Analysis
max time kernel: 189s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20240226-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 02-03-2024 14:42
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.terabox.com/spanish/sharing/link?surl=22v9qXFNthoVYZL4KjNmLQ
Resource: win10v2004-20240226-es
General
Target: https://www.terabox.com/spanish/sharing/link?surl=22v9qXFNthoVYZL4KjNmLQ
Malware Config
Signatures
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | TeraBox.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | TeraBoxRender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | TeraBoxRender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | TeraBoxRender.exe
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | TeraBoxRender.exe
Executes dropped EXE (17 IoCs)
pid | Process
2188 | TeraBox_sl_b_1.28.0.3.exe
1532 | TeraBox.exe
4112 | YunUtilityService.exe
4600 | TeraBoxWebService.exe
2664 | TeraBox.exe
1288 | TeraBoxWebService.exe
384 | TeraBoxRender.exe
3312 | TeraBoxRender.exe
8 | TeraBoxRender.exe
5008 | TeraBoxRender.exe
2160 | TeraBoxHost.exe
5156 | TeraBoxHost.exe
5524 | TeraBoxHost.exe
5808 | TeraBoxRender.exe
5260 | TeraBoxWebService.exe
5972 | TeraBoxRender.exe
1928 | AutoUpdate.exe
Loads dropped DLL (64 IoCs; consecutive identical rows collapsed with their counts)
pid | Process
2188 | TeraBox_sl_b_1.28.0.3.exe (3 entries)
1532 | TeraBox.exe (6 entries)
4200 | regsvr32.exe
4396 | regsvr32.exe
4596 | regsvr32.exe
1688 | regsvr32.exe
4892 | regsvr32.exe
4112 | YunUtilityService.exe (2 entries)
4600 | TeraBoxWebService.exe (2 entries)
2664 | TeraBox.exe (6 entries)
1288 | TeraBoxWebService.exe (2 entries)
2664 | TeraBox.exe (9 entries)
384 | TeraBoxRender.exe (7 entries)
3312 | TeraBoxRender.exe (4 entries)
8 | TeraBoxRender.exe (4 entries)
5008 | TeraBoxRender.exe (4 entries)
2160 | TeraBoxHost.exe (5 entries)
5156 | TeraBoxHost.exe (5 entries)
Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | regsvr32.exe
Registers COM server for autorun (1 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 | regsvr32.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" | TeraBox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" | TeraBox.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
186 | mediafire.com
187 | mediafire.com
188 | mediafire.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133538641921904137" | chrome.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID\ = "YunShellExt.YunShellExtContextMenu.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{3A832678-53BC-413F-8A7D-03B3EDDF9CB8} | TeraBoxRender.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox | TeraBoxWebService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer\ = "YunOfficeAddin.YunPPTConnect.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\ = "TeraBoxProtocol" | TeraBoxWebService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" | regsvr32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E | TeraBox.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 | TeraBox.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 | TeraBox.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 | TeraBox.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 | TeraBox.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed with their counts)
pid | Process
4004 | chrome.exe (2 entries)
2188 | TeraBox_sl_b_1.28.0.3.exe (35 entries)
4100 | chrome.exe (2 entries)
2188 | TeraBox_sl_b_1.28.0.3.exe (4 entries)
2664 | TeraBox.exe (4 entries)
384 | TeraBoxRender.exe (2 entries)
3312 | TeraBoxRender.exe (2 entries)
8 | TeraBoxRender.exe (2 entries)
5008 | TeraBoxRender.exe (2 entries)
5156 | TeraBoxHost.exe (6 entries)
5808 | TeraBoxRender.exe (2 entries)
5260 | TeraBoxWebService.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
pid | Process
4004 | chrome.exe (14 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the two token rows alternate throughout, collapsed with their counts)
description | pid | Process
Token: SeShutdownPrivilege | 4004 | chrome.exe (32 entries)
Token: SeCreatePagefilePrivilege | 4004 | chrome.exe (32 entries)
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4004 | chrome.exe (64 entries)
Suspicious use of SendNotifyMessage (27 IoCs)
pid | Process
4004 | chrome.exe (24 entries)
2664 | TeraBox.exe (3 entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2188 | TeraBox_sl_b_1.28.0.3.exe
1532 | TeraBox.exe
4112 | YunUtilityService.exe
4600 | TeraBoxWebService.exe
Suspicious use of WriteProcessMemory (64 IoCs; consecutive identical rows collapsed with their counts)
description | pid Process | procid_target
PID 4004 wrote to memory of 2572 | 4004 chrome.exe | 85 (2 entries)
PID 4004 wrote to memory of 3576 | 4004 chrome.exe | 87 (40 entries)
PID 4004 wrote to memory of 4592 | 4004 chrome.exe | 88 (2 entries)
PID 4004 wrote to memory of 3804 | 4004 chrome.exe | 89 (20 entries)
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.terabox.com/spanish/sharing/link?surl=22v9qXFNthoVYZL4KjNmLQ
PID: 4004
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff838fc9758,0x7ff838fc9768,0x7ff838fc9778
  PID: 2572
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:2
  PID: 3576
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID: 4592
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID: 3804
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID: 2220
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID: 4700
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5824 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID: 336
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4664 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID: 3596
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5916 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID: 2924
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=6104 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:4304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5288 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:1284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6388 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:1080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:3172
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:2372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6560 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:3312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:3184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:4412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4508 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:3988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5336 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:1548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5884 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:4576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6948 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:12⤵PID:2772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7092 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:82⤵PID:1648
-
-
  C:\Users\Admin\Downloads\TeraBox_sl_b_1.28.0.3.exe
  "C:\Users\Admin\Downloads\TeraBox_sl_b_1.28.0.3.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2188

