271de5aed87a398dedf889c16d7927e90f07facb4774a073cd4f365073fe51f8

Resubmissions

13-03-2024 20:38

240313-zeyacagb6x 10

Analysis

max time kernel
159s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_b_1.28.0.3.exe
Size

85.5MB
MD5

e1aad2c0bfbccec454765e8a030c8856
SHA1

95dd1d5a2a597f27321868d398a9701bcf0b49dc
SHA256

271de5aed87a398dedf889c16d7927e90f07facb4774a073cd4f365073fe51f8
SHA512

6167a3f6f3e405832292491e466b18dc3fded745f4f0bb5d7cb86e00a6bdcd510aa146558ed22a6a00d60ae25befa5ec123d55d65b2a2a2e6ab2d9b2c78d4530
SSDEEP

1572864:HSgue/UMXkXd9CUAMIaulHaT3hxHbpuH1yv7EjDe40REbstaa0ONE71pO2EY8fvp:ygue/Ui+d9tAYulHaT3hxpv70Doubsa

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 15 IoCs

pid	Process
1536	TeraBox.exe
4944	YunUtilityService.exe
1020	TeraBoxWebService.exe
2124	TeraBox.exe
992	TeraBoxWebService.exe
3624	TeraBox.exe
1968	TeraBox.exe
1508	TeraBoxRender.exe
4532	TeraBoxRender.exe
1916	TeraBoxRender.exe
3820	TeraBoxRender.exe
3264	AutoUpdate.exe
3752	TeraBoxHost.exe
1528	TeraBoxHost.exe
3004	TeraBoxHost.exe

