zloader | hxxps://www[.]terabox[.]app/spanish/sharing/link?surl=V5vnCHDVo9MA7YQoEPt-5g

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20231020-es
resource tags

arch:x64arch:x86image:win10-20231020-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
19-11-2023 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.terabox.app/spanish/sharing/link?surl=V5vnCHDVo9MA7YQoEPt-5g

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Executes dropped EXE 14 IoCs

pid	Process
1152	TeraBox_sl_b_1.25.0.12.exe
1872	TeraBox.exe
3296	YunUtilityService.exe
3312	TeraBoxWebService.exe
5020	TeraBox.exe
2216	TeraBoxWebService.exe
1696	TeraBoxRender.exe
5008	TeraBoxRender.exe
4520	TeraBoxRender.exe
3884	TeraBoxRender.exe
1620	TeraBoxHost.exe
3236	TeraBoxHost.exe
4540	TeraBoxRender.exe
3024	TeraBoxHost.exe

Loads dropped DLL 64 IoCs

pid	Process
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
4276	regsvr32.exe
3648	regsvr32.exe
2880	regsvr32.exe
1232	regsvr32.exe
4244	regsvr32.exe
3296	YunUtilityService.exe
3296	YunUtilityService.exe
3312	TeraBoxWebService.exe
3312	TeraBoxWebService.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
2216	TeraBoxWebService.exe
2216	TeraBoxWebService.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
5008	TeraBoxRender.exe
5008	TeraBoxRender.exe
5008	TeraBoxRender.exe
5008	TeraBoxRender.exe
4520	TeraBoxRender.exe
4520	TeraBoxRender.exe
4520	TeraBoxRender.exe
4520	TeraBoxRender.exe
3884	TeraBoxRender.exe
3884	TeraBoxRender.exe
3884	TeraBoxRender.exe
3884	TeraBoxRender.exe
1620	TeraBoxHost.exe
1620	TeraBoxHost.exe
1620	TeraBoxHost.exe
1620	TeraBoxHost.exe
1620	TeraBoxHost.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133448274115080481"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ = "IWorkspaceOverlayIconSync"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}\ = "YunShellExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID\ = "YunOfficeAddin.YunExcelConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer\ = "YunOfficeAddin.YunWordConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\ = "YunOfficeAddinLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	TeraBox.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
1152	TeraBox_sl_b_1.25.0.12.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe
1696	TeraBoxRender.exe
1696	TeraBoxRender.exe
5008	TeraBoxRender.exe
5008	TeraBoxRender.exe
4520	TeraBoxRender.exe
4520	TeraBoxRender.exe
3884	TeraBoxRender.exe
3884	TeraBoxRender.exe
4384	chrome.exe
4384	chrome.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe
4540	TeraBoxRender.exe
4540	TeraBoxRender.exe
3236	TeraBoxHost.exe
3236	TeraBoxHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
5020	TeraBox.exe
5020	TeraBox.exe
5020	TeraBox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1152	TeraBox_sl_b_1.25.0.12.exe
1872	TeraBox.exe
3296	YunUtilityService.exe
3312	TeraBoxWebService.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2812	208	chrome.exe	72
PID 208 wrote to memory of 2812	208	chrome.exe	72
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 3684	208	chrome.exe	74
PID 208 wrote to memory of 2856	208	chrome.exe	76
PID 208 wrote to memory of 2856	208	chrome.exe	76
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75
PID 208 wrote to memory of 4032	208	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.terabox.app/spanish/sharing/link?surl=V5vnCHDVo9MA7YQoEPt-5g
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe2ea69758,0x7ffe2ea69768,0x7ffe2ea69778
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2892 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=6192 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2512 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2912 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe
  "C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1152
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    PID:4276
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Registers COM server for autorun
      Modifies registry class
      PID:3648
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2880
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    PID:1232
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4244
- - C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3296
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3312
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:5020
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2388,2084845176404109302,3925418880116138091,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.15063;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2396 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1696
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2388,2084845176404109302,3925418880116138091,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.15063;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2772 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:5008
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2388,2084845176404109302,3925418880116138091,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.15063;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:4520
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2388,2084845176404109302,3925418880116138091,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.15063;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3884
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.5020.0.192718152\515322865 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_4910D93F5FFF4CC39A9FF1E7DEDCBF3E-C_0-D_QM00013-M_CA1FADDD4180-V_5B2A37BC" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1620
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.5020.0.192718152\515322865 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_4910D93F5FFF4CC39A9FF1E7DEDCBF3E-C_0-D_QM00013-M_CA1FADDD4180-V_5B2A37BC" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3236
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2388,2084845176404109302,3925418880116138091,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.25.0.12;PC;PC-Windows;10.0.15063;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4540
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.5020.1.1012148436\1073957462 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.80" -PcGuid "TBIMXV2-O_4910D93F5FFF4CC39A9FF1E7DEDCBF3E-C_0-D_QM00013-M_CA1FADDD4180-V_5B2A37BC" -Version "1.25.0.12" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      PID:3024
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2840 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6216 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5176 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=764 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 --field-trial-handle=1716,i,18180948563056872159,6758174419558106825,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" "terabox://launch-app/"
  2⤵
  PID:380
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -start "web_launch"
    3⤵
    PID:3928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\65ac92a1-5551-46da-ad78-89ea1cc10d28.tmp