    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1532

    C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    - Loads dropped DLL
    PID:4200

      C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Registers COM server for autorun
      - Modifies registry class
      PID:4396

    C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
    - Loads dropped DLL
    - Modifies registry class
    PID:4596

    C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    - Loads dropped DLL
    PID:1688

      C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
      - Loads dropped DLL
      - Registers COM server for autorun
      - Modifies registry class
      PID:4892

    C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4112

    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4600

    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:2664

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2584 /prefetch:2
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:384

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2984 /prefetch:8
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID:3312

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID:8

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID:5008

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2664.0.600785321\2017088104 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.28" -PcGuid "TBIMXV2-O_7D6E870CA65342A99018A79F05A5E703-C_0-D_QM00013-M_42032C623A80-V_628B780F" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      - Executes dropped EXE
      - Loads dropped DLL
      PID:2160

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2664.0.600785321\2017088104 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.28" -PcGuid "TBIMXV2-O_7D6E870CA65342A99018A79F05A5E703-C_0-D_QM00013-M_42032C623A80-V_628B780F" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID:5156

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2664.1.1597034431\1294634327 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.28" -PcGuid "TBIMXV2-O_7D6E870CA65342A99018A79F05A5E703-C_0-D_QM00013-M_42032C623A80-V_628B780F" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      - Executes dropped EXE
      PID:5524

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID:5808

      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2564,16051332870136409488,17454480364097085837,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      PID:5972

      C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 202ac -unlogin
      - Executes dropped EXE
      PID:1928

    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1288
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4724 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:4100

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID:2456

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID:4520

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID:4960

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID:64

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3920 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:1
  PID:5148

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7036 --field-trial-handle=1772,i,7846827381661976478,10663502558825533217,131072 /prefetch:8
  PID:5320

  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" "terabox://launch-app/"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:1244
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads

Filesize 195KB
MD5 89d79dbf26a3c2e22ddd95766fe3173d
SHA1 f38fd066eef4cf4e72a934548eafb5f6abb00b53
SHA256 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69
SHA512 ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Filesize 1KB
MD5 0c3a5be1409119fc01206bd4eea993c3
SHA1 a4d80d2b7b6c494602cfc8840dbe38d616dc7f7a
SHA256 b1c3f8358e4b852b3ff8eeea9e406b1e81ac7bd6a3dfcb01dfc1da78dd81f252
SHA512 73b7b8c6846839492b69d0ee1b9bf38805d7446263795d78461f2f278ad4e0e1de5170662fe81f3959d6ce6df0bdc01f485e0667f2b5c2e149f14ac9c9adb395

Filesize 1008B
MD5 9e2ffec620842b44cad68e1692b6d08e
SHA1 406bba4734b43a856f8579c1aa27ba957090cd40
SHA256 2d055ee73c9e8a1068b8f177e1c6fe77f6f1c40f8aa5324f80732f9acf52d734
SHA512 2ee967580c0b58789704725d6e7db0b05fdb5c62e438ba489dbe50d16d70da76177e095ad56850970e8a4d3817cce48c9adc6c0b74e9005decf18b27558f4d45

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.mediafire.com_0.indexeddb.leveldb\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.mediafire.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize 23B
MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
Filesize 7KB
MD5 1dafaa5a0244fd36bc85335fdb7163cc
SHA1 f6b59660117ffef4aa4c1fc30b70527d2b6f6cf5
SHA256 927181d27d44b329d29996f4a5febdcdaf207c7d0574f38afc36f9b172d8c0dc
SHA512 5ab855e7c6fdd3f61cb0f033299bc410b2064b4e96599d67985be8cddd6cbc50e02cdb209e026b8385de715c13473834a6ab67114ce33aee337d5a7a468c01e3

