zloader | cdd9213c986f4dcc1f2c07f584d564c6a3ba00c9c27fe016bf51fd70ff0ef973

Resubmissions

28-03-2024 13:35

240328-qvvdysfd4s 4

21-03-2024 15:21

240321-srcqvaed68 10

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeraBox_sl_b_1.30.0.2.exe
Size

85.5MB
MD5

bf389a8ab715cd3e1240ea6f6872023b
SHA1

ea216a5b29480223a96c609585bc37d1a2a8b658
SHA256

cdd9213c986f4dcc1f2c07f584d564c6a3ba00c9c27fe016bf51fd70ff0ef973
SHA512

f17b9411f9b2803cf4dc2d98ba529bd55eca953be340abd1da0f9fa042e61fcc181e74b0bfa7fb4e9bb1ce3d97f14ce80b2865d20f59741a594f39f7332a3505
SSDEEP

1572864:9m0dHtOx0eSgs6bZQ+/bKMN4+j6Hv5fhEk6MjHOi8IIXBBLyREG:c0jOyera+/bKMFj+x6wO0IXHyRB

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	TeraBox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	TeraBoxRender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Executes dropped EXE 15 IoCs

pid	Process
2232	TeraBox.exe
952	YunUtilityService.exe
1676	TeraBoxWebService.exe
1872	TeraBox.exe
1864	TeraBoxWebService.exe
2612	TeraBoxRender.exe
2516	TeraBox.exe
2496	TeraBoxRender.exe
2528	TeraBoxRender.exe
2524	TeraBoxRender.exe
1780	TeraBoxRender.exe
1232	AutoUpdate.exe
1936	TeraBoxHost.exe
2476	TeraBoxHost.exe
2980	TeraBoxHost.exe