Loads dropped DLL 64 IoCs

pid	Process
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
1536	TeraBox.exe
1536	TeraBox.exe
1536	TeraBox.exe
1536	TeraBox.exe
1536	TeraBox.exe
1536	TeraBox.exe
1536	TeraBox.exe
4212	regsvr32.exe
4540	regsvr32.exe
4980	regsvr32.exe
1704	regsvr32.exe
2272	regsvr32.exe
4944	YunUtilityService.exe
4944	YunUtilityService.exe
1020	TeraBoxWebService.exe
1020	TeraBoxWebService.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
992	TeraBoxWebService.exe
992	TeraBoxWebService.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
3484	Process not Found
2124	TeraBox.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
4532	TeraBoxRender.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
4532	TeraBoxRender.exe
4532	TeraBoxRender.exe
4532	TeraBoxRender.exe
1916	TeraBoxRender.exe
1916	TeraBoxRender.exe
1916	TeraBoxRender.exe
1916	TeraBoxRender.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\" \"%1\""	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe"	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell	TeraBoxWebService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID\ = "YunOfficeAddin.YunPPTConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
3888	TeraBox_sl_b_1.28.0.3.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
2124	TeraBox.exe
3624	TeraBox.exe
3624	TeraBox.exe
1968	TeraBox.exe
1968	TeraBox.exe
1508	TeraBoxRender.exe
1508	TeraBoxRender.exe
4532	TeraBoxRender.exe
4532	TeraBoxRender.exe
1916	TeraBoxRender.exe
1916	TeraBoxRender.exe
3820	TeraBoxRender.exe
3820	TeraBoxRender.exe
1528	TeraBoxHost.exe
1528	TeraBoxHost.exe
1528	TeraBoxHost.exe
1528	TeraBoxHost.exe
1528	TeraBoxHost.exe
1528	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1528	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2124	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2124	TeraBox.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1536	3888	TeraBox_sl_b_1.28.0.3.exe	99
PID 3888 wrote to memory of 1536	3888	TeraBox_sl_b_1.28.0.3.exe	99
PID 3888 wrote to memory of 1536	3888	TeraBox_sl_b_1.28.0.3.exe	99
PID 3888 wrote to memory of 4212	3888	TeraBox_sl_b_1.28.0.3.exe	100
PID 3888 wrote to memory of 4212	3888	TeraBox_sl_b_1.28.0.3.exe	100
PID 3888 wrote to memory of 4212	3888	TeraBox_sl_b_1.28.0.3.exe	100
PID 4212 wrote to memory of 4540	4212	regsvr32.exe	101
PID 4212 wrote to memory of 4540	4212	regsvr32.exe	101
PID 3888 wrote to memory of 4980	3888	TeraBox_sl_b_1.28.0.3.exe	102
PID 3888 wrote to memory of 4980	3888	TeraBox_sl_b_1.28.0.3.exe	102
PID 3888 wrote to memory of 4980	3888	TeraBox_sl_b_1.28.0.3.exe	102
PID 3888 wrote to memory of 1704	3888	TeraBox_sl_b_1.28.0.3.exe	103
PID 3888 wrote to memory of 1704	3888	TeraBox_sl_b_1.28.0.3.exe	103
PID 3888 wrote to memory of 1704	3888	TeraBox_sl_b_1.28.0.3.exe	103
PID 1704 wrote to memory of 2272	1704	regsvr32.exe	104
PID 1704 wrote to memory of 2272	1704	regsvr32.exe	104
PID 3888 wrote to memory of 4944	3888	TeraBox_sl_b_1.28.0.3.exe	105
PID 3888 wrote to memory of 4944	3888	TeraBox_sl_b_1.28.0.3.exe	105
PID 3888 wrote to memory of 4944	3888	TeraBox_sl_b_1.28.0.3.exe	105
PID 3888 wrote to memory of 1020	3888	TeraBox_sl_b_1.28.0.3.exe	106
PID 3888 wrote to memory of 1020	3888	TeraBox_sl_b_1.28.0.3.exe	106
PID 3888 wrote to memory of 1020	3888	TeraBox_sl_b_1.28.0.3.exe	106
PID 2124 wrote to memory of 1508	2124	TeraBox.exe	118
PID 2124 wrote to memory of 1508	2124	TeraBox.exe	118
PID 2124 wrote to memory of 1508	2124	TeraBox.exe	118
PID 2124 wrote to memory of 4532	2124	TeraBox.exe	121
PID 2124 wrote to memory of 4532	2124	TeraBox.exe	121
PID 2124 wrote to memory of 4532	2124	TeraBox.exe	121
PID 2124 wrote to memory of 3820	2124	TeraBox.exe	122
PID 2124 wrote to memory of 3820	2124	TeraBox.exe	122
PID 2124 wrote to memory of 3820	2124	TeraBox.exe	122
PID 2124 wrote to memory of 1916	2124	TeraBox.exe	123
PID 2124 wrote to memory of 1916	2124	TeraBox.exe	123
PID 2124 wrote to memory of 1916	2124	TeraBox.exe	123
PID 2124 wrote to memory of 3264	2124	TeraBox.exe	127
PID 2124 wrote to memory of 3264	2124	TeraBox.exe	127
PID 2124 wrote to memory of 3264	2124	TeraBox.exe	127
PID 2124 wrote to memory of 3752	2124	TeraBox.exe	128
PID 2124 wrote to memory of 3752	2124	TeraBox.exe	128
PID 2124 wrote to memory of 3752	2124	TeraBox.exe	128
PID 2124 wrote to memory of 1528	2124	TeraBox.exe	129
PID 2124 wrote to memory of 1528	2124	TeraBox.exe	129
PID 2124 wrote to memory of 1528	2124	TeraBox.exe	129
PID 2124 wrote to memory of 3004	2124	TeraBox.exe	130
PID 2124 wrote to memory of 3004	2124	TeraBox.exe	130
PID 2124 wrote to memory of 3004	2124	TeraBox.exe	130

