zloader | hxxps://data[.]nephobox[.]com/issue/terabox/PCTeraBox/channel/TeraBox_sl_b_1[.]32[.]0[.]1[.]exe

Analysis

max time kernel
105s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22-09-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://data.nephobox.com/issue/terabox/PCTeraBox/channel/TeraBox_sl_b_1.32.0.1.exe

Score

10^/10

zloader botnet defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 15 IoCs

pid	Process
2656	TeraBox_sl_b_1.32.0.1.exe
2092	TeraBox.exe
1936	YunUtilityService.exe
2424	TeraBoxWebService.exe
4520	TeraBox.exe
2176	TeraBoxWebService.exe
2072	TeraBoxRender.exe
2324	TeraBoxRender.exe
1264	TeraBoxRender.exe
4536	TeraBoxRender.exe
2312	TeraBoxHost.exe
3776	TeraBoxHost.exe
768	TeraBoxHost.exe
4552	TeraBoxRender.exe
3936	AutoUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2092	TeraBox.exe
2092	TeraBox.exe
2092	TeraBox.exe
2092	TeraBox.exe
2092	TeraBox.exe
2092	TeraBox.exe
3936	regsvr32.exe
2228	regsvr32.exe
4940	regsvr32.exe
2328	regsvr32.exe
2432	regsvr32.exe
1936	YunUtilityService.exe
1936	YunUtilityService.exe
2424	TeraBoxWebService.exe
2424	TeraBoxWebService.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
2176	TeraBoxWebService.exe
2176	TeraBoxWebService.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2324	TeraBoxRender.exe
2324	TeraBoxRender.exe
2324	TeraBoxRender.exe
2324	TeraBoxRender.exe
1264	TeraBoxRender.exe
1264	TeraBoxRender.exe
1264	TeraBoxRender.exe
1264	TeraBoxRender.exe
4536	TeraBoxRender.exe
4536	TeraBoxRender.exe
4536	TeraBoxRender.exe
4536	TeraBoxRender.exe
2312	TeraBoxHost.exe
2312	TeraBoxHost.exe
2312	TeraBoxHost.exe
2312	TeraBoxHost.exe
2312	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBox = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBox.exe\" AutoRun"	TeraBox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\TeraBoxWeb = "\"C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\TeraBoxWebService.exe\""	TeraBox.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpadflhmiohjfhhaehelneimpllfbpcg\0.0.5_0\manifest.json	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TeraBox_sl_b_1.32.0.1.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox_sl_b_1.32.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxWebService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxWebService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YunUtilityService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxRender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeraBoxHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714609157433654"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunShellExt.YunShellExtContextMenu\CLSID\ = "{6D85624F-305A-491d-8848-C1927AA0D790}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E163184-F702-4DA9-972E-CC2993F9AC25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraBox\shell\open\command	TeraBoxWebService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\ = "IYunShellExtContextMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1\ = "YunPPTConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1E5FCC7-D26F-41BC-A0C1-3D584EBEEBF5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\ = "YunExcelConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect\CurVer\ = "YunOfficeAddin.YunExcelConnect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ = "YunExcelConnect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunExcelConnect.1\CLSID\ = "{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\TypeLib\ = "{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\YunShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\VersionIndependentProgID\ = "YunOfficeAddin.YunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAC6C6DA-893B-4F4D-8CD7-153A718C6B25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ = "IYunExcelConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6D85624F-305A-491d-8848-C1927AA0D790}\TypeLib\ = "{75711486-6BB1-4c76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{75711486-6BB1-4C76-853A-F3B7763FACF4}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F20F2E1A-D834-48BA-A5E2-73A31BE77EEC}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71CD4110-1E24-4B80-B699-9A982584CD3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\TeraBox\\YunOfficeAddin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunPPTConnect.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\CLSID\ = "{8C5F2E83-848F-4741-9C87-47D21BF65FC2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C5F2E83-848F-4741-9C87-47D21BF65FC2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1434B2F5-5B9C-44C2-938D-2A11E03CEED9}\TypeLib\ = "{75711486-6BB1-4C76-853A-F3B7763FACF4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YunOfficeAddin.YunWordConnect.1\ = "YunWordConnect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57A35E8A-E3AE-482E-9E6D-6DF71D4464AC}\VersionIndependentProgID\ = "YunOfficeAddin.YunExcelConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ = "IYunPPTConnect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FD26065-6B24-4B20-83AB-5BB041D24A79}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7AE98A84-835E-44B4-9145-9DFFA5F43F3B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21FF7AFE-087C-4A99-928B-1EF3EE99ED6C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TeraBoxRender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa780f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c0000000100000004000000000800001900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df1040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	TeraBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TeraBoxRender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeraBoxRender.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TeraBox_sl_b_1.32.0.1.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
2656	TeraBox_sl_b_1.32.0.1.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
4520	TeraBox.exe
2072	TeraBoxRender.exe
2072	TeraBoxRender.exe
2324	TeraBoxRender.exe
2324	TeraBoxRender.exe
1264	TeraBoxRender.exe
1264	TeraBoxRender.exe
4536	TeraBoxRender.exe
4536	TeraBoxRender.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
3776	TeraBoxHost.exe
4552	TeraBoxRender.exe