Loads dropped DLL 64 IoCs

pid	Process
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
2232	TeraBox.exe
1364	regsvr32.exe
1092	regsvr32.exe
980	regsvr32.exe
2996	regsvr32.exe
2992	regsvr32.exe
2764	TeraBox_sl_b_1.30.0.2.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
952	YunUtilityService.exe
2764	TeraBox_sl_b_1.30.0.2.exe
1676	TeraBoxWebService.exe
1676	TeraBoxWebService.exe
1676	TeraBoxWebService.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer\ = "YunOfficeAddin.YunWordConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer\ = "YunOfficeAddin.YunWordConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\ = "YunShellExtContextMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	TeraBoxRender.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
2764	TeraBox_sl_b_1.30.0.2.exe
1872	TeraBox.exe
1872	TeraBox.exe
1872	TeraBox.exe
2612	TeraBoxRender.exe
2516	TeraBox.exe
2516	TeraBox.exe
2496	TeraBoxRender.exe
2528	TeraBoxRender.exe
2524	TeraBoxRender.exe
1780	TeraBoxRender.exe
2476	TeraBoxHost.exe
2476	TeraBoxHost.exe
2476	TeraBoxHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2476	TeraBoxHost.exe
Token: SeBackupPrivilege	2476	TeraBoxHost.exe
Token: SeSecurityPrivilege	2476	TeraBoxHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1872	TeraBox.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1872	TeraBox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2508	mspaint.exe
2508	mspaint.exe
2508	mspaint.exe
2508	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2232	2764	TeraBox_sl_b_1.30.0.2.exe	30
PID 2764 wrote to memory of 2232	2764	TeraBox_sl_b_1.30.0.2.exe	30
PID 2764 wrote to memory of 2232	2764	TeraBox_sl_b_1.30.0.2.exe	30
PID 2764 wrote to memory of 2232	2764	TeraBox_sl_b_1.30.0.2.exe	30
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 2764 wrote to memory of 1364	2764	TeraBox_sl_b_1.30.0.2.exe	32
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 1364 wrote to memory of 1092	1364	regsvr32.exe	33
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 980	2764	TeraBox_sl_b_1.30.0.2.exe	34
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2764 wrote to memory of 2996	2764	TeraBox_sl_b_1.30.0.2.exe	35
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2996 wrote to memory of 2992	2996	regsvr32.exe	36
PID 2764 wrote to memory of 952	2764	TeraBox_sl_b_1.30.0.2.exe	37
PID 2764 wrote to memory of 952	2764	TeraBox_sl_b_1.30.0.2.exe	37
PID 2764 wrote to memory of 952	2764	TeraBox_sl_b_1.30.0.2.exe	37
PID 2764 wrote to memory of 952	2764	TeraBox_sl_b_1.30.0.2.exe	37
PID 2764 wrote to memory of 1676	2764	TeraBox_sl_b_1.30.0.2.exe	38
PID 2764 wrote to memory of 1676	2764	TeraBox_sl_b_1.30.0.2.exe	38
PID 2764 wrote to memory of 1676	2764	TeraBox_sl_b_1.30.0.2.exe	38
PID 2764 wrote to memory of 1676	2764	TeraBox_sl_b_1.30.0.2.exe	38
PID 1872 wrote to memory of 2612	1872	TeraBox.exe	44
PID 1872 wrote to memory of 2612	1872	TeraBox.exe	44
PID 1872 wrote to memory of 2612	1872	TeraBox.exe	44
PID 1872 wrote to memory of 2612	1872	TeraBox.exe	44
PID 1872 wrote to memory of 2496	1872	TeraBox.exe	46
PID 1872 wrote to memory of 2496	1872	TeraBox.exe	46
PID 1872 wrote to memory of 2496	1872	TeraBox.exe	46
PID 1872 wrote to memory of 2496	1872	TeraBox.exe	46
PID 1872 wrote to memory of 2524	1872	TeraBox.exe	47
PID 1872 wrote to memory of 2524	1872	TeraBox.exe	47
PID 1872 wrote to memory of 2524	1872	TeraBox.exe	47
PID 1872 wrote to memory of 2524	1872	TeraBox.exe	47
PID 1872 wrote to memory of 2528	1872	TeraBox.exe	48
PID 1872 wrote to memory of 2528	1872	TeraBox.exe	48
PID 1872 wrote to memory of 2528	1872	TeraBox.exe	48
PID 1872 wrote to memory of 2528	1872	TeraBox.exe	48
PID 1872 wrote to memory of 1780	1872	TeraBox.exe	49

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.30.0.2.exe
"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.30.0.2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2232
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:1092
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\regsvr32.exe
    "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2992
- C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:952
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1676
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2044,8731860467251352324,528030662529209452,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2612
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8731860467251352324,528030662529209452,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2984 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2496
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2044,8731860467251352324,528030662529209452,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2044,8731860467251352324,528030662529209452,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2044,8731860467251352324,528030662529209452,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.30.0.2;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1780
- - C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 3018e -unlogin
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1872.0.1425686047\270287155 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.119" -PcGuid "TBIMXV2-O_8F6BB3C355F14DBD8FECE23EC603D3F1-C_0-D_4d51303031302033202020202020202020202020-M_52C7B7C5B073-V_3D82F382" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1872.0.1425686047\270287155 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.119" -PcGuid "TBIMXV2-O_8F6BB3C355F14DBD8FECE23EC603D3F1-C_0-D_4d51303031302033202020202020202020202020-M_52C7B7C5B073-V_3D82F382" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1872.1.1626035562\2039741463 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.119" -PcGuid "TBIMXV2-O_8F6BB3C355F14DBD8FECE23EC603D3F1-C_0-D_4d51303031302033202020202020202020202020-M_52C7B7C5B073-V_3D82F382" -Version "1.30.0.2" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
    3⤵
    - Executes dropped EXE
    PID:2980
- C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
  2⤵
  - Executes dropped EXE
  PID:1864