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.28.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.28.0.3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1536
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:4540
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:4980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2272
- C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4944
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:1020
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2272,6730088971121674018,17669477632600804703,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2264 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,6730088971121674018,17669477632600804703,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=3140 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2272,6730088971121674018,17669477632600804703,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3820
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2272,6730088971121674018,17669477632600804703,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.28.0.3;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1916
- - C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 70208 -unlogin
    3⤵
    - Executes dropped EXE
    PID:3264
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2124.0.1212569367\920597335 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.55" -PcGuid "TBIMXV2-O_E67CBC465A844461BF742A5A25709BAA-C_0-D_QM00013-M_5262F08EE73F-V_66B14868" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:3752
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2124.0.1212569367\920597335 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.55" -PcGuid "TBIMXV2-O_E67CBC465A844461BF742A5A25709BAA-C_0-D_QM00013-M_5262F08EE73F-V_66B14868" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2124.1.1493202487\1627836575 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.55" -PcGuid "TBIMXV2-O_E67CBC465A844461BF742A5A25709BAA-C_0-D_QM00013-M_5262F08EE73F-V_66B14868" -Version "1.28.0.3" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:3004
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:992

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\TransportSecurity

Filesize
372B

MD5
2df88bdc2459b964ba72a06c3fc0410a

SHA1
768f6c7236c70b95d887f8d13f56e31cfb580b1b

SHA256
4ad6fe5103f810b2009c1baf67d749612c9f6e7cccbf326e5ae88e9fd0fca157

SHA512
4649ffa8a7aa4e5a189998ca657fddac4657890cdbb377d0c19d550af74ab827556b6d92c91edaed4c4e4d6976889ac13c4e07273e876900eef658258e9e23c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\TransportSecurity~RFe59f514.TMP

Filesize
204B

MD5
dd8a9411f63aba0730ab18f4e30b3010

SHA1
59499f79b50f74f79c35b79b74c58a5a1ebadde5

SHA256
ac81ba3c765553b3806c0e48f2331c8f788f7887b81f858a38252b38ec668a7a

SHA512
8452c7acd1aa7a76c3b10360d9137bcf512979e146eadc127f15a738a1031b515c910a204ffa62812c15d86288d33da80dfcce171c1f3534091db379751372d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB1CD.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
7aad5c0c2a4a8e2d4f6c463b63dc0609

SHA1
f257472d5a8e441c9300a9e4dd63f6b559a98bd0

SHA256
03e2ac88d13ab95dbe53b037c458cc57e3ada6153022d9d2a4097aea938f89b6

SHA512
418498124c939a44fb1bf3ce9113bed5cf419475c430e566e93a7c493037f788d82edb4318a4f9f833e1ffb6f3dbeb145ad3ccb82517ecf4cb82bac64dd42ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB1CD.tmp\NsisInstallUI.dll

Filesize
1.2MB

MD5
9058a519cf634e41c67d3b5231bec34f

SHA1
6f5f85c60fe90ef396a745df47e9607096e71fb6

SHA256
e26aeb3a2a61a5f8ec6fbbae545d0374f7c7a90d82d676ad4703315cb9ae985f

SHA512
d1a36c2fff4c253314f949b793482bf15fac6f028e0d14bb10f82a6f7919edddac8313849fab570fdfde3258bdda75bc0bafcb0e40feb3cdf3320bb14acc009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB1CD.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB1CD.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscB1CD.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1.5MB

MD5
ea966aaea4634e68ddf601507bdbfbd8

SHA1
df2492ee0704ff4a49d1957bd9321c9e24b5b3e7

SHA256
2156f931969b571a01f067a61a902655af7eb0280f5476896b42a6f864ac9a07

SHA512
55c9c80b705a0621d2e7f4ca6e556581a542f69f9cb4fb6ae2997cb96b02ebc8b111a4030a967738682b46fb672adaeff2a3aa0f270a41e58c159fb49dd0f661

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll

Filesize
198KB

MD5
d585f6453c8f564da8db0573ee311e0e

SHA1
81df64177e63f98ceb9f6a4e0f002493abfc1e57

SHA256
ef09b83ce0becbae769a323037e8cd9922a1f57f3fe0fd1f92957cea232f4913

SHA512
a5973907c6ab1fa956a76a107957d59952a49b190c1e4dd82b7c49796516b896d59e256dd94ca0bf56d088dabe53d1681ebfeda3405dc47646c1c33d461dd153