Filesize 5KB
MD5 dbe3a000fac8e8593c8b5cd71b389135
SHA1 93b603577fb7ece7d0a326fe529da5bd375b7bcd
SHA256 6ef63031f1aecbc6f2313cf680d97d09fa3231da8f1a1a80818f4ef7b36ed083
SHA512 6c3e7f65f978428aebfcba1a9f7835f8d032a2832df7a3e3ce7e5a47c4a6e55d3983baf23122fc7fcd6caa54b9a2d162bc50cd6e9a4bb82f099d162d29c895ca

Filesize 1KB
MD5 4b6b39ec87d074a13c90359456b97a3c
SHA1 47ea1e490ac3ca8cfc546d43deaa9fdbdc394771
SHA256 b527f78806399491e9f92c49b05771fe12803291fa062177c4ce6d6111ed8bc3
SHA512 1e9897cbeaccd1dadb0a97fab1bd7352b730ca281232b9cb8c17f7b6ba016c7034d77e1d184eca055176457d49199bd8fb93ed84c21543cf5d31227030492170

Filesize 1KB
MD5 20fd456110818698294608a150446431
SHA1 7092496dddec868c1cfbe48655aa68a91ade3b92
SHA256 a38f72ebfd9b51ba0267e041cefc08d0414d2d56a719265aedefa5bcea66230a
SHA512 bc115b23fe538215850544eff44e073005723e1232959002c19c3dcfa945de620796d5302dd6b4436e98b0f5f6e63c2e347b35c0025dd3d4cdbd44e870d236a5

Filesize 2KB
MD5 78a2c99a8e8807b1f2d3e611b3533959
SHA1 b95884b2f9408819ec52801003f80f4ed850f900
SHA256 40224ec0ac800be6aba19687ad967446a31c03f006f41a7465a2eec89208be4a
SHA512 d03518dd4bce03c940805c86f08d0ded4635054f13178239aadf25fe6fe3456f338b1d96e84e6f5238fcfa298f84a5ba794bc991b7e144f8c759e45b42c7ceb5

Filesize 1KB
MD5 5e6c6ab4dda4475eb75f5052b4d548e7
SHA1 30cdf23f74c86a1bd898823eb6ed1b49cef8a9d3
SHA256 aeffab299188a5a400dbc4ca6c7a4d34189b221de19ae7116785c55a1af40c6d
SHA512 d5fe114424f77bd09b2c2f7921ab5fc1ed62f440d0a5288a3ae637f47084ae005d35eef649c5928af377f54114de8e35d37bea89a5abb2cbee21cd800f4d12f2

Filesize 6KB
MD5 f269ef88c836b98e1f45af16d63714a6
SHA1 9951d912b78f67b0f114b0cd036ea980d2433a18
SHA256 0d57b8197d89777fbffe46be9e54fdccb9de22f7e1c9b4a6baa6769e47500528
SHA512 358b85fc97b1bca28027655864346479c6107876a0d6a3432de8ff6d6e25cadafa04e2b311387f4733086dcb6a4df74392dd00c6151ff0105668064c6338c4f7

Filesize 6KB
MD5 e6fc64ab3030733a40334f8a08cb8ef6
SHA1 172f34669f4cc0face85d146b9e4d04f6bebe0f3
SHA256 230033e4a9a1bd1bf3d26e733b858ce7929df8876e38832ff2b0ca460fb699b9
SHA512 7c5702154be035129aae64e93d733e6d2f6ad9d410fbc1e30ded4b0b44cf5c56c17fec2bf1fef239a175e30d8909e1ac603114726e1dfa4c92b2d392dd62fbe3

Filesize 6KB
MD5 634ec6d0f11f98bf16a3fe0b9b390d6a
SHA1 b9bc4310b0f9f2f9f3a0f8fa7587a546783bbd2d
SHA256 612dbfbc0a55e229def41255b4e58128befb75aaf0e21420e337735398f30907
SHA512 095ac60ab8dfc46293b653667423e653554531bd99f6760273cdf6a0a6044c6708576afb12e7360fc534d2251f3f112bf20c4f65121f5509fbdbfdbcc869465c
Filesize 6KB
MD5 1c7c399a518b718c216e5efee7c29070
SHA1 f0153d78a72693e7c5713d1f28557363a1a46905
SHA256 062f7387fde12293bb6389d8d03e3a67b9eea5beaefe8b49545f9b6808e0f7e9
SHA512 8c565761487f04bde7053aa81788d01c8d0766d3a80acf2b4f13fc8a11bf370bba6647f6e0718eb587f3078b4f02b99e92c6cd10f6420587cd543f4e330f3d48