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

Filesize
959B

MD5
d5e98140c51869fc462c8975620faa78

SHA1
07e032e020b72c3f192f0628a2593a19a70f069e

SHA256
5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

SHA512
9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

Filesize
192B

MD5
b96f744600100d5229a533162637c3a7

SHA1
27fbdd3b8505ddd37854067749be8e638d8b1c90

SHA256
046cd06d22553446ac1fa70e70aaf4165cbdf199a1c6dfb4d89d88118f159230

SHA512
9c650404c09fa3ce90c8926c47ba56ae063fe32c68f35ef254eb862686e57594358aad46aea91633a9bdfbbf645107358ea229af773a26a25c0395fd55d3c59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96de3f59c14bb1735b43200adec93ac8

SHA1
99f476223e79cba75d8a0d651fa41dd06fdedd7f

SHA256
b2b7f7d332ddabdb4f9fe2799b8c5f90429f541a51ac267f106aad56d50692b7

SHA512
3a55c11d01a741eed6f21acbbd73e971026f836756e0251f57af05b1c22442924055017642b3b759c5eb845cd41db04ab04bcf2aabb9ae2beb7748832dcd49da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9fa1fd70068d19dba8cbb598618bfbd3

SHA1
607833620af8ed1f6be8b43b9d1b8ba49748d304

SHA256
0bc59db90f8cd11d433a6b1a71386ee4fea0c585eb2d1e30eab9205aa3748dc1

SHA512
5f861b4fa2660ffd4ca73bda58871d9b519408b505fe3164972fc60b3fc2432f4bab7601b6e78224661e5747751829c59ad2ba5003cd1f3a57db092aa72d83a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E1B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FA8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBA1D.tmp\NsisInstallUI.dll

Filesize
869KB

MD5
56b9d72cbcd9b8abd943e989073e0218

SHA1
9e350c8033040d2025f5b17fc5214c18026e33ee

SHA256
4bd282cbb32e46e94554e6b542670a665a87386c1d87efc7799378ca8b3a91e9

SHA512
cfaedcbbe8fed75c1d4a72a01389e3fbb6aa4c7c81270a047158991fc0de47a690213f1a80f481e6b9a7f9dce8186059c37f4cb6eda97b8fd2fb6e31c517fe8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdBA1D.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Filesize
22KB

MD5
50e940a33557749e8967787951b0b1f3

SHA1
5569074d7d12835f7f4a04b93f1b91b3b3da3500

SHA256
4a0fe43edb114b8df1ea5088966f71c35091e89a96894738cc61dbe59fe63559

SHA512
4011d8a6619d9b9c002dbbea6cc70db7dc894760ad9938ecf63f32e717d49b9e4f983a411d31e2cb6a30aede455ebe60db74aa2f22497667793635b2b33f56b0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
896KB

MD5
3f0ae6d7c71db178e13c22830bfa4be6

SHA1
0be5b7d8bd78d4d8d27182d201f2702a75a48491

SHA256
525ae8397e23effcdbd1fb6dfb48836227f0cc84084947becb7c9629ef595c4a

SHA512
1c5c3d38f326aaa8fed4b9fa7617f3de8d1124d57abc642def63d6da0a8056edf782bbad386b1f6ebe171678556ceb00ae2da5a86a764e9e5fbd2840900b7de8

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
42KB

MD5
6a5e778b087524bc1637b395144f4fac

SHA1
39208218ec2de5142bcc02ec1a6ac894b95d80f1

SHA256
e42ca40790be42b9d2f100174e1611067a6bdc6913416e7613fcbf5700b286ac

SHA512
1784e4eb06b5461e611972c2c27d8acfa709d382e35968733b464f8b33ce4a4d775efbfb596f356fc5ce9d5eeb0d726cc079ea3ec6bc794ad20e3f97d4213c11

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
711KB

MD5
4702b2b5b9d04a05edb68f21f6bd5c07

SHA1
7992f459dc4de356c957b3be6e9da807ac343a8e

SHA256
f655d5a60e9170c781946e1b3e8d0f324397e59add6c01ffa11f99f7d928824c

SHA512
1e9589d57c8074aea16a3aeb37d5a40bc8d27c6aa7c157636e9e33feddfb4f7d885e38a401bbdef6e533bba80e1386a22f46d17f1fd60b6c0d701314fb051879

