Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-07-2024 03:42

General

  • Target

    TeraBox_1.31.0.1.exe

  • Size

    85.5MB

  • MD5

    29479b953032b1bd6ac2056691c361a7

  • SHA1

    afa4ac9af3654b2dda1d2fc4ea60fa579eaa6c34

  • SHA256

    c8909ff67ce9c7ffdebe28171f8eefb2eabbadeb8078409496b7f31803d45d9c

  • SHA512

    20894403cd64b9f174aee6a4cec239e22f7492937f0919e4add66062575dab5cef97639ba4dc38aa905d5e5c481f680a95be6b179123bee9f3a53434354a8119

  • SSDEEP

    1572864:ldJLtviAmwWBetc/tEyBVbvVnt5b5tOdX1WlCGYH1CxDMIgwMWDR8qlqmkSap1yx:ltmBH/maxt5bwEOVC5MIzML9hufp

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 64 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeraBox_1.31.0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\TeraBox_1.31.0.1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
      2⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4044
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\system32\regsvr32.exe
        "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
        3⤵
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Modifies registry class
        PID:404
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3296
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\system32\regsvr32.exe
        "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:4416
    • C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2344
    • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      PID:4204
    • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2584,7055662488105466865,12335298244315679012,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2576 /prefetch:2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4732
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2584,7055662488105466865,12335298244315679012,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2956 /prefetch:8
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:3528
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2584,7055662488105466865,12335298244315679012,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:4044
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2584,7055662488105466865,12335298244315679012,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1764
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
        -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4476.0.2033742350\1372227956 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.140" -PcGuid "TBIMXV2-O_6EE81B1F42524655A9F09DC7A0471720-C_0-D_DD00013-M_FE96FDA21426-V_80093E95" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4536
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4476.0.2033742350\1372227956 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.140" -PcGuid "TBIMXV2-O_6EE81B1F42524655A9F09DC7A0471720-C_0-D_DD00013-M_FE96FDA21426-V_80093E95" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:992
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4476.1.266794995\2115951393 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.0.140" -PcGuid "TBIMXV2-O_6EE81B1F42524655A9F09DC7A0471720-C_0-D_DD00013-M_FE96FDA21426-V_80093E95" -Version "1.31.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
        3⤵
        • Executes dropped EXE
        PID:3876
      • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2584,7055662488105466865,12335298244315679012,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.31.0.1;PC;PC-Windows;10.0.19041;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4488
      • C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
        "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 80298 -unlogin
        3⤵
        • Executes dropped EXE
        PID:2584
    • C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
      C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4456

Downloads