Filesize
106KB

MD5
9390c64fb8fd0be9ffd15e4d881347b0

SHA1
cbff336208f8b5025bd17c75729bc1b826575533

SHA256
e16e2c38e5628c5619d826fa3fc1fd12ab5c379abdf3fa46fbce1253c76f10cf

SHA512
a6971a7550d977cc6780de4183548da408d41079d17f6589c9a59afeb92556611f4dc9724d1839b7497affacf8081e3052367257d3e39635f263563f971d9cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
d013a94fce74b92ef85b9d8ac3bf139f

SHA1
dcd2ba0a247e0e10f739dc10c2d585e1fcb1a534

SHA256
540013485be94452f1bd9fcab83e47799ee5d28204004490900fcbba3227f3fa

SHA512
94ef0571a0cbc9b4886d59a521b0d2f3ab1fedab68989a6ec12bfc82f88c2cb0515c52f3d953bb8e46d890ca0b5fc3aaabe438c267c72b7f0fbc68cb29d9a88c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7f5ca56e57b5977c8c6dbe4dd85502bc

SHA1
f81002a187629926fca4d47456c356bca61925d8

SHA256
6c33d036a01f624c3c0dc7e74f3d93b070f5dd2df854c947c3e43636c3c62656

SHA512
709b39f7057ca5149203635c4ae9395df247047270d14c47b268b210238e5ba91a51bcb0d8857f9dbd60c239bcec581bc74af08606286395ab27aad93a0b988a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8f5292c404d882029ef941e415514a97

SHA1
523de0273e4cd242c17291a33c48cdcbab2cce4a

SHA256
a1dd7ad43932e7da61ba79f28e0af8061b1d44b651c1bbdc9d63f526a9f8a65a

SHA512
19c5bc11411b40919b6ccbfdc27fc542cbc813c0cd01c2fb0d53c4ce6b042e02c07b0c6a3a4dd7b7e7c86a84d7d5b8727730cf6979f9dc0b7654bb04d129b872

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
05f8f6cf7f006d4410c1e8aaac5e7d1a

SHA1
6a743de3876ebca1ac7e777e7f4930dd90b39a00

SHA256
fd412b37014b60afc322402545e95dd16d742354ca7341df25fad161d60416fd

SHA512
09ede910e5b921aba8e9bb5d43173574ccf5fe7bcea50c028a8525ea931f43f23280028e7babe3e15fef280f1fb03e65b76c0cf1203b7030b72e8c885819b679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
515fc6b14ab4a7fa55767ed0a1edcda1

SHA1
71f2748a8489b1ba1368481f10497dbf9b2bf65e

SHA256
1d7b2feb3fec2478e4758b59fafead1755ce78e8e9f1dfb72aa60b3a941d0a20

SHA512
d08c8d1b432f590f727a1a9eb58ec2ff2e7e2ac7ba458425799eb59a0eab35798a1b90564d3767aa6ffe0a99bc04372b6a1192cb129e139324ee0ad6fb8fa5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
00cd0bd88cd073e32a71981d86735130