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
281KB

MD5
a7eea485eec96d815596156d2f653248

SHA1
fc748d902e43494584a22c6ca5b6c0ddec4bc758

SHA256
fbb88429f64f37736c4511da2180dae2b003fbaf00ad5ff716f15192affac12e

SHA512
4df2187d21b1b4a4c4790cc3c4665672958801d3cf4c6bf44f0128bd9d05e5d327e19cba0f1801bd4005b2d8e3138ec949996d59d20f07249893c23889368d02

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.0MB

MD5
865dc4c4388f874e3568ea6c4f3db0b7

SHA1
81ba16293f143daec23b5c30da7048d90027d846

SHA256
c2dcbbf01120f7fb4f0758c2a1afff02e44874e5e94f97b13db214b4bb90f153

SHA512
2c4cdb16628583525a85bb3440d5efbbc513eda371582ba37a5aa332bfb2bf9d8a5bf5d1c189a2958bc0bc4ab5cbcb8451544008165fcd564039198b38620796

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
784KB

MD5
6508b64958f2d8c62c789be2644e4296

SHA1
e14588db02f4332352990710b55571604ea644b4

SHA256
c8eee35483e047b4ffaa236b93b75c182109b472e8f5b776a22fdb6b55d004ec

SHA512
486159218fd6f5144fc7c34be1ddbd394941951b5ada29c4b37d9601487cc469ff46fc00836618cd7d5ae50fe58d3202707a9b6b4e93519420de5e93e424cd01

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
576KB

MD5
d75b864b5cde171fd998013f50746ff9

SHA1
ffab2a9fc517c015f0400c67245a7a51b0c68b57

SHA256
bc1a4252f4f070be833d17883da1fe70c786aa32975e2a2706a38201bb915e42

SHA512
1cc827f0e1f9fd1460c389d20dd92487f082dff59ebbb31052760f985ede01c959ae2f081eb92b4fe6a38c3f25268aec47e84d535818ff391624b2d5a1b24b40

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
39KB

MD5
d240bebd1f8cb22c27b841dcc3df9be9

SHA1
3407e0f2928b5a644767d5687841bf93af03480c

SHA256
aa87c04593d3c3888af3d137a15e36e703221dca39c9e22ca661ff261b6fb285

SHA512
28141bf806bab0d8319656218b7442742912786eb29d06c2a0c0620b79ade31c1a9e25a9f32d6c5d47b87e2954552aa76eef8ed874f796a7151a2bb66e2a6d5e

Download Submit
C:\Users\Admin\Desktop\TeraBox.lnk

Filesize
840B

MD5
a86a06d72088ca20b422fce2695ea8ea

SHA1
c57eb9c20eba2f34683cd14ee83e58ffa434ff2d

SHA256
b3920ceb12e22009d75931df99c3f027592a260f3ff409bbd0acddc83ffa2d8a

SHA512
1d760e9a533dfd2edcbad045229ee2bd312bdcfedb039adf4ea1cf8a1f466caf44c814d268e3f00234480ca6367bd57645e8f18da392de56f31d748014068c03

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBA1D.tmp\NsisInstallUI.dll

Filesize
2.1MB

MD5
93a820253b303c46ca5b6ba1e9ccec8d

SHA1
e691405b2906037008aa9e21817f579bf6c122ed

SHA256
6291ca8ac49760517bc06ed1f180d98ecd98b7993b32bcf6e350aa3993a42937

SHA512
708bce83e878a2a7c3dbbd888db5916e553c641915aaa182629612e8981c77a6110390569755566490615aaf6f5b4a637f47c4e8a103a158f42284b8c3bf1c6a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBA1D.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBA1D.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

Filesize
1003KB

MD5
6c6023814b9423a7080139bbcce09389

SHA1
500edc226fc6cd9f695d94b303268f3c20aed7dc

SHA256
74fc3920ad2b10804a1af2a3a10158b83802becc3499d3e7894d5ebbf9426d02

SHA512
e85e7f2c377e7513dc07ed3af4da6189fb8328ac72702d73853c82db17030c1783fc92bbc2cd4039df987d9fc1462128bba02b506d752abc82241c687a1c7aa5