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Filesize
22KB

MD5
50e940a33557749e8967787951b0b1f3

SHA1
5569074d7d12835f7f4a04b93f1b91b3b3da3500

SHA256
4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559

SHA512
4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\config.ini

Filesize
52B

MD5
5cc36a5a9945e4fbda1cc8b475f98ea9

SHA1
16ff4141e975705252b9c556c5da8c84e7dbc74e

SHA256
61d88eb427ba7668f56c7391410c4de3a8e17cde7baba80291f8a06efafbef7c

SHA512
8b451ca92dd61ace8fc6cc4bcfc09499aa3c006803a7bdca1bdac9ee40a7b8fc9311e28078f07fbe4fbf1d40d71ffcebcf49a440ca0c6c100391fea4ee888a9e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
b313af0c43927a6b145ad5fa4045f5d4

SHA1
6ad88405ff040bcb7950cdf5ecb6edb24cec78ac

SHA256
0dc503f6e66b641e6c83385c63e95a62b05154d209da39f9b66ed77f224626eb

SHA512
7ff74516b7268d16accada1135b4d29bec8373701851379522637becfc9a0350ec3110fc957f3f3631ef5a2779e26ff9277416dfcecacd2f40ca4f9b4cb4cba6

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
2.5MB

MD5
478e775f4dcbe0dce56c6a81441b6580

SHA1
ba21ebfc73a9892ababbd38b337c44a437bbe797

SHA256
ebf1e95daac0a91c12ae4dd77b61195ac09c6a91f37f5e00372a95ee0898400f

SHA512
9baa4a230147becd3d0a1c10cf05dd01856e2f134ff2b09e357b9e8cf32db86e1b1f22566c1745a06211875960072cdcacf81a582dc42cd6301f15c7352b99a4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\MSVCP140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
1.3MB

MD5
a7f4333bff84c76b238ab42e31a0549b

SHA1
39d8c49478b592152bf780e67d1de0a862859e8c

SHA256
6ab4aab77cebb53b2a2d65c567a888cbbbf0ebd18224330fabc38b3692a9c6b6

SHA512
4973198cb8276796f72df0a60dcbfb26e41a5c492309ed488d3b1df186c383964cca7be839f43a0d8254500a7e79f40942de44a049b367e3995bb89f689a1c02

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
1.8MB

MD5
7ffa3a827422607afcdbea18b6474915

SHA1
5a3295040a8b659315b2ccb238ca9d46c329f6a2

SHA256
762c5e41a1b399bdba60a7a045699e3046b25cbb701c7d56715bc0e017e8e366

SHA512
fee2c413c264cefefa3e85634b32469e67ad4ac6ba133750eac51a095499ad6a31718af2a039def684d68817103acd04f1671ee22ca0042d1d7a0f0b3d5d2390

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.8MB

MD5
bce254dbffa461fd2257839b34b81b15

SHA1
e554d9d8d4775d5b5eb8bb1a2cf1cbedd53b38dc

SHA256
15a8c8ad6f8b99f758b82843d92a110616df6dd71a4c20873817db69e9b5008a

SHA512
3376c40fa1115cffe8da2b7ff2d5b3242d00b6353f0268b3e39abcc72742691e9be2392b0760b74e8a4c722c25e10f816f651082dfefe915a1c7ee2cc1398fcb

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
4.0MB

MD5
e3150a08ee287226f5124bdfdb165ec5

SHA1
b8fe5b50f9370bd4818e3180b1cf0a495d9a375c

SHA256
d8e1689a8c08e4131753114812de4678bb935b4da46f68d880fa9a770162ebbc

SHA512
a744aa1599a22d0be146b3ff0ed223c6ccd77cdf7a3e6b9cbf2e9b96722a3de766dc7ecedd8f9cefddabca51bd0cbc4ed570a429005d807854ddefec262dc949

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
cf207fac306ba6ac97f64a7426af8e6d

