256
0d75d54ae63a83b4aa924d57207f305c6a0b12ea005200550837b3ba48b6533f

SHA512
a07cbd95b7d1fdc4de4a1462a18fd6112fbcd3298aca6dc2862b915390a45035435b0e267984e5f1f004737ca9b53c13e99ae1d6e1f64ca173a17a02b5e6867a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
7345e0ff536255481922da48858c512e

SHA1
3a334bee7dabc64c5932d8a77b7ab2a4ed526c1d

SHA256
21cbba51355b30b53ffe0ec3d836c29a7305227db36db533ea3c37f6ad7285ee

SHA512
de55375c2783cad379fdc4250279d4beb7d6337d6280683e6f17501a668b5054cd5a87ec52bc8046a82c7911d154f8d233c00f83bc707310ed0f6590f37dd90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
3987f6df8c0ef722dd646a9e56c5f097

SHA1
27f05831fc214c0119d8712809b134bcec717528

SHA256
a9f4a8dada073cc9400dcfb4402b661fe91c16d9f1b0f7563a5b528582ef364d

SHA512
4901e753f5901edcf8c04226ac614305e86776835237fdf3c6ffeffa29e3a03517295c57e4319ab82d9818a6c4aa8ef13c979b8db517d819b526b0b480caf15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5c7ba0.TMP

Filesize
48B

MD5
d8b3b6d528068627efbe3b97eb9dd8f9

SHA1
0395938b6e75f9fbdb5889f06640250e80614cf7

SHA256
bf367a9f9700e0cdab0c5ec4744a645a6b9b390a20abad75e1c753cc8424aa6d

SHA512
97ff1b76424ef5039b44b6bde3a740b16ee7abeb938ed1aa4f9b659fe4d281f0542179de61b2884a7c984880506ded03c2fa003822258ae16c0bda3ad7421d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
962B

MD5
e5bdd4a39f05a4909dd68e682bd9f62c

SHA1
5b84434c776aa8437cab2963dff0aee57dbc64a8

SHA256
483d5d8cb69b20ec2f007a3b25629685898a9b1bbd12a54878190a84eccd9ad7

SHA512
c54fc4056f140764b4f307ac060fe6daa9ddd41c58b02a41297dd2dfa9a4ba1278ab818939cede973bf9c4f6b688d7b80f8060fa037c0041ff9fd209a306ba44

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
962B

MD5
379e691f536329b3c48653d555b5d146

SHA1
5504eb14aeb11f5a1c3c916aa3b54e19dbc93869

SHA256
01bc5ab2e4997ed2c86499fab4481ebdb248137da800db3a334de917af613316

SHA512
d20676ac895aea752bec7149de8281376f654b8fe38f1c57256467ded372263ea24b030782f1c24f41c31840de032bdd55e6c33e6fa5a02bb4a1704ea8b5a2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
962B

MD5
6b286c6861ea0bc6330daed68c8919a0

SHA1
8d74ad670a7aef7e530a98d72a437eb5529cd40f

SHA256
3dd638bdeff632017614d18f9c40ffba9b575faef8ed06195d5d70da24c22ab8

SHA512
f2ed70c27639e60c8a4e13f5021040af22fc1925f4860fb381665008208cb15639af61c9e7e2b901223215254353c6818ddcbf68733d3b1d47bcb4872d24e57c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe5c7bee.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\TransportSecurity

Filesize
706B

MD5
fbde6f804fafa281bfdd679eb9883151

SHA1
9b48e569b212a454f956afaf6460b987c269dfb7

SHA256
d70a95f831349f60e234c7c75e2288ed2218bdbc1c697e59814555453acc4ddb

SHA512
319b5777f652b5b03071546e3833871b06e00c39aa8418ab1fd0a4753002ee4cc2c7f980c417168f297b27c20df74fd8f1fb73b2fc0ad8985b304aa9eec1cd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
86839695db3d70bd8d2680fb22dd2b63

SHA1
6de71007fb9c75bd7dbdb2df8727fc7fc832f670

SHA256
fcf4d306acb8e51a7c9ff33394f37a2329015b84e5a43e6f2385fe67da8884dd

SHA512
da6e4be510127fd6c62d3877d6fcc800b4f2426decbf30e9284a49b008931e15ba5b3ebff89d423d9d71f49e9e2f664c835a2f8465038607da7fb2a23326301f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
86839695db3d70bd8d2680fb22dd2b63

SHA1
6de71007fb9c75bd7dbdb2df8727fc7fc832f670

SHA256
fcf4d306acb8e51a7c9ff33394f37a2329015b84e5a43e6f2385fe67da8884dd

SHA512
da6e4be510127fd6c62d3877d6fcc800b4f2426decbf30e9284a49b008931e15ba5b3ebff89d423d9d71f49e9e2f664c835a2f8465038607da7fb2a23326301f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfFFDF.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1952_780006110\terabox_ext_chrome.crx

Filesize
169KB

MD5
8b62fae8abb6a0ad718f2159032d96ec

SHA1
24b7c81b4562b9c104b281fbdecd1772b8aafdda

SHA256
838bf0a9e53138a59fc4c5d4712eea6605b1d60867c6549d97bd6411e6bd5585

SHA512
ef8ea529f1e1de211f69c6f58661ea6c55954e7d6b3fe0586978103d1b257581f0d007c77b03622ee122265abec259f85362d93803d74137fddba11da499e8ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
705922884571aee04f5056c607e6684b