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll

Filesize
1.1MB

MD5
59f8eb3b0e164e67cf00881fb90ebf94

SHA1
1ba28900a402ec566d8fd492885321d81d6a1e70

SHA256
d7fd7c2b8576d5ac3ce8ec068d4a82e10fab89672f465cc22df66f3ffa762055

SHA512
2523bf6d152d641c1a532f722d0187ca5078f190bb603f8704e5b38270b2757397884eb30e40561b72d5991a3b8ff13a6d32ecd36049682033fcd0db0f325883

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
256KB

MD5
b09b5543669fd6d59089132d14d5e07d

SHA1
05a4fb0ba3afe0ae46b4b2d88f4fba622e73a806

SHA256
5d2579404c2fdf9c0e643dd7b183bf2d95e955970f5926ec7a98a6da69bd2522

SHA512
6aa27acced9e6b674e1dafcd73b9603d613e756873009141956ddc04ff98169b04cc0e4f5722319d0c45c0c95fec8647ee24a6a105bcfa370477cce527245dbf

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
544KB

MD5
b51fe0a421dace423c266da45a0929a1

SHA1
9b7672f0e38d41614922e87e4fad9a0ecf944b32

SHA256
9ff81d7416f3240fe40b308595f73efd5d898ad86d922532854bcb53594101c5

SHA512
b13deb822c39715d94b18d822b65d292132ca1b3dd92b402f0c23644c6ef27c3c67a7a07523acae82ad23e7fd0ff65c530be33e0f57012473adb9d36671dcf5c

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
646KB

MD5
7b9d2c8d3f9bd0ad0dbe68e20d632c78

SHA1
bf8e49c707b4cb13edb375d0b08359b992b058ed

SHA256
c62d0525263a0e106619e6d4527100dd6bced5a8e01cb30d0a7a00a58cc7f3d3

SHA512
7f623cbd3ffbe0c26bf765cffd02111efb402dce91ce4473915eb5cb1f64d5f80d8c67bf4b24d40b818e71152ec9eeb7365ff06f3411e63756493c73872770bd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
488KB

MD5
52de598a4541a83e7c06c363ac6d78b8

SHA1
961e29a7fe1a2fd657e328ff39e0c03c9db008f1

SHA256
907be2ac41a3a531c90e9194f58e5ff72e462ccbce3ad8ed756e3d8506d8979e

SHA512
d351d2772a2a0b76095d741ebb9ed5f95598bc7806934b791ec5322dba9b082507eadbea27cf268c4d3e39d82b8a6f3082641f86e1a30d97674d1856f5c6e879

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
653KB

MD5
5ec8f0e97138c33b68ad49cd12580dc6

SHA1
5b8dcfc024804c07e2ac3135248e4c985a55d404

SHA256
f4dd33218185130ad86d2cabaee83b38ba111a83e216a00c63082da498279b0c

SHA512
59ef8a33cf8062f29f5cbe9125e40d54225c64810df57aee199f66e1fc6ee0c87f9fde2be71e792daf5ba23acbf0ff616faaa4f18a24c1d8e3ec569be700359d

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
00d8b4bed48a1bb8a0451b967a902977

SHA1
f10ef17bda66d7cab2840d7f89c6de022a7b3ff2

SHA256
568d7f8551d8b4199db3359d5145bc4cb01d6d2f1347547f47967eb06a45c3b5

SHA512
e248cbc06fc610f315d7efcadb39b5cb85dfe5d40858768d5aea8d41b3b4b23eafe0db2b38cce362fd8ba8bc5eb26e9b2dddc00e2e8615395bca818ecfe0decc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
534483b0f4a1924b1ae6d7e66b4a4926