SHA1
12f9cfeabc201ae2c56253dd5b97b02acc853585

SHA256
1eecf6834c3208d8c5d8414f102114c68c7ed61d6f632af9a430d9c7a598c0bf

SHA512
ffb668ac4b23c57104d16e52d21ce4706081bb996b89a640fbe59b556cfce638f8720e3fdf966b02a731d62f513f110a175abd2b9c713b4fd4587f05b2b7a3af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fc9c957e402631455614e9e22818147c

SHA1
1f66170c376aaf54291651ff06a72d7cf5d44b69

SHA256
034528e92501d91ac9911cbd949a9632f3fb2f547ce4b85bdda7543523374ebf

SHA512
50f128be8d17d682924084e02de6b4e9c182b96c75bb72808e90732403e920722b7170ba2e4443e515cc6c8d87977cd80b708e7f349d195001901fdbb8e22eaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6af2e90dcb849647eb9ca08bbeb2864c

SHA1
6cd3e48b65778c2559f114124fe105ede7b27f37

SHA256
d39b2bf8420b10e2ecdeb565406680bdd32aeff2bdc9ba0d1f6a52d624c88eae

SHA512
6d3a3f10cd00cc0ad76fd043177eabacc2f94c89c0d522889393d003f90a7b33c9db9ec886a4ff80a8389f41ad7b69e3a040203e1e11d71cedd642a1f90ed0af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
13984149f2e8419a3facd1e7d8e79ac8

SHA1
708ec3f3dcd025e377e4220be3b086e865e52350

SHA256
852304e47dcb55ce090e59f92a454c4dc6d5e1bf7ef054a84ba72c5871a848d3

SHA512
1e5778ba9167e1a0357f3341f69861415947d0015a492c3354d9f566015d0e63e74fe8568381552e447ccc22af0c0dee73ab54b59d34a54e2043750ffb9eeb67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
106KB

MD5
9ff62521502fc5a37ec4ddb188b92799

SHA1
0bb3b6d50dd10b7bfa92538eb95522f9d9c4939c

SHA256
82cf42fef14da285ded619005e129a4dfd3833e803dc7b2a5f76a6a1908473e1

SHA512
a561132eb1d4f98c6826cf2368d97b1e81e83baf56d1438b2506e3754436ad09bfca376a626a70752eb73ffe9feba37c0008e53fcff8cc287da633ff1b293dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
cae05c0fcfa8116e50df58d747effdc0

SHA1
998ae37f423aa812dbbe39406163c452d86422fe

SHA256
f9b6b53981150bd39f43945cceb0091f1465204b170a3da5e398fbce25c36f9e

SHA512
531bdd3ac8e7e6bf3595179b412293b5b1be64a09fce6a3eeeb37130ea611777a8f01e697d556b52e4c95f1c1a0047a9740d45046d62c8bd755c22471e9e0011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
75c4da67a6597feb391e643efb92065c

SHA1
db8380d62ed2902eaf33d222803ae792a5a97839

SHA256
11e7028415d251553354da6fcc6b6c475bf61b3789d5678281ac07c1a26971a6

SHA512
c3fd8efb45ff3b1b5637563284dcac2585d787b57bdcc19d8b44b6eb78ced1f153b8d61883596df3954184b950bb5f0e058290c77c834d8baf7edc7663925efa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a822.TMP

Filesize
104KB

MD5
8769c85e216d11e17c31d7ec7bd99dc3

SHA1
ba68ac4660251029ef9be88f43f5901fc89699f3

SHA256
1bc8e58d5be44ded83d32cfd7f49ab999a3862b4372a263bc7150b3af753783a

SHA512
8b5726648de7554daeca77e7b7c1b91009ed342fbf03b8a64713ed0752e52fb11dcc1a8d7096dbcd57a47003bec381db08fffa5ddc3b63a83f60973c8b4f2074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000015