SHA1
82eebe1113259ee70b55d28203a64ce8ae42f37f

SHA256
83eb7ba759266d38df6afa36b98f85a076c530f7d0d75729df29d6c5d8943182

SHA512
75d9beb159185f3a7e549e4605a4090aedbcb87bc216028d440fad51b804308c47c4889d488ae52cb2694d2090126b056d22ecec06200eb28a1aff6ef1dc17d5

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VCRUNTIME140.dll

Filesize
64KB

MD5
d6f55f2dcc890e10efcddf9de9f4a7b4

SHA1
0889ebd116c8420029a560abea3c98ed254697fb

SHA256
9a06d3cb1e506f982f0e7b39b36fbf0b6e11ebab2da43ae4af835fcc9f23a54a

SHA512
05934757d2e10e1c1bf2a171036fe84c5a75e2aa28d0612102d1a71a675373c0d10bfa5cf18d7ce83eb5d7d594994c26ec591a4b8baaba8b0e5e7a272a656ea9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VersionInfo

Filesize
192B

MD5
ea13d4be5591a94723695cf320078686

SHA1
42e46f334d5c35a0bbe8760639da5ff9b22df25b

SHA256
4027ba07ee466f6b1691cfda9eb1bd9d806c543ce38e1544cc4a0eb42f938f97

SHA512
c2ab256dfad9836975f545b0bb82bed19972c402959334cf43c006a45547861281215a8239102f335119394fc8d57d53bd2986e24e0a606f9ba82986d9ed2eb3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDb.dll

Filesize
777KB

MD5
e5052a15451b530407d4efe5c9d563a6

SHA1
a6143bad9dba4aada2f390132a52f95e2d997e01

SHA256
49fb754862d7cddbf8bacf6d12d3ed9cd118d6951dc6c377232f732f3393b87f

SHA512
25ddac8a154d9f0f79a77b2c35d9f59001a5ebdee559b5617fa338a4c418a002c65d8a2112546b069877cb19c1cee6a6c84a04041b98e4e8ea6ea48f812e210c

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunDls.dll

Filesize
2.1MB

MD5
6d2b868a16e9c8e77abeeb25d7f6964d

SHA1
f06526f34115b73958b6f0a6be1f91db796e04b0

SHA256
698884840e45a96aad08cd7707458bd623b81bac90ae202ad0d102648e3e93cc

SHA512
b7fddee1ed9fdf483855b7d0eafbfe8d741b70dc64b2d1c5bee0fb05d70b69ed660d8b3c0b823762d7bf5f17652ba2aa7aad4774bc18be25b6655e0dc1a2f4ef

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunLogic.dll

Filesize
6.3MB

MD5
7ffc495cb6bb22f55c07ee0a347a7218

SHA1
81ae4025348a5bfd450abf230cb8763cb9d7520a

SHA256
5f0021b3eea912bf0d0f9a78d62a6ee00204712c7ff9d21f65c2c58da19f987e

SHA512
3c121da851b82a4fccc7bbea51a52982aeee8363092373c774ac8d4450f886ba917bea1414005a6cb758add26372eb8c09b3533fa7de5cf546560a54bc73d4f4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
6cba734e4869ed04b2ccef600108f20e

SHA1
1c340c0ae8d24237ef2d073b3c1a80afac372f9b

SHA256
6ac1b5ba0719b1cb9d41eddc105acc6efc41e7515070ce304181140c6c91d806

SHA512
4660326b4be06ff96ad516dd7d92b511834309ebafae534d373002c1659c59e454a749c6bc2f04ffc24bc72786b86563f74b7e6c33c32b6fb29f76d154c1be73

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
492KB

MD5
eaa3632ba4e15795986d89f85561ab2b

SHA1
0bb4aea61a195755ab904fa99b9c8cdb74d587e3

SHA256
2af36eabf3a0c101348e38c7dffcfc0b8209f104f13c0febe796491e0ed7e05b

SHA512
40e11fc522048bf48ecbaca394e76e115d9f7d1991b0cec10d1d8d290c10905655d0ab911416207e3b6eca3d479da6f962f4255126b0a75ed84a671a5f0aae7c

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
82179b4413766e62e7092357a2d7d04a