SHA1
4e954316acd216007f4a0225b138e0c0a04fbbed

SHA256
c1bca1bb524c5ae3d877a099f469b6fc34288bab26ae7a7f4fc47cd869f4958d

SHA512
cfad2ddf8a9ad67e36e978726d8a12ca26b180f73122b2e8d19a83f73028a050d9f418e7525f576cc3a9601b3369d4494dddbde620b4011b7ca8a7ec4b0d1b12

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
73483cbc229c62e129627adbf62b0ffe

SHA1
074ce67665c86355d3218b5e3ea4b1b335095af8

SHA256
13471eb84db95f8270398ef1deb29f0ea024db17e331497545c36eea7b2a3a7c

SHA512
92f06cb8971e29da7607c6b1d1377f21c7e6f0e4a169aaa08326038d5cdb09422b91f4f2d26a7978521e0edbb9cf1235e583f2910048c917ccef8d12c5e1166a

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7016bf365a155d29f01a000942a017ef

SHA1
47e25b97af56edbdd20ca72bba994c6bcf1b81e6

SHA256
b5f815d0a41add7fd9593036a8e6843fcc221298fefd61808f960eed3cc19830

SHA512
2cd7e88717a2d81811ce03990737888b8a1e9e351dcdad401ffe5924bdf97be086bd766a1a5b25411b760cbf81b68bebd94d915100b6bc1310360813af11f827

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
9efdffac1d337807b52356413b04b97b

SHA1
2590bd486abce24312066285fa1c1feaf8332fe0

SHA256
e1a87d7d01e2376dde81a16658915ccf2ecb692739fef09adfb962523756e22d

SHA512
b3c164e50d48a78bd08cf365e02e263b97ec2dd3efcf04914c8677c838e10be23df5178a8618e3f2a6feb6faa2bb74eaf069e7e2db7c6e6fd9d0137dcffbcead

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
42c72d838c34e4e7164c578a930b8fc7

SHA1
82d02cb090eb6d81a1499189e4d3e6b82aa60061

SHA256
f1667bbda1b58fc688b422fd2f9f7040919c4ababe00a4be78b258cae2dfc3d3

SHA512
1020d6010dca512adbc18f44b6453a974a200766013c39f6cb1cd0a72234a241c73587c929f1d0fcadf90c3eb71264086167f05bd7ebceb5b944f4e4a0811d92

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
4296cf3a7180e10aaf6147f4aecd24e4

SHA1
f81e09af979a1146774d554783d1a22a03a61393

SHA256
147f86ff93d61fea256b3de9149e1b36b68a83762e62a3389466218e18359ffc

SHA512
60357edde6572c5e796f927c3e72c31a96ff700624b7366fdda64bcf51ee00bf1e9ab477a46d8d3ba7391ba10491e69f745efec3607f8f49b6e1a3a3de7a0648

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
5c6fd1c6a5e69313a853a224e18a7fac

SHA1
10bae352f09b214edef2dc6adcb364c45fafdbec

SHA256
3aa0eb4c47ac94b911f1a440324d26eee8ddf99557a718f0905bfee3cf56255f

SHA512
08c2b1150f6bf505d10085a515bbfab6c1e18663c6ef75ec988727e3d30210532d03bfbfbb048b1a843d4faa5d1060f9079e018a9e892bce03f899a5a85f6034

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
6a3d5701446f6635faff87014a836eee

SHA1
7bbc9db1c9ce70e9fc7b7348a2c96681e5d8265b

SHA256
16ba05a1fa928501ffaee2e9dce449d28e8fe538df5ec6d8d1080b610b15d466

SHA512
839a1277b6dbb9f2d6e572e1b50b0ad08c93256a1367f36997db07285aa7b251346499a643a985a22d9a7618635c11964e414073aa7e1bf60d36368829de8fb3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
4ec243792d382305db59dc78b72d0a1e

SHA1
63b7285646c72ee640d34cdc200bfc5863db3563

SHA256
56e0bdf91edb21f5f5041f052723025c059a11360bb745f965a9903de9c61756

SHA512
88f648d45927db65ff8cead4bb1959b1297410bf3f5b3b2783a173d708649260a61470342694de8b93e9c1657de64db43db40ee71acc661b03786c0921d68d4b