Filesize 6KB
MD5 106ae9456cfe155e02101fbe329e69a6
SHA1 65281cfb4e992046287625907aa9c21513e087f6
SHA256 ba90237adc43762a2aea99041d5b8052de8b9045e668f106eb7b7c6d8b1318f7
SHA512 f434be227b906c196e4d8f016406c3c233a2ed0b14c7c673c9891cc9c0b3fec365e61aaf8b5e7749dc4178536f491e7dabd0f242c434ab3429519cb3525cd6bb

Filesize 6KB
MD5 93725ea2e0433a5dae4c01e0ead1e53e
SHA1 859941c8bbcbc6530244b76db683dd485922cede
SHA256 69a4b9b18ce40f1b479f9afd0cc763718d811b60549af4396e5111a0e1e37817
SHA512 14c8c704bfa498388901a5825a91c7b3200caaae681f1b69e9f9457fcd72065b2dd28321e7858efc07f5377da0167261a02ca754c2e2a9d7557328bcf2934f62

Filesize 6KB
MD5 00b2e125666577286db0660c9382ec40
SHA1 d2d7b586ae7c8d242f7d4d74254036ad5df2c644
SHA256 b900ef624bce9bbc694e2f3590fd8e9e36869f781b02d7391a109fc334a234a7
SHA512 01cbd2fe72f6cb58a197b2f38b934ec910033881bdc42895c92a0b0730eef978584554c8bc471d3214fe3dc63a897bc2da0348c805fa428863913cd7c0ba9e5d

Filesize 17KB
MD5 12c7b58ed83cbdef2a9c29f29d01aff9
SHA1 fe4e122e9b5063f2e34f380f0ce3728ece817202
SHA256 08193eaa19ae27d35ce4de5778d9b6172d5e6ad2adb54a3375b41db7883e485e
SHA512 8042625aa9eed313f7545b8a16ff56e0c2363b332c2f1b238464253e87154f8acdb220ffb2b709004dc389284268f415cf65c4b28c564be6c9f8f725dd37b923

Filesize 128KB
MD5 a143c8f671cb9602d9fcc9d95c527a03
SHA1 be8f17cc581b10185a2b382973d8f26b12472e05
SHA256 ed27c41e8ce3dee7e8a7187b4032a35eb666a91210147eb863b04aa60608acee
SHA512 8582d5d38acc8fab75ec5539fcfead0d53f7c41bbb430edce3337d35bb215bc3af6f4421420643a41d3c179d9e7eba0aa0645a6f9bfbdf121093d3671b50791f

Filesize 128KB
MD5 2ca27b77a0f0683feaac09b8bf8dfcbc
SHA1 b8716c72c584317972081b3c80ae5019dea9ebd6
SHA256 ac5f1197dea55df2a40d64d09b7a2689dc1eb61246e6ceeb185eef166348b2bd
SHA512 a4227fb53681809b9c76a2f87707eaca15d353f8c5e5696f0273e5aba17865107646f24115fd82d6418ac97afab32ac871f6b2b655228ebd2823d3ea7c784f53

Filesize 128KB
MD5 7bd2c28b60fd332166fe565a2c2149c6
SHA1 d2da3bf64652d64edbef34b01f3387f5aa66b93b
SHA256 e04f026e84b0fd68a98b4a806c36538c1d50ae37efed07311ef739d8af2d9632
SHA512 e54715beb5941d26e0972012f9e9a177968277ff5a938b3c3f35a77989a322638101de6680c7cf06b83aedc127b34000012336dbb8e00b874bce102ad461d6d1

Filesize 122KB
MD5 ae6725034ad9ccd50ef8b59111827f45
SHA1 15a9fd29ed64cb97650fddf288c5303020868734
SHA256 f394c16a3ec735d431a7f37ff982b4c54df2abf8db2925db73bf1cc9ed808f7d
SHA512 6f0a05e5b6ed6ca15b4728aa0aaf3efde868b8694f55b68792395ffe5b07a940927483e6a56576606af4f9cf68fde7b8106eb309afff659df7c25bdd04a8716a
Filesize 119KB
MD5 a5c36ba35087a7e0ff048ae2c7340816
SHA1 de1d82646bf3fdb4a3243200b1e24c4006788c14
SHA256 64a186fa134b44dc3f032755ceff10f808f8adf595f75d1f85d12a9c5e77c7df
SHA512 49b6696e0c6977c6088fc81f9d31fa642f20be180602fdb1c92175d8d17c557b43ec0b029eb0950578e7d8cf4a822f385fcb44b896e18ddfb98cd440c2ef778e