Filesize
186KB

MD5
9f61d7b1098e9a21920cf7abd68ca471

SHA1
c2a75ba9d5e426f34290ebda3e7b3874a4c26a50

SHA256
2c209fbd64803b50d0275cfd977c57965ee91410ecf0cafa70d9f249d6357c71

SHA512
3d4f945783809a88e717f583f8805da1786770d024897c8a21d758325bcd4743ff48e32a275fe2f04236248393e580d40ae5caf5d3258054ea94d20b65b2c029

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
d16fe5d199bc83874dfd732fee92561e

SHA1
6cec8188189c97013079df6b89f4fc9f2f887b20

SHA256
80b2cc686899af7268042452d44db2353ec485755dafafcbde44c22c7dc85c30

SHA512
b4f926430330a39fba889c68d5b86b386622b209b68759acce90af1526278a4d7920333e45ec895323b22b3a5b53d7c1f476158d3f94d2a3ad41bf486f6ae1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe59ee7d.TMP

Filesize
48B

MD5
8d8fd39a5cc77ec8a6ddb4124ef01c16

SHA1
d612230f37a21c86dc215c9c60bc9067dbbf7f4e

SHA256
a4f2e8758961e5353f25b490ae06aee2494a9b4d75dd886196d90c385df3b3eb

SHA512
80bf6341bea8eaf0ea8c3a5b674aea79cf17e606d51f6e16b318860c715ea39d9f3f79407feafd722aaa00933d63f850fd04192888e90212bc1bf27ddc0b5c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State

Filesize
962B

MD5
407316f9c04792db257b61f59b7ddab7

SHA1
2b249d1f7614d8b8277379ddb487a525d9ea8382

SHA256
0a58943f1200c6170fe4f5a3e097e25f689077d7171102172cb716ccb0fb40f4

SHA512
d5557639bfca19fb40f0ff3c527257041235d3f9924440b18e74895dd7bb1b8f32fec625c1c3118cca042c12bf5179bef202f5b26987a6f9c26d53bcc7f0fd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Network Persistent State~RFe59eebb.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD95.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
86839695db3d70bd8d2680fb22dd2b63

SHA1
6de71007fb9c75bd7dbdb2df8727fc7fc832f670

SHA256
fcf4d306acb8e51a7c9ff33394f37a2329015b84e5a43e6f2385fe67da8884dd

SHA512
da6e4be510127fd6c62d3877d6fcc800b4f2426decbf30e9284a49b008931e15ba5b3ebff89d423d9d71f49e9e2f664c835a2f8465038607da7fb2a23326301f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD95.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD95.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszD95.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir208_137769676\terabox_ext_chrome.crx

Filesize
169KB

MD5
8b62fae8abb6a0ad718f2159032d96ec

SHA1
24b7c81b4562b9c104b281fbdecd1772b8aafdda

SHA256
838bf0a9e53138a59fc4c5d4712eea6605b1d60867c6549d97bd6411e6bd5585

SHA512
ef8ea529f1e1de211f69c6f58661ea6c55954e7d6b3fe0586978103d1b257581f0d007c77b03622ee122265abec259f85362d93803d74137fddba11da499e8ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
a71babaa6745006255c5a3a119289776

SHA1
a5865f948faa9240a12a8b7b0b6f3b2fb053e48c

SHA256
9a48dd0fc943f27ae1ac6d02d2aee9dc5ebe1cc1e6a3ac047f8d86bdee63b44d

SHA512
b44363cb041e4f985dc22d2f0948f7390a0b39c506e56cd24823c6484b2438d6a11c257150ff99317a946e513ac8ed1ddd5d9b39792e721635cccb93c9137f66

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
705922884571aee04f5056c607e6684b

SHA1
391fc666956ba01367654c4bff8115cf232e9bf0

SHA256
c2d02ba58d767694f10520fccfb152960046aae0b1c1bcbc2f70b6bb8846eb53

SHA512
57408fb8a9bf5046bde67fe04fc4293bfd12783c1b10612d99e94797a3d3d8bb0799156498e2cf93308553b82502add5c5be4f932cba805a49304eb62e136ae4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
705922884571aee04f5056c607e6684b