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
a51cfb8cf618571215eeba7095733b25

SHA1
db4215890757c7c105a8001b41ae19ce1a5d3558

SHA256
6501894e68a3871962731282a2e70614023ec3f63f600f933ec1785400716ce1

SHA512
9ae11ab21486dea1aba607a4262f62678c5b0e9f62b6a63c76cfdc7698d872d8696ffb1aaae7aa2e2cf02c1c7eaa53d0ce503432960f4be6886fae0de2659535

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
8d097aa5bec8bdb5df8f39e0db30397c

SHA1
56f6da8703f8cdd4a8e4a170d1a6c0d3f2035158

SHA256
42c235914844ce5d1bb64002fca34a776ae25ee658fc2b7b9da3291e5def7d4d

SHA512
a891536e2a362fc73472fa7f5266ce29e8036959701bc0862f2b7ea5865dcd1505615edc8e064fb2f7aaa1b129e48422efe7b933b01faed9c2afadd8a64452dc

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
ab87bdae2f62e32a533f89cd362d081c

SHA1
40311859dd042a7e392877364568aad892792ba9

SHA256
0439703e47c8fce1f367f9e36248a738db6abcd9f2dd199cb190d5e59ed46978

SHA512
dbe0073da8979f3d32204680015b60435226840e732b5df964dbeeb7920c0bc5df92d866964f905518c97cc3539f628664503ffa64e50a2ef90c459b62555444

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
169e20a74258b182d2cdc76f1ae77fc5

SHA1
fce3f718e6de505ac910cb7333a03a2c6544f654

SHA256
224f526871c961615de17b5d7f7bbef2f3a799055cab2c8e3447b43c10c25372

SHA512
0881c8704421a5f6e51abd22c55608dd7fb678491682ce86066e068b1973ebf11d6c2163be610a49f87e800c8563ebb41abfe36e1913d7d0b8485fd29ed81bf7

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
49363f3cf4671baa6be1abd03033542f

SHA1
e58902a82df86adf16f44ebdc558b92ad214a979

SHA256
505d2bde0d4d7cd3900a9c795cb84ab9c05208d6e5132749ab7c554ccd3c0fcc

SHA512
98e78a607cfbb777237dc812f468ec7a1abcba9472e20a5780dfc526f7992da1841fcd9e2f76f20fa161240007f185c7fbdc120fb4c3c1f2b90fdad5913d65dd

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
be16965acc8b0ce3a8a7c42d09329577

SHA1
6ac0f1e759781c7e5342b20f2a200a6aab66535e

SHA256
fcd55331cc1f0ff4fb44c9590a9fb8f891b161147a6947ce48b88bf708786c21

SHA512
7ba55fa204d43c15aca02031f584b3396bb175365dad88e4047b8a991f1f1ddd88d769e4d8cb93ee0ed45e060a1156e953df794f9cb8bb687c84c4a088da2edf

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
3eae6d370f2623b37ec39c521d1f1461

SHA1
86d43e2e69b2066333e4afa28a27c7a74ff89991

SHA256
ce74bdc6999d084a1b44b2ecea42dd28849b2825d7779effdc4c18360308b79b

SHA512
30b2b6cf5cd1bbdf68de048e6d992133fe7ab0c847fa0d5eb8c681a9688d60794621a40178451a104036a0fff2e1bd66a18d9f96be6b28dbdc0bc1c8a535fc85

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
a440776e10098f3a8ef1c5eaca72958e

SHA1
7b8662714f6e44fb29a4224a038e4127964003e9

SHA256
40d8bc312ac7bca072703e5f0852228cde418f89ba9ad69551aa7a80a2b30316

SHA512
b043cd020d184a239510b2607c94210dc5fdc5d2a2b9285836bdce8934cc86a1cc3f47a2f520b15db84f755ac2e7c67e0247099648d292bbd5fb76f683d928df

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
a0a883e26be6800508162e2a898148d9