Filesize 111KB
MD5 e6bea7cb57ba984bbd5b9e7f2a24a5d0
SHA1 46724cfa5d022cf4b37cadd25217e3f22b35c773
SHA256 9cd1b8c36421a7ab9d823607ae9e17f7720e6c9612ccb3ebdd468d602c91e8a7
SHA512 e1b3f4653d45f03d517ca1a7e310c8770dc4320ea33e0e06d381ada4fd5549d53decf743000d7f7865a2beb3d5fb99d3bfc7989b1cc70cd0e3d631f1c7257f1b

Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize 17KB
MD5 97c96f912c155602a68b1af506205f35
SHA1 456b48e4fd238b75b2b5001d44886ef092a6ef2c
SHA256 edca08abd469d6495520acea7868584b6355a4111b15a1beb72e44b0862a1836
SHA512 88095aad0c92d6db76791f607a0a98a1988b164ccac3fc4088e61f315ff443b0d2462373a27078b79e36d5f4447031faf209cce1a888054646479048402188a8

Filesize 81KB
MD5 767bfc5a7775bed67353483b1fa453b1
SHA1 f5320c46db85979e482f7ce00da1bb29f100c472
SHA256 b3c05e112c942af1e82a83d3e93591129ba6635b414b484cd980d805ead50f25
SHA512 92f08f9605d5274c40e64059dc0fc5f93fb77d16bd39a51506072591488d665e09797e01c16d8d2883a17fdc1edc97f2307735da125166ba95e9c5af5397d7c9

Filesize 36KB
MD5 8b0f7f0b1d3875e84b572a4b8da14d5a
SHA1 78079f8d4d5512d24244b0e2a3ba6a2880af5bc1
SHA256 e635ce270e45d33ae75ee0b14f4598cfcd5c20c93abfd0bf562e952b95a35198
SHA512 e6038835d5b0030a0b3a93133e506af11cd79df4c4914d9d8be2aec8c1be4866ee65e3808108f1d0cc2abb4a8c553044bd14d3736cafd760dd10bffea8aa2485

Filesize 30KB
MD5 dc13edb4710d26a04e5cc0df97a438c5
SHA1 5ec051b5bdcf442cdabaca912271bc06974dea39
SHA256 d5fdfc459418a052b5f0635de2fae7202fa8c580e0a26ffb84e6c0e121ac3734
SHA512 8b9718b958d765629350bcc6b2cfca91b3aacb6cbd7b6c53187f5632a5fe4166adb0264b411b179da3aa02d46d5e2df2717ade3a6374447a4cd2d1ccb1a5e45a

Filesize 26KB
MD5 1ccb9483a38bace92af2fc0bd59b3a8d
SHA1 ccd0d85e72223234e51e7e6ff81030186ceaf636
SHA256 ed6237029c64f97d51d29a4f042921a7c9a4024cb748b9227f039a186531e11b
SHA512 78275dcd8d761821ae043cf5ce57295fa2a4956a63347f877cfca59f5a6d8e6baedfe59ec763b51d37b9c9250ba05085637caf0855efc448bd06519b3ee70b17

Filesize 41KB
MD5 b01f195e94b0848122ac3314f5395721
SHA1 b87bc53a44a6234f7c089f3119066f9647d21903
SHA256 09ae6d6c48f2c2b47426e8c362471444673201e2583c5525b442133a8b5c80cb
SHA512 692fcb42a168ddb939ee04daa11982030e9b3f0a7f9c5b2af35873f8257de0579a758a3f514b555f813e54bcbc5aceaa240e1b0f383133daef9c19b7ea5611d9
Filesize 64KB
MD5 6253f54ffe983308f48d3e031ba2aee4
SHA1 67c2f52a26f4476ed51c6131c9a5309e0dab9d71
SHA256 dbd84583a764243b3aff51d77b76f323db102bbcaf2b0b3d4f6913758e0ce842
SHA512 6aaa73db325861ac4d8ac59b8f7b82d0e65f230399a65a7a51c576035b511fa3748e9a2d9c5c947b70eb391a7eeac946652dcb34cef8a19ae290b83500cf6e5f

Filesize 85KB
MD5 e616cd1a4cbdc5a8652f1dae78b00b8e
SHA1 a2365d66beb708d09f0155cb24800d1ae18b9e41
SHA256 5c58de0f0d6a7dbd9e61924a6e4c4e41489c2c00a143b27977c555b64b564b12
SHA512 c02785f007c21c952fd0ded21b721980bbea5c7c50938d730c6a9b42eb14dd7962ae7ceff27e7ade90ff621a3b821deec9603a0fa94787eb44048885708e5e23