SHA1
391fc666956ba01367654c4bff8115cf232e9bf0

SHA256
c2d02ba58d767694f10520fccfb152960046aae0b1c1bcbc2f70b6bb8846eb53

SHA512
57408fb8a9bf5046bde67fe04fc4293bfd12783c1b10612d99e94797a3d3d8bb0799156498e2cf93308553b82502add5c5be4f932cba805a49304eb62e136ae4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
c07c002c68d5bd4c4210a4a0f6268f93

SHA1
b642f0caddeb3c9b00c9eb2e8ea7bd17c929791a

SHA256
eed412fbb7ce707aa024cffb554b8ee0235d6b0c9528bcc67ec90a4fa223df7f

SHA512
860aa6bb8f725460670c26ed4c0ca696c478572ffc085df4f52c8de933f74a4564b2682f3f213c04d86f1d387fda6dff9c864527221e62af267bbede89494b91

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
c5a41b35d77e99663a8dbd405bbf4871

SHA1
61a097bf51b463cdb62b82c8fe4725cb320979e7

SHA256
18fb2366b81b11aea28646de1b293078b71bc8a9bc91f699e3476935b2dd6b76

SHA512
ddab29f27f087de94ae746550ff70424719646aeebb58dd3d224f9c821c0525449cb88fcc32238d2b61de21ff79b477e2e8f1b36dfe99b06506bd7ae94ac410d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
c5a41b35d77e99663a8dbd405bbf4871

SHA1
61a097bf51b463cdb62b82c8fe4725cb320979e7

SHA256
18fb2366b81b11aea28646de1b293078b71bc8a9bc91f699e3476935b2dd6b76

SHA512
ddab29f27f087de94ae746550ff70424719646aeebb58dd3d224f9c821c0525449cb88fcc32238d2b61de21ff79b477e2e8f1b36dfe99b06506bd7ae94ac410d

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\terabox_ext_chrome.crx

Filesize
169KB

MD5
8b62fae8abb6a0ad718f2159032d96ec

SHA1
24b7c81b4562b9c104b281fbdecd1772b8aafdda

SHA256
838bf0a9e53138a59fc4c5d4712eea6605b1d60867c6549d97bd6411e6bd5585

SHA512
ef8ea529f1e1de211f69c6f58661ea6c55954e7d6b3fe0586978103d1b257581f0d007c77b03622ee122265abec259f85362d93803d74137fddba11da499e8ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
d14a330bcd1891dd9cfc390f9100f7a6

SHA1
04a4f1945a70a59c8630889027fae1b2ccfc3e98

SHA256
8c449bc0298a6663ea98501103c3c5dc9cecfe254e17a16ed3518986b9ea86a3

SHA512
90e43a4a70af97b05ac7d08022e84f5e2940d58ca6b266fb2bb4dbdee8fee53499538696c6606b4ed7add2ee066969413646152523dbcd8cbaf4cd295210b9ff

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.25.0.12.exe

Filesize
85.5MB

MD5
7406c232ef9c34ae65ffd3ec2d78dd66

SHA1
11993e79b43e05715a3dd6fb226b1b0609e8c960

SHA256
6dbdf60d5cfc9be29a899eddc759cf2b63362393ad72155c51b635672fa97853

SHA512
111a0068c0aa573da761189c61a040aef946ec7b0afaa749b292e5bd0a0d8c7f9d8be3c97cc5b643db80abce4211f6c51318db8d95035cf29f23453522f2717b

Download Submit
\Users\Admin\AppData\Local\Temp\nszD95.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
86839695db3d70bd8d2680fb22dd2b63

SHA1
6de71007fb9c75bd7dbdb2df8727fc7fc832f670

SHA256
fcf4d306acb8e51a7c9ff33394f37a2329015b84e5a43e6f2385fe67da8884dd

SHA512
da6e4be510127fd6c62d3877d6fcc800b4f2426decbf30e9284a49b008931e15ba5b3ebff89d423d9d71f49e9e2f664c835a2f8465038607da7fb2a23326301f

Download Submit
\Users\Admin\AppData\Local\Temp\nszD95.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nszD95.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
f069b0edc8c18df61b3594bc73a1f47e