SHA1
391fc666956ba01367654c4bff8115cf232e9bf0

SHA256
c2d02ba58d767694f10520fccfb152960046aae0b1c1bcbc2f70b6bb8846eb53

SHA512
57408fb8a9bf5046bde67fe04fc4293bfd12783c1b10612d99e94797a3d3d8bb0799156498e2cf93308553b82502add5c5be4f932cba805a49304eb62e136ae4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
705922884571aee04f5056c607e6684b

SHA1
391fc666956ba01367654c4bff8115cf232e9bf0

SHA256
c2d02ba58d767694f10520fccfb152960046aae0b1c1bcbc2f70b6bb8846eb53

SHA512
57408fb8a9bf5046bde67fe04fc4293bfd12783c1b10612d99e94797a3d3d8bb0799156498e2cf93308553b82502add5c5be4f932cba805a49304eb62e136ae4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
c07c002c68d5bd4c4210a4a0f6268f93

SHA1
b642f0caddeb3c9b00c9eb2e8ea7bd17c929791a

SHA256
eed412fbb7ce707aa024cffb554b8ee0235d6b0c9528bcc67ec90a4fa223df7f

SHA512
860aa6bb8f725460670c26ed4c0ca696c478572ffc085df4f52c8de933f74a4564b2682f3f213c04d86f1d387fda6dff9c864527221e62af267bbede89494b91

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
c07c002c68d5bd4c4210a4a0f6268f93

SHA1
b642f0caddeb3c9b00c9eb2e8ea7bd17c929791a

SHA256
eed412fbb7ce707aa024cffb554b8ee0235d6b0c9528bcc67ec90a4fa223df7f

SHA512
860aa6bb8f725460670c26ed4c0ca696c478572ffc085df4f52c8de933f74a4564b2682f3f213c04d86f1d387fda6dff9c864527221e62af267bbede89494b91

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
c5a41b35d77e99663a8dbd405bbf4871

SHA1
61a097bf51b463cdb62b82c8fe4725cb320979e7

SHA256
18fb2366b81b11aea28646de1b293078b71bc8a9bc91f699e3476935b2dd6b76

SHA512
ddab29f27f087de94ae746550ff70424719646aeebb58dd3d224f9c821c0525449cb88fcc32238d2b61de21ff79b477e2e8f1b36dfe99b06506bd7ae94ac410d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
c5a41b35d77e99663a8dbd405bbf4871

SHA1
61a097bf51b463cdb62b82c8fe4725cb320979e7

SHA256
18fb2366b81b11aea28646de1b293078b71bc8a9bc91f699e3476935b2dd6b76

SHA512
ddab29f27f087de94ae746550ff70424719646aeebb58dd3d224f9c821c0525449cb88fcc32238d2b61de21ff79b477e2e8f1b36dfe99b06506bd7ae94ac410d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\terabox_ext_chrome.crx

Filesize
169KB

MD5
8b62fae8abb6a0ad718f2159032d96ec

SHA1
24b7c81b4562b9c104b281fbdecd1772b8aafdda

SHA256
838bf0a9e53138a59fc4c5d4712eea6605b1d60867c6549d97bd6411e6bd5585

SHA512
ef8ea529f1e1de211f69c6f58661ea6c55954e7d6b3fe0586978103d1b257581f0d007c77b03622ee122265abec259f85362d93803d74137fddba11da499e8ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
d14a330bcd1891dd9cfc390f9100f7a6

SHA1
04a4f1945a70a59c8630889027fae1b2ccfc3e98

SHA256
8c449bc0298a6663ea98501103c3c5dc9cecfe254e17a16ed3518986b9ea86a3

SHA512
90e43a4a70af97b05ac7d08022e84f5e2940d58ca6b266fb2bb4dbdee8fee53499538696c6606b4ed7add2ee066969413646152523dbcd8cbaf4cd295210b9ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
memory/708-816-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/708-817-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/708-976-0x0000000064C80000-0x00000000660AC000-memory.dmp

Filesize
20.2MB

Download
memory/708-814-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/708-815-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/708-812-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/708-975-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/708-818-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/708-748-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/708-819-0x0000000064C80000-0x00000000660AC000-memory.dmp

Filesize
20.2MB

Download
memory/708-822-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/708-747-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2120-880-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2120-973-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/2120-881-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3212-1028-0x0000000064F30000-0x000000006635C000-memory.dmp

Filesize
20.2MB

Download
memory/3212-1121-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3212-1032-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3212-1026-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3212-1122-0x0000000064F30000-0x000000006635C000-memory.dmp

Filesize
20.2MB

Download
memory/3212-1031-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3212-1030-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/3212-1029-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3212-1027-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3212-1025-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3212-992-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3212-991-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3372-1049-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3372-1048-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3372-1119-0x0000000000100000-0x00000000001A0000-memory.dmp

Filesize
640KB

Download
memory/3824-709-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/3824-712-0x0000000003F70000-0x0000000003F80000-memory.dmp

Filesize
64KB

Download
memory/3824-695-0x0000000000390000-0x0000000000A74000-memory.dmp

Filesize
6.9MB

Download
memory/3824-983-0x0000000000390000-0x0000000000A74000-memory.dmp

Filesize
6.9MB

Download
memory/4708-428-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/4708-546-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/4980-1126-0x0000000000390000-0x0000000000A74000-memory.dmp

Filesize
6.9MB

Download
memory/4980-986-0x0000000000390000-0x0000000000A74000-memory.dmp

Filesize
6.9MB

Download
memory/4980-987-0x0000000009150000-0x0000000009151000-memory.dmp

Filesize
4KB

Download
memory/4980-988-0x00000000037E0000-0x00000000037F0000-memory.dmp

Filesize
64KB

Download