Filesize 24KB
MD5 b82ca47ee5d42100e589bdd94e57936e
SHA1 0dad0cd7d0472248b9b409b02122d13bab513b4c
SHA256 d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d
SHA512 58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Filesize 1KB
MD5 20983087edff30cf559fab39083eb9da
SHA1 0f220bcff58e38e77dd680b477a47a37a1def2d9
SHA256 5a119adeaeb9539f2738bf88db7c434dc99ded2f4d1d6427d3dc122128fba1ca
SHA512 dfe9746054553ad57ad53928761236a34a9054a34698be2931d5248ddf9ce140211ff0ac6646fa4527c9d36a974ffc578d735a3d6b45d0d80afe2bf3d9de5ed6

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index~RFe5a41dd.TMP
Filesize 48B
MD5 b45ae7a356bb87236783d543d6e05aad
SHA1 944e310477592cc23cb202ed670d88e224bde134
SHA256 e65b19be27811573bc531f912288513c5208dc488c674c54aa84cd818025515d
SHA512 54d74296026e119ce3fd5e6e9579f7842ca783735c98e6c6fb8a9595eb5794e76ad79056464a73a869c6b5fb0a45c335b4b9e442aab645a934b0009074feb12c

Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize 1KB
MD5 c1998b2e53e17b14a1260308a8e399b6
SHA1 f9de48340d84a7abbba2cc4d035c353ea0aecc83
SHA256 f82e6d412d31cf15591033a14647b0615128911c43135f2f8f59d5d0b45b4ee9
SHA512 40391566b774e5bcabebefce526f44fa3fb7c07f2956309c68cd14a8089a0af366dc6b06988b0941c2faf7c9199db6f01fb5f60a10deb36310dbb90ab0f888c9