SHA1
6de04f0ff641b065e2e19a5533a6bede85719a0d

SHA256
8416ce1d616f9a2c94769f2f685474bc6a9dfc16af754c0e076016a34f9153b2

SHA512
5305f40e29a3fd47baf3fd3275c72635d760fd5d65c13bda4f0bd8e91dce819da78d4c6c9809633d54cc5bc017cd0df2b8f37ab274fa23374bd74801a3dfe308

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
8fb3601137a9e65aacfd5d17cb4f1b23

SHA1
fab0cefb670b446165bc08ee97165ad20ce2ab65

SHA256
6ad80c67aa7c9ddba7ef788a7967bab06174bb541ff6e34d25f7ec0fa1ecc122

SHA512
9a1d07aa836aaed9d271cbe4954aff7c8e47882df0f149036d8de033f6989d13eae22752d61fad9cdf7cf3c6f329b549bd6764477cecd102e6754f18ce1a89dd

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
192KB

MD5
b759cf465c8cc390d642b0e5c9fc5707

SHA1
52aeb2147054a81dbf98e23bd524a404860cc36d

SHA256
b763a068b99f38f599a4378b3ed7fbf167ecebef10faa6b4279aacf1bc6323a2

SHA512
20584547982f6919d8b3feb2453fd0194f2f2e5b80f15c0b89e5815c2a916afe723a2f995c20a0ae22fff03b4759eeb4d2f3486ea65d8bf38a7e943bb21ccbc3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.1MB

MD5
a7ac871cb3f12314c6343285366694da

SHA1
7c07202eefe4cd79ae91b07ec6c6a3846d4025b6

SHA256
e103c83ffb7761e8842062e502937b859ddbb67adc7fcfffd6c4a33e884631f9

SHA512
572f9030b757b7a5662322d14dd8b868e64172a51c64613ad9e8206b6826001cb2b0435a3c4f8a1cbc4872399d4f3d3d669e1ddc5c42c5994ec5c286b886a051

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
128KB

MD5
1cb16d948d547888cb1fe078508833c5

SHA1
809c8d8b255317a312b3811f4757494b4fa8eae1

SHA256
99fa4477776b5f13c27282d069f4a86ce6b48276a0044da1f7b374e43036c0eb

SHA512
f4ed7674659674619a81333f6c18dddde7a2bd8579a297432ecadfbd34f27bb11efe112d709e6a06b2dd9d73d95a2cfd01a49c4331537a644ec78f29d9b290f9

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\module\TeraBoxModuleList.db

Filesize
16KB

MD5
9500db720bac9e21df66e62a2d0ae452

SHA1
01ad0a09c41e83449fc9fefc668009f75345bebc

SHA256
067596f9349a8998c39f9ce9c3c258967c8002c7220d83d6616c855102b30c03

SHA512
485fd5d38a20115a7ed4c148b1db7190fa5065b041f821159171f90ae5ac492bd16951a3e2b6ef83d079368fc1eabcb64f432e3cdc5b85f64e945323e1dfd952

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
128KB

MD5
ab6d9edc326c1d43c15c8d7d621e04fa

SHA1
7ec553b62bed2b7b21edf4ae8eae457f5e1d87dd

SHA256
517677e4430e08d3d848179921b170978647da11d0ebb715ab71c113c0dd6442

SHA512
b228bd6b53732d2b7d4e28767093cb40d4a240cfcc0375a4c29a580491af1f1439319408cf038dc6a46b939ebbbc97c8fc05f30ee8dfec896e0598534843a762

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\resource.db

Filesize
52KB

MD5
4e763bf1c22fc2436b2ebeb570650141

SHA1
710aae9f8a389c7158b899d69da305327d410024

SHA256
6af91d2c0015f2355f3559c21185945d0d7c269c4423f020f62ce5855888acc3

SHA512
2a1bd50196f8a079b59d7a826b2350d3290c3e3006d3512485ebcc5340a624c53176981f6fc539f92f39027e574cda1c566106c221ef6a0bc437017b46b0f765