SHA1
4f79892e7766cb7831211864978575598c86a11b

SHA256
9753ae83536767c73e340c36c5f1610bc76a3e67e033b07503ec31431cba7b90

SHA512
70904f2fd074073aebcf665178b34cf7f0f42ced7223ca296f7f202f6fa0175ace2832d9802f5bff4d67891ca09ae14fac47420d69107e72aa44b541a190f6c3

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
886KB

MD5
28e156969d85aa2eb728bcde94f1536c

SHA1
e36a4af76afb9c5e9cd871391f86667dfaed40d6

SHA256
fc9bb6a088c000b9f549ef66fe28e58b153b656a6cbd8ea1964d59b5fb2d55bb

SHA512
895cb78da59a54e46b840c5b02b7112efe8ebb22e0d26b5fc576a1a0ca6b813afe5a1c87b3ac900a73db4d21f65dd84e96c8da87851a4dc84177266bb8dbf02a

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll

Filesize
863KB

MD5
8ed02a1a11cec72b6a6a4989bf03cfcc

SHA1
172908ff0f8d7e1c0cbf107f7075ed1dba4b36c8

SHA256
4fd02f2699c49579319079b963425991198f59cb1589b8afa8795b5d6a0e5db3

SHA512
444fe62a5c324d38bdc055d298b5784c741f3ca8faaeaed591bd6dcf94205dbf28c7d7f7d3825ccb99eff04e3ffd831e3f98d9b314820841a0c0960ae6a5e416

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
8KB

MD5
c610817daf60d09876195d5e334379f8

SHA1
04f5c327ae7575be55f86c728a56ea8de3b05b59

SHA256
f97cd04f4bd2b79a81acef2c8a6cb3e1373df16701d1541ad1c13c42baa6fe26

SHA512
5a2ea10f01e30e85659e564bb578af7eb304759c64200991e035efdcb71415c964349dce294c254eff55bca68325e28712f926603c032884c4e2701e4c4c45e4

Download Submit
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
memory/1232-1324-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1864-221-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1872-247-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1872-260-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1872-412-0x0000000000E00000-0x00000000014E5000-memory.dmp

Filesize
6.9MB

Download
memory/1872-475-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1872-246-0x0000000000E00000-0x00000000014E5000-memory.dmp

Filesize
6.9MB

Download
memory/1872-261-0x0000000004500000-0x0000000004540000-memory.dmp

Filesize
256KB

Download
memory/1872-682-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1872-805-0x0000000004500000-0x0000000004540000-memory.dmp

Filesize
256KB

Download
memory/1872-890-0x0000000004F90000-0x0000000005190000-memory.dmp

Filesize
2.0MB

Download
memory/1872-891-0x0000000004F90000-0x0000000005190000-memory.dmp

Filesize
2.0MB

Download
memory/2476-1458-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/2476-1444-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2476-1593-0x0000000067F30000-0x000000006935C000-memory.dmp

Filesize
20.2MB

Download
memory/2476-1418-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download
memory/2476-1419-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download
memory/2476-1420-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2476-1421-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2476-1424-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2476-1427-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2476-1426-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2476-1423-0x0000000067F30000-0x000000006935C000-memory.dmp

Filesize
20.2MB

Download
memory/2476-1429-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2476-1431-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2476-1436-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2476-1434-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2476-1441-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2476-1439-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2476-1592-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download
memory/2476-1446-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2476-1449-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2476-1451-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2476-1452-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2476-1454-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2476-1456-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2508-1597-0x000007FEF7710000-0x000007FEF775C000-memory.dmp

Filesize
304KB

Download
memory/2508-1598-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/2516-275-0x0000000000E00000-0x00000000014E5000-memory.dmp

Filesize
6.9MB

Download
memory/2516-273-0x0000000000E00000-0x00000000014E5000-memory.dmp

Filesize
6.9MB

Download
memory/2764-198-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2764-20-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2764-219-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2980-1589-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download
memory/2980-1590-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download
memory/2980-1591-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2980-1594-0x00000000013C0000-0x0000000001460000-memory.dmp

Filesize
640KB

Download