Filesize 59B
MD5 78bfcecb05ed1904edce3b60cb5c7e62
SHA1 bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256 c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA512 2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Filesize 704B
MD5 dcb10b481698e749f5806abc76b3079e
SHA1 c43a70cb05ab5f0fbceafcdbdefab446a6ad1a13
SHA256 71dc4aefcdb0747f9fb7e1954205f3d33f57d84cdfeaea6835fca93f3699075e
SHA512 b824f4b0eced41761550e8d220d5ca5a9a74facabdbbe2ce183cbd8624171b264d8ca47c75121fde412a1b711b9a53b971b9d4da6780b8d2334dda6c788ae04a
-
Filesize
702B
MD5b547329e23f63722b9a8ab931e7e4715
SHA1ae4b5a3bfaf2f027e816bf15d878f58f46f3a3ea
SHA2561dc69e282b191a9e41dea1771ca03c13514e5eaaa05fbf8a5e2ec7c21f1eb0fb
SHA512506ff7e16d31a4219902d7d7fe667d622adef493aa0092c71d5eb85d99c5988c46f3477a5329fb59fc748db185143624bf028588f4e91207c6fc99c32f9ecdaf
-
Filesize
2.1MB
MD57aad5c0c2a4a8e2d4f6c463b63dc0609
SHA1f257472d5a8e441c9300a9e4dd63f6b559a98bd0
SHA25603e2ac88d13ab95dbe53b037c458cc57e3ada6153022d9d2a4097aea938f89b6
SHA512418498124c939a44fb1bf3ce9113bed5cf419475c430e566e93a7c493037f788d82edb4318a4f9f833e1ffb6f3dbeb145ad3ccb82517ecf4cb82bac64dd42ccf
-
Filesize
80B
MD586daef0a1abf90f934b20119d95e8b73
SHA1fa9170644b102c598005d1764a16aba54314ab69
SHA256a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa
SHA5121e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7
-
Filesize
12KB
MD58cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
Filesize
4KB
MD5f0438a894f3a7e01a4aae8d1b5dd0289
SHA1b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA25630c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
-
Filesize
768KB
MD5e7396b3cf2c1298f6f5cf3ad15608475
SHA1fb275b64612116f198d0bba08e2e9d790f474f8b
SHA2566802d90c869c02816ab168936652ec35976e3b1cbb36fe045d8d9a7897fa9565
SHA51298506a8d69ae5e3d31566c2cda5fbd2bb4b137807e43cb08fb7b58be155a0a33631a68f04fdddb143bf8b6d2a4912d9e76ef8ce7be05d2cfe43ac06354c3e890
-
Filesize
22KB
MD59829c6f33fab4cfca817101396683384
SHA14049f1fd48d260fbbb1c263db460a8d0c8519aa8
SHA2562e76b17632034cfe30226199971403c0d86e0224c07979ca4b43cc224cebf1d2
SHA512281a2215afea6f8abbb737ca3cb911fdff003bcb1dd9f2ebd58d7b9a9fffa20c3a2b9afa1cff8f0b2a2fd09bda7ab52616c134a93f0128e4cf8b0f82fea2400a
-
Filesize
896KB
MD56ff9fb813af4f4c03dac62bb3bbdf9cf
SHA124073474cdadeae2731fa40e439c718e75e5644c
SHA256b33229f5e85f4e7b3c770782813a1b6b7b4b157c8f25923a94315fad033c95fe
SHA512a0c8e4410ea22cb1b8aa119be4a1b5f0b27e2504acc405265d50e8afb06c89cfebcaef62fa13b5f3c50a5fb22857dee3923f295904f82b183c2a11cf40f64380
-
Filesize
1.1MB
MD581e3b7d0e34e4ba6f87957a19ca93637
SHA1fde8bc7bf17a84afbb203672f4a3be246f81346f
SHA256fe1fcc57aec813253593c43833b3bad104e81c84763eb20b7addd09ebbc327c0
SHA51268f79944c556bda4bb41ef3e11e34c1710d877cfe9f97c94907dd8c26e8a3672931c5ba0005ea1e938994c9f3be39060c72eb36b4057ba282f2d34240f68b6f2
-
Filesize
896KB
MD51f6581b96874d6c42426c5c3630802da
SHA1678d2b1774054bf5018e475a005b5fdf8c4f08aa
SHA256147f14c4177a87de8b587fb40273a5f5907b1272fc988b7c1ce646df5f96e1db
SHA5123e540e2931adf49fbb232224dda92a3254eb7ab906dd6113107d4ce24ecabd39b9d5314b4d89d70795c52a7ac06a3635ce949a7ca617153147a0dc0016e00682
-
Filesize
1.1MB
MD5cf207fac306ba6ac97f64a7426af8e6d
SHA182eebe1113259ee70b55d28203a64ce8ae42f37f
SHA25683eb7ba759266d38df6afa36b98f85a076c530f7d0d75729df29d6c5d8943182
SHA51275d9beb159185f3a7e549e4605a4090aedbcb87bc216028d440fad51b804308c47c4889d488ae52cb2694d2090126b056d22ecec06200eb28a1aff6ef1dc17d5
-
Filesize
378KB
MD56cba734e4869ed04b2ccef600108f20e
SHA11c340c0ae8d24237ef2d073b3c1a80afac372f9b
SHA2566ac1b5ba0719b1cb9d41eddc105acc6efc41e7515070ce304181140c6c91d806
SHA5124660326b4be06ff96ad516dd7d92b511834309ebafae534d373002c1659c59e454a749c6bc2f04ffc24bc72786b86563f74b7e6c33c32b6fb29f76d154c1be73
-
Filesize
492KB
MD5eaa3632ba4e15795986d89f85561ab2b
SHA10bb4aea61a195755ab904fa99b9c8cdb74d587e3
SHA2562af36eabf3a0c101348e38c7dffcfc0b8209f104f13c0febe796491e0ed7e05b