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
3c2b6acab01820bd74fc22be0b07614b

SHA1
dd6e56ee9855a12db7b8bc315fa21c03186ec072

SHA256
8d6ec84fd334f9816c9bbc751587ceaa7c1f1029be8497241fe22c237e937094

SHA512
4e69d8b534242c84b489405651915b4c1b567c71a4018f953ed6c3c8a466941fcf780c4b40ce0f16125556ee41dc7672177c81aef270c43ac59958157392c6d5

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
384KB

MD5
df8efb3f33d026d3e1d532cb67b8fd83

SHA1
aa30c2d4f13f5b7c930a64a29307ee1fa47c63a8

SHA256
8021d9af781e2d36fce39601b4d60b0eec0ccf8c435a3d8f3fb552499c01c922

SHA512
dcdcf8cda55879bc77c74b51919275fd50faf871529993b9f50bce4ad95d75021e4ae8af13e4f80bb1dadc7daecb21c90dd6d1e4e011ff1daa2ea4aa27964070

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
635b7ae278f9b9cb4427f81bdf6ef41b

SHA1
598f211f3a15d98788d0428e0c2bb2b23625e349

SHA256
f15129d4cb3440c003e3847519957ab367dc95cde15aa5087f8286374b924fc3

SHA512
62a3e11f8a922f349b30811cbf44503eb0f96b5121c131f407e766a31ade85926a9c4fd4fe6327e8120970a4a23ad38f62541a9681d11b875fa93fe50c4c28d8

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\users\localdata.dat

Filesize
135B

MD5
8b33ee873631b455610c30e89b783c93

SHA1
bb735c65e56e7345e9cc863756ec6269a4e02a42

SHA256
85479aace7f91dc6f7a84250c2e573ff4d32e7fbeed1224a430337b29d4c3b54

SHA512
587a49bea7edbec0f34bf68cfa5087fb83e1892a3a78f8abe4be349bcd202ed19eec6a762ab2ebe6aadcaf91a1fd5f46024e3099e13ed1f52c9fe5860c7f7902

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
42KB

MD5
138a1f7ec0786b1c078c8adbaa87886b

SHA1
0964b25415913342e01e30fcc63e58f01ee8de3e

SHA256
3ec182ab438ab62d320471759cc2181b1527a274976ef868d47e2ad41a905738

SHA512
588e5b4bb99bafe9d594cf19fe23c50f6557ca681deb7c8acd11267ce6ef731b1968081029e0419c872cb8a847f3eb3321edd09c418e779db27ae4767eb7b9bc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\xImage.dll

Filesize
1.1MB

MD5
f3bfc402fa3f63e35c30eb0269b39a66

SHA1
71b5a5b7102a43ecf6441bb949c9075c2e9609ff

SHA256
9a64c2fe4edf3dfa7305f009ec4686abce7f60aa486062842995bb4b6dc91753

SHA512
d9738e9f5d4309bd10c83a5171b5af61fda39aad8ca1c569d683fb546430e2eb74d88eff3618cfef98190e298b692b76f316abd5dcd164457a23009dfdd84cf3

Download Submit
memory/1528-369-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1528-375-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/1528-455-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/1528-370-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1528-356-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1528-357-0x0000000065640000-0x0000000066A6C000-memory.dmp

Filesize
20.2MB

Download
memory/1528-353-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/1528-349-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/1528-316-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/1528-317-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/1528-348-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/1968-255-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/1968-239-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/2124-238-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/2124-201-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/2124-284-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/2124-278-0x0000000004220000-0x0000000004230000-memory.dmp

Filesize
64KB

Download
memory/2124-248-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/2124-243-0x0000000004220000-0x0000000004230000-memory.dmp

Filesize
64KB

Download
memory/3004-402-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3004-403-0x00000000001C0000-0x0000000000260000-memory.dmp

Filesize
640KB

Download
memory/3624-234-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/3624-236-0x00000000002C0000-0x00000000009A4000-memory.dmp

Filesize
6.9MB

Download
memory/3888-167-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3888-17-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download