Malware Analysis Report

2024-09-23 19:06

Sample ID 240614-y1wg7sthng
Target TeraBox_sl_b_1.31.0.1.exe
SHA256 09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85
Tags
qr link pdf zloader botnet discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09e65a661e85c3a3ab0e848809e44f20332b9f46cf5da364c7c8d3992c957f85

Threat Level: Known bad

The file TeraBox_sl_b_1.31.0.1.exe was found to be: Known bad.

Malicious Activity Summary

qr link pdf zloader botnet discovery persistence trojan

Zloader, Terdot, DELoader, ZeusSphinx

Adds Run key to start application

Checks computer location settings

Registers COM server for autorun

Checks installed software on the system

Modifies system executable filetype association

Loads dropped DLL

HTTP links in PDF interactive object

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

One or more HTTP URLs in qr code identified

One or more HTTP URLs in PDF identified

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:16

Signatures

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A

One or more HTTP URLs in PDF identified

pdf link

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:15

Reported

2024-06-14 20:20

Platform

win7-20240611-en

Max time kernel

145s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID\ = "{71CD4110-1E24-4B80-B699-9A982584CD3F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\" \"%1\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID\ = "YunOfficeAddin.YunExcelConnect.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [binary blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [binary blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [binary blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 1408 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 1408 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 1408 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1320 wrote to memory of 2964 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1408 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2492 wrote to memory of 2160 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 1408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 1408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 1408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 1408 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 1408 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 1408 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 1408 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 1648 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 1648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 1648 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 1648 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 1648 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2008,13916150946765898953,10080033296435866508,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2016 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,13916150946765898953,10080033296435866508,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2920 /prefetch:8

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2008,13916150946765898953,10080033296435866508,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2008,13916150946765898953,10080033296435866508,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2008,13916150946765898953,10080033296435866508,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 6.1; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;6.1.7601;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2016 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1648.0.471235571\1428365113 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.83" -PcGuid "TBIMXV2-O_B9EA6F6BF16F41ED8181DAAD06CD22E8-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_D917A4EA" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.1648.0.471235571\1428365113 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.83" -PcGuid "TBIMXV2-O_B9EA6F6BF16F41ED8181DAAD06CD22E8-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_D917A4EA" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.1648.1.1025207289\147909861 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.83" -PcGuid "TBIMXV2-O_B9EA6F6BF16F41ED8181DAAD06CD22E8-C_0-D_4444303031302033202020202020202020202020-M_FE0070C7CB2B-V_D917A4EA" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 301a8 -unlogin

Network

Files

\Users\Admin\AppData\Local\Temp\nsi36EA.tmp\NsisInstallUI.dll
\Users\Admin\AppData\Local\Temp\nsi36EA.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsi36EA.tmp\nsProcessW.dll
memory/1408-20-0x0000000002960000-0x00000000029A0000-memory.dmp
\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-conio-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll
\Users\Admin\AppData\Roaming\TeraBox\Bull140U.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-utility-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-environment-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-filesystem-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-time-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-multibyte-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-math-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-locale-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-convert-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-stdio-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-heap-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-string-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l1-2-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-processthreads-l1-1-1.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-synch-l1-2-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-localization-l1-2-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-file-l2-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-core-timezone-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\ucrtbase.dll
\Users\Admin\AppData\Roaming\TeraBox\api-ms-win-crt-runtime-l1-1-0.dll
\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll
\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll
\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll
\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe
C:\Users\Admin\Desktop\TeraBox.lnk
\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll
C:\Users\Admin\AppData\Local\Temp\nsi36EA.tmp\SetupCfg.ini
C:\Users\Admin\AppData\Local\Temp\Cab676C.tmp
C:\Users\Admin\AppData\Local\Temp\Tar681B.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:15

Reported

2024-06-14 20:20

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\ = "YunShellExt 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer\ = "YunOfficeAddin.YunPPTConnect.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID\ = "YunOfficeAddin.YunWordConnect" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ = "IYunWordConnect" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CurVer\ = "YunShellExt.YunShellExtContextMenu.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID\ = "YunShellExt.YunShellExtContextMenu" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\CurVer\ = "YunOfficeAddin.YunPPTConnect.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YunShellExt.DLL\AppID = "{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1\ = "YunShellExtContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\ = "YunPPTConnect Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu.1 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect\ = "YunPPTConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4712 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4712 wrote to memory of 5388 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4712 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5416 wrote to memory of 5872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5416 wrote to memory of 5872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4712 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4712 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5060 wrote to memory of 2260 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 5060 wrote to memory of 2260 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4712 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4712 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4712 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4712 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 4712 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 4712 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 2208 wrote to memory of 5664 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5664 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5664 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 5820 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5820 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 5820 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 2208 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 2208 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 2208 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 2208 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 2208 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2616 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2696 /prefetch:8

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2208.0.1411348423\733386550 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.193" -PcGuid "TBIMXV2-O_9F3F1DFBB8D14AEA90BCB5FC75D13586-C_0-D_DD00013-M_429904AF4EC5-V_087625B2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.2208.0.1411348423\733386550 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.193" -PcGuid "TBIMXV2-O_9F3F1DFBB8D14AEA90BCB5FC75D13586-C_0-D_DD00013-M_429904AF4EC5-V_087625B2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.2208.1.28100510\1748391147 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.193" -PcGuid "TBIMXV2-O_9F3F1DFBB8D14AEA90BCB5FC75D13586-C_0-D_DD00013-M_429904AF4EC5-V_087625B2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 60202 -unlogin

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2608,2229689848953241194,6069964660737850879,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=5516 /prefetch:2

Network

Country Destination Domain Proto

Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 20:15

Reported

2024-06-14 20:20

Platform

win11-20240611-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
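
The Run entries, the HKLM CLSID\InprocServer32 registrations and the lnkfile ContextMenuHandlers hook in the three tables above together describe what is loaded at logon and into Explorer and Office: a shell hook names a CLSID, the CLSID's InprocServer32 names the DLL, and the 64-bit regsvr32 writes under CLSID while the SysWOW64 one writes under WOW6432Node\CLSID. The Python below is an added example, not part of the sandbox report or of TeraBox: it parses rows in the report's own "Set value (str) ... N/A" format, rebuilds the hook -> CLSID -> DLL chain, and flags every autorun command or in-process server whose binary lives under a user profile, which is the first thing to check on a host. The sample rows are copied from the tables above; the flagging heuristic (path under \Users\<name>\AppData\) is the editor's choice.

```python
import re

# Rows copied from the behavioral3 signature tables (constructed sample input for this example).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\"" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
'''.strip().splitlines()

# HKCU ...\CurrentVersion\Run\<name> = "<command>" <writing process> N/A
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<cmd>.*)" (?P<proc>\S+) N/A$')
# [WOW6432Node\]CLSID\{...}\InprocServer32\ = "<dll>"  (the ThreadingModel row does not match)
INPROC_RE = re.compile(r'(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InprocServer32\\ = "(?P<dll>[^"]*)"')
# Classes\<file class>\shellex\<hook type>\<handler name>\ = "{CLSID}"
HOOK_RE = re.compile(r'Classes\\(?P<ext>[^\\]+)\\shellex\\(?P<hook>[^\\]+)\\(?P<name>[^\\]+)\\ = "(?P<clsid>\{[^}]+\})"')
# Binaries under a user profile are writable by that user without elevation.
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def unescape(value: str) -> str:
    """The report prints REG_SZ data with \" and \\ escapes; undo them."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def triage_registry_rows(rows):
    """Return Run entries, CLSID -> {arch: dll} map, resolved shell hooks and flags."""
    result = {"run": {}, "com_servers": {}, "shell_hooks": [], "flags": []}
    for row in rows:
        m = RUN_RE.search(row)
        if m:
            result["run"][m["name"]] = unescape(m["cmd"])
            continue
        m = INPROC_RE.search(row)
        if m:
            arch = "x86" if m["wow"] else "x64"   # WOW6432Node holds the 32-bit registration
            result["com_servers"].setdefault(m["clsid"].upper(), {})[arch] = unescape(m["dll"])
            continue
        m = HOOK_RE.search(row)
        if m:
            result["shell_hooks"].append({"class": m["ext"], "hook": m["hook"],
                                          "name": m["name"], "clsid": m["clsid"].upper()})
    # A shell hook is only meaningful once resolved to the DLL Explorer will actually load.
    for hook in result["shell_hooks"]:
        hook["dll"] = result["com_servers"].get(hook["clsid"], {})
    for clsid, dlls in result["com_servers"].items():
        for arch, path in dlls.items():
            if USER_PROFILE_RE.search(path):
                result["flags"].append(f"HKLM CLSID {clsid} ({arch}) loads {path} from a user profile")
    for name, cmd in result["run"].items():
        if USER_PROFILE_RE.search(cmd):
            result["flags"].append(f"Run\\{name} starts {cmd} from a user profile")
    return result


if __name__ == "__main__":
    report = triage_registry_rows(SAMPLE_ROWS)
    for hook in report["shell_hooks"]:
        print(f'{hook["class"]}\\{hook["hook"]}\\{hook["name"]} -> {hook["clsid"]} -> {hook["dll"]}')
    print("\n".join(report["flags"]))
```

On a live host the same chain is verified by reading HKCU\...\Run, HKCR\lnkfile\shellex\ContextMenuHandlers and the CLSID\InprocServer32 values directly; the parser only reproduces that walk from the report text so the DLL paths and hashes can be pulled before the box is touched.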

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer\ = "YunOfficeAddin.YunWordConnect.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\ = "YunWordConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\ = "YunShellExt 1.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ = "YunWordConnect Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID\ = "YunOfficeAddin.YunWordConnect.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\URL Protocol = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe" C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\ = "IWorkspaceOverlayIconError" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ = "YunPPTConnect Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ = "YunShellExtContextMenu Class" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B9480AFD-C7B1-4452-BE14-BB8A9540A05D}\ = "YunShellExt" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}\ = "IWorkspaceOverlayIconOK" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de
06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca70
2b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48
c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = [blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4916 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4916 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
PID 4916 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2196 wrote to memory of 536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2196 wrote to memory of 536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4916 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4644 wrote to memory of 2132 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4644 wrote to memory of 2132 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4916 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4916 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4916 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
PID 4916 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 4916 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 4916 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
PID 4020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 104 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 104 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 104 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
PID 4020 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 4020 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 4020 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
PID 4020 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
PID 4020 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\TeraBox_sl_b_1.31.0.1.exe"

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Windows\system32\regsvr32.exe

"/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"

C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2532 /prefetch:2

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2652 /prefetch:8

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

-PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4020.0.1143977174\502244790 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.12" -PcGuid "TBIMXV2-O_35D632EDEDF34DF89C63C5647A9F3E8B-C_0-D_DD00013-M_FAB45D70A648-V_1BE2D1C2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4020.0.1143977174\502244790 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.12" -PcGuid "TBIMXV2-O_35D632EDEDF34DF89C63C5647A9F3E8B-C_0-D_DD00013-M_FAB45D70A648-V_1BE2D1C2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4020.1.1143732150\584730371 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.12" -PcGuid "TBIMXV2-O_35D632EDEDF34DF89C63C5647A9F3E8B-C_0-D_DD00013-M_FAB45D70A648-V_1BE2D1C2" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 9010a -unlogin

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe

"C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2524,16377328776687787377,17770747898229753116,131072 --enable-features=CastMediaRouteProvider --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=4736 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.terabox.com udp
JP 210.148.85.47:80 terabox.com tcp
US 8.8.8.8:53 47.85.148.210.in-addr.arpa udp
JP 210.148.85.47:80 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
JP 210.148.85.47:443 terabox.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
NL 23.62.61.145:80 repository.certum.pl tcp
US 8.8.8.8:53 145.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:49980 tcp
N/A 127.0.0.1:49982 tcp
N/A 127.0.0.1:49984 tcp
N/A 224.0.0.251:5353 udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
GB 193.118.32.52:443 www.staticcc.com tcp
GB 193.118.32.52:443 www.staticcc.com tcp
GB 193.118.32.52:443 www.staticcc.com tcp
GB 193.118.32.52:443 www.staticcc.com tcp
GB 193.118.32.52:443 www.staticcc.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
US 8.8.8.8:53 static.line-scdn.net udp
NL 142.250.27.84:443 accounts.google.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 169.197.114.137:443 s2.teraboxcdn.com tcp
GB 13.224.81.65:443 static.line-scdn.net tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
CN 60.190.116.48:443 sofire.bdstatic.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
JP 210.154.124.151:443 ymg-api.terabox.com tcp
JP 210.154.124.151:443 ymg-api.terabox.com tcp
JP 210.148.85.32:443 sofire.terabox.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.32:443 sofire.terabox.com tcp
GB 142.250.187.196:443 www.google.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
GB 163.70.147.23:443 connect.facebook.net tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
BE 108.177.15.157:443 stats.g.doubleclick.net tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
GB 142.250.200.3:443 www.google.co.uk tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
GB 172.217.169.46:443 play.google.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.198.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 183.131.185.38:443 global-staticplat.cdn.bcebos.com tcp
JP 210.148.85.47:443 www.terabox.com tcp
CN 171.214.24.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.4.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.66.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.101.56.38:443 global-staticplat.cdn.bcebos.com tcp
CN 180.97.64.38:443 global-staticplat.cdn.bcebos.com tcp
CN 42.81.98.38:443 global-staticplat.cdn.bcebos.com tcp
CN 182.140.225.38:443 global-staticplat.cdn.bcebos.com tcp
CN 58.57.102.38:443 global-staticplat.cdn.bcebos.com tcp
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsd4289.tmp\NsisInstallUI.dll

MD5 075abe6be6b717434cea2879a54c4714
SHA1 dc02581f578d22db7460352a476727ac5b2fcbb9
SHA256 5a5e5398424a4eab5ea1fb905313ea56a19b7210e0da44861503bbf3f9826c13
SHA512 90937b6aab2a4eeac74a33cf238131e011edc1b1f2bf9a9ce6dc5e0d21923330131ba5014e9ea1176ee88ee03d847cc69e6f1e91f7f68aa65c7a5ac4852f9d63

C:\Users\Admin\AppData\Local\Temp\nsd4289.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsd4289.tmp\nsProcessW.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/4916-17-0x0000000003320000-0x0000000003330000-memory.dmp

C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

MD5 7ab6073a5c400a5071bfa4ef2d936425
SHA1 f794ea18eced4330979972da2a4bfa33c03afa2f
SHA256 7774449e13c24d2b0b69114d9ba044e80dc8378fa3dfb5d17a142d5cb4cde8af
SHA512 4371b6b49df43dab4abf90a71819276f30dca823c93335edd5513a67a646c97ef575b2ede650ceb2f0f168af13431254530e9bffc3db0f5b0eada1492c3cab73

C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

MD5 b9ee83666245d8de4f0709b03eac1ad3
SHA1 38eaee6757499aaf4e8869837a767708392e225e
SHA256 ce10dfac95461981072738c92ccf8b01599b5ddde2b0a21d18506d3528c83fda
SHA512 d970c2a52dfde330bd32bc6718d194b90f8bc3131d9d7905e0f438483f3030bf64dfc69091562f467cc6ea34357513614671db94d2b664208016c3c11b77f08b

C:\Users\Admin\AppData\Roaming\TeraBox\AppUtil.dll

MD5 7e489e7300d3177f64db31665a2079e0
SHA1 50b20f0b4e5bb5b35e68dd90a5c465dffd30260e
SHA256 7a426359908ae2b6ca1bc8a2773269a48126c2db23c171bc56a3456da4f0016c
SHA512 0b3b34c0e5e095dfd77d801cd7e85e0431da23bf1c943aacb855a40f5a0d9439d7667718abe654eac17ed474b3c9eb644b90cc8cc215c9adc99b12e29b7907d3

C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

MD5 216a2dd23f95bdd63cd88a50eb7e69bd
SHA1 9c63635c26e276179f8dba9e02079bb3170b0321
SHA256 63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada
SHA512 390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

MD5 b77eeaeaf5f8493189b89852f3a7a712
SHA1 c40cf51c2eadb070a570b969b0525dc3fb684339
SHA256 b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
SHA512 a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

MD5 1d8c79f293ca86e8857149fb4efe4452
SHA1 7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f
SHA256 c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4
SHA512 83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

MD5 bdbf614848cfc3fada7dae8a55a9ad8e
SHA1 78ad1a6c45e5df62659274c66b3c3a7a8731cdf5