SHA51240e11fc522048bf48ecbaca394e76e115d9f7d1991b0cec10d1d8d290c10905655d0ab911416207e3b6eca3d479da6f962f4255126b0a75ed84a671a5f0aae7c
-
Filesize
1011KB
MD582179b4413766e62e7092357a2d7d04a
SHA16de04f0ff641b065e2e19a5533a6bede85719a0d
SHA2568416ce1d616f9a2c94769f2f685474bc6a9dfc16af754c0e076016a34f9153b2
SHA5125305f40e29a3fd47baf3fd3275c72635d760fd5d65c13bda4f0bd8e91dce819da78d4c6c9809633d54cc5bc017cd0df2b8f37ab274fa23374bd74801a3dfe308
-
Filesize
111KB
MD58fb3601137a9e65aacfd5d17cb4f1b23
SHA1fab0cefb670b446165bc08ee97165ad20ce2ab65
SHA2566ad80c67aa7c9ddba7ef788a7967bab06174bb541ff6e34d25f7ec0fa1ecc122
SHA5129a1d07aa836aaed9d271cbe4954aff7c8e47882df0f149036d8de033f6989d13eae22752d61fad9cdf7cf3c6f329b549bd6764477cecd102e6754f18ce1a89dd
-
Filesize
704KB
MD5166db09fb659c1ab987d509c49f77667
SHA17eff619d3490835ff922d32c732141a3ca061d99
SHA2562b732ac8b369f1958be8d65dd5fe82b420db49e6c9ec77b89abdbc6537500df3
SHA512e18dd3936c62d8f8ac7ddf89690328342ccb9a2e23dbb54ba2405e31c94a96dde69d7750311040e610ba2d60cda5d29d43d984f42834723ab9018c08f2d910d7
-
Filesize
640KB
MD5e742a68936858fd53ac6bc3af2f25c09
SHA116ee109b9efaf94e0e09216d72ab913e6530d10d
SHA25626ba47720e2a36867275e82df0fe660204e4d026ae02383fed720e3ae20cee5f
SHA5120613a5832cbcfc1259ccef008c55da41bf3fbfe81ae6c386004e0455b05deb7c42a375a17a7b8f88933cc73eda0b54ac0e481ad5fa75c07926f190eddadb7e76
-
Filesize
429KB
MD51d8c79f293ca86e8857149fb4efe4452
SHA17474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
SHA256c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
SHA51283c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1
-
Filesize
169KB
MD5d1228d3f6008b5ab6bfeae22e47163d5
SHA1c9daa88047adaf64f79ab8eb39c638fb49d7c40c
SHA256abd139cf05cfb99922766f68292791ef239b589acd0e78e6623b6cd57dcfbee2
SHA5123fab9d678d9a890cd954958fc06b9d97d09bbe843d2c6a563c7a42ac615d2e36c4255a0a362f716e0549282d635ae8532d68c4da6513e345511fc31c791be5b4
-
Filesize
697KB
MD53c2b6acab01820bd74fc22be0b07614b
SHA1dd6e56ee9855a12db7b8bc315fa21c03186ec072
SHA2568d6ec84fd334f9816c9bbc751587ceaa7c1f1029be8497241fe22c237e937094
SHA5124e69d8b534242c84b489405651915b4c1b567c71a4018f953ed6c3c8a466941fcf780c4b40ce0f16125556ee41dc7672177c81aef270c43ac59958157392c6d5
-
Filesize
1.1MB
MD5635b7ae278f9b9cb4427f81bdf6ef41b
SHA1598f211f3a15d98788d0428e0c2bb2b23625e349
SHA256f15129d4cb3440c003e3847519957ab367dc95cde15aa5087f8286374b924fc3
SHA51262a3e11f8a922f349b30811cbf44503eb0f96b5121c131f407e766a31ade85926a9c4fd4fe6327e8120970a4a23ad38f62541a9681d11b875fa93fe50c4c28d8
-
Filesize
1024KB
MD5797d0f1de6dc1ffd16578eebbbca924d
SHA1c1cf87c0855396af8c307898fd353e3e10572f4b
SHA2566e25a4d4d4a1207d1960adee5eeef9a34df8356990efb5e4ebe0852c7ce0ec7c
SHA51290e0ea994073d81c2feb17e696171f1e3bd9dfcd8dd1716622cc960548e223944a7bb84789d2f503e2a77b16709c8a75d2fb2f05012cd2e1128d43a5ac3ce312
-
Filesize
83KB
MD5b77eeaeaf5f8493189b89852f3a7a712
SHA1c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3
-
Filesize
16.3MB
MD5951a1cbaf78565d47547bbfb86c44eff
SHA14c5c7ce8fa628b86df65f8025b0f68b532bf4914
SHA2565291d08a8ea0153f952d6e25802e2bcd642d320f85a0ecccd816a682e8907b70
SHA5129ac2051f39f4259c6e6c639fa3748aa202d7ae8c96ea3348d7e6462a5dae4aa947fc4ecd788225d726f3f6d80cb62c080ff75c6494e70aceafd593530f38de32
-
Filesize
4.5MB
MD53cca2b9d9df38943e8a18bf52f9c4fea
SHA1019d1da89a1dca223c65a7f325becf2a8db92035
SHA256f283f1ba17e0305c33d326a0f797ab2ef27aa0c51cef7f83ab579c0f91fb5422
SHA5121704b82233ce99fa7a8802eb8abb6b28c3c5f00288d5d589522c646ff81be09cd1fad286061d8b19994cd68ecd4b2cde1035d903587f47a566348ba5a7e01c3f
-
Filesize
4.6MB
MD5e5087bb6266c083e1ab0f76058614d83
SHA1552d72288d40178a549c3028f3cb49a2e496c96e
SHA25642ed4ae76d5624a92c8bc5e5e99f4df88dc2777862f70bd9433e8cf4d3a72aa8
SHA512111e8ee454385ad0d1af452377e618f6cad1413b04e122981c30561ff65c37abdd260b540e90f1ea731581ad704bdee4740b78ab135a6efb8b54f2b6d19e5032