4552	TeraBoxRender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
4520	TeraBox.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
4520	TeraBox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2656	TeraBox_sl_b_1.32.0.1.exe
2092	TeraBox.exe
1936	YunUtilityService.exe
2424	TeraBoxWebService.exe
4840	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1028	1956	chrome.exe	79
PID 1956 wrote to memory of 1028	1956	chrome.exe	79
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 3800	1956	chrome.exe	81
PID 1956 wrote to memory of 932	1956	chrome.exe	82
PID 1956 wrote to memory of 932	1956	chrome.exe	82
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83
PID 1956 wrote to memory of 3516	1956	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://data.nephobox.com/issue/terabox/PCTeraBox/channel/TeraBox_sl_b_1.32.0.1.exe
1⤵
- Drops Chrome extension
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff136acc40,0x7fff136acc4c,0x7fff136acc58
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4516,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4996,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4968,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5172,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1268
- C:\Users\Admin\Downloads\TeraBox_sl_b_1.32.0.1.exe
  "C:\Users\Admin\Downloads\TeraBox_sl_b_1.32.0.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2656
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe" -install "createdetectstartup" -install "btassociation" -install "createshortcut" "0" -install "createstartup"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2092
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3936
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll"
      4⤵
      Loads dropped DLL
      Modifies system executable filetype association
      Modifies registry class
      PID:2228
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4940
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2328
  - - C:\Windows\system32\regsvr32.exe
      "/s" "C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2432
- - C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe" --install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1936
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe" reg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2424
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4520
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=gpu-process --field-trial-handle=2536,4698660514874354225,15858979989743555959,131072 --enable-features=CastMediaRouteProvider --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --lang=en-US --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2548 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2072
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2536,4698660514874354225,15858979989743555959,131072 --enable-features=CastMediaRouteProvider --lang=en-US --service-sandbox-type=network --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --mojo-platform-channel-handle=2576 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2324
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2536,4698660514874354225,15858979989743555959,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4536
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2536,4698660514874354225,15858979989743555959,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1264
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4520.0.1656197412\1494200554 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.76" -PcGuid "TBIMXV2-O_7C5739A2317B4F8CA2F787CB76F7EBDF-C_0-D_232138804165-M_7E4E4CCB7521-V_AD94A806" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2312
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1502 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\kernel.dll" -ChannelName terabox.4520.0.1656197412\1494200554 -QuitEventName TERABOX_KERNEL_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.76" -PcGuid "TBIMXV2-O_7C5739A2317B4F8CA2F787CB76F7EBDF-C_0-D_232138804165-M_7E4E4CCB7521-V_AD94A806" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3776
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxHost.exe" -PluginId 1501 -PluginPath "C:\Users\Admin\AppData\Roaming\TeraBox\module\VastPlayer\VastPlayer.dll" -ChannelName terabox.4520.1.55561508\231013683 -QuitEventName TERABOX_VIDEO_PLAY_SDK_997C8EFA-C5ED-47A0-A6A8-D139CD6017F4 -TeraBoxId "" -IP "10.127.1.76" -PcGuid "TBIMXV2-O_7C5739A2317B4F8CA2F787CB76F7EBDF-C_0-D_232138804165-M_7E4E4CCB7521-V_AD94A806" -Version "1.32.0.1" -DiskApiHttps 0 -StatisticHttps 0 -ReportCrash 1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768
  - - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxRender.exe" --type=renderer --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --field-trial-handle=2536,4698660514874354225,15858979989743555959,131072 --enable-features=CastMediaRouteProvider --lang=en-US --locales-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres\locales" --log-file="C:\Users\Admin\AppData\Roaming\TeraBox\debug.log" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Roaming\TeraBox\browserres" --user-agent="Mozilla/5.0; (Windows NT 10.0; WOW64); AppleWebKit/537.36; (KHTML, like Gecko); Chrome/86.0.4240.198; Safari/537.36; terabox;1.32.0.1;PC;PC-Windows;10.0.22000;WindowsTeraBox" --disable-extensions --ppapi-flash-path="C:\Users\Admin\AppData\Roaming\TeraBox\pepflashplayer.dll" --ppapi-flash-version=20.0.0.306 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4552
  - - C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe
      "C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdate.exe" -client_info "C:\Users\Admin\AppData\Local\Temp\TeraBox_status" -update_cfg_url "aHR0cHM6Ly90ZXJhYm94LmNvbS9hdXRvdXBkYXRl" -srvwnd 1001ec -unlogin
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3936
- - C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5588,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5536,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5564,i,5487939279636702267,3262783112354805342,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:2420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3604