SHA1
05739c3152969f8fe2bcfecfc67cb7186122524e

SHA256
795d0e4b3e7a5a42a7bc1024045d2d2e8f7952c395d228c0ac7e71c88414afce

SHA512
defc0297961056e28782f35ccaa8a6531a3e17c3bbd7dd139f7274ccdd640559b57a50ed324d5a712b3a8176e0f16e3708b1e22183aad14b745db68e98bc4ce2

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
3.2MB

MD5
255b4d3d4d95800d8b65504b745dba35

SHA1
c48c8c6815818e5207be89ea2cb37718cd68f2da

SHA256
d84da66a80d9ea1ac0287d00f435c4323d2caea5b85de32a3277aeb628a7087e

SHA512
61c5ca11ae8a2a9d44d27b43c1d955e984e44eaa138eb79eb0bb51677ac7d122fddad8c81169a2d2c51fcb7a185c4f1595d75d42e7067dbe3d4baa50100e48cc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
c07c002c68d5bd4c4210a4a0f6268f93

SHA1
b642f0caddeb3c9b00c9eb2e8ea7bd17c929791a

SHA256
eed412fbb7ce707aa024cffb554b8ee0235d6b0c9528bcc67ec90a4fa223df7f

SHA512
860aa6bb8f725460670c26ed4c0ca696c478572ffc085df4f52c8de933f74a4564b2682f3f213c04d86f1d387fda6dff9c864527221e62af267bbede89494b91

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
8c3dfd8b1d03b026d3085bbf18d3b96f

SHA1
1774d6b38a0eefaef73b011c29e94473ba605c3a

SHA256
ae4f9ef0b33456999d4b630a0b05194c3ed84527194e55caf4657b0984676028

SHA512
9a7cd2f23c534e23e6f35bbf8c0250755c0a4db08ebe182d463029913dc27cd2a58039033cf2db1dbf9f1ec47e38b07d7b0e4cb162c04996bddabda224889c38

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
71b0e4b9d4a6ebc865e98e22afd05d46

SHA1
4d7f0391c32efec8306939bc65bb4bf88db8d801

SHA256
78e7fa4d22e846353c77bae01186701a5b934d5979e3442a58f30ce05601357b

SHA512
442a025077e40b6aadf61d5453047bda134398dcb81009d3b0503ab9c512969caf5524bc1a314b075161a837dc6234270351e687b0f14c8d9f802e32d183dd4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
eb4da4e8b9cc0d785ff1c01b7f884bc4

SHA1
0ec3f369a0119e4dfd15b6a9441d834a47610df8

SHA256
ba8c43ad34ce08dd168d79d31131edde6ba3464528bd6f7e99ebe57764df2549

SHA512
8226bc40fd81c5b0fbc2d5e3215982ca7620e58c172ecbad64eb0a67d43fa727249113385aff1f39479a3bf70de7e17608b8c7b7f04b4ea29c7b36b7f11dc9c9

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/1152-370-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/1152-612-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/3024-819-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/3024-891-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/3024-818-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/3236-739-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/3236-893-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/3236-777-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/3236-779-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3236-780-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3236-781-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/3236-784-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/3236-775-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/3236-776-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/3236-895-0x000000006CD40000-0x000000006E16C000-memory.dmp

Filesize
20.2MB

Download
memory/3236-738-0x0000000000820000-0x00000000008C0000-memory.dmp

Filesize
640KB

Download
memory/3236-894-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/3236-778-0x000000006CD40000-0x000000006E16C000-memory.dmp

Filesize
20.2MB

Download
memory/3928-915-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/3928-916-0x0000000000F40000-0x0000000001624000-memory.dmp

Filesize
6.9MB

Download
memory/5020-639-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/5020-638-0x000000000A070000-0x000000000A071000-memory.dmp

Filesize
4KB

Download
memory/5020-620-0x0000000000F40000-0x0000000001624000-memory.dmp

Filesize
6.9MB

Download
memory/5020-671-0x0000000000F40000-0x0000000001624000-memory.dmp

Filesize
6.9MB

Download
memory/5020-700-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/5020-817-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/5020-902-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download
memory/5020-903-0x0000000000F40000-0x0000000001624000-memory.dmp

Filesize
6.9MB

Download
memory/5020-619-0x0000000074800000-0x00000000748D0000-memory.dmp

Filesize
832KB

Download