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
94682dbdd2a288a8402e8651564c83fc

SHA1
8adb5d707fe47466ba952b1a78b07a24d260aaa6

SHA256
827a689d25f64cd9e78cb06a846c63215d182cfe382751a5f57d563b4f725e37

SHA512
913a4f9cfe6851881eeb6645941d86ad83cb138be2fac515bf8434141ad5bdfac135faa43dc048b370c41600144014cc1862108d62fc059c7860439c19acf894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\_metadata\verified_contents.json

Filesize
2KB

MD5
3f53538fea29780d614d868ec535c656

SHA1
8a5e38c8e37b8c8c4e9c92da71b73cfd73735fd3

SHA256
3971200c9ff31a4246c2d1e5fa7b7736dbe0e08ac5e35e9193d61267e1f9beb2

SHA512
ee76edbea6b520a61ba09e18864bdf9c93d231a665ace46ab10069b14987096374c67d73626ce88aac4248240519d9a1c16a1b54b772023b0b0c9f63ff59ea9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\background.d0591844.js

Filesize
910B

MD5
ee3827d15e9b168553f227839314692a

SHA1
9058e257870ac5b8c3dfd689ec37ab59a4828cfd

SHA256
599bcdcaba9a6990d913c7b4a7b82e131c457bf3903a5469647a85553517a6cd

SHA512
e3cb4fe1c2e7e571767bc36382ec30bde3bfc3896a22f417168084783da4c123d7056bee4461675b1b93d8cce5f3b4f9b51bafe3c2c2362cf994abad5b48cdbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon128.plasmo.b89b7dfa.png

Filesize
5KB

MD5
3209591bb33cf1325b759a3d4a52cdf8

SHA1
5bf5d653efe8c59941db96939c882ffddddc4966

SHA256
f294dda542ccf32621e8d80806ed03ead3c800ea5ccfd73dbb8db1622de77113

SHA512
af02794bf80233644ea18bc144b46ead45b164162b871d89c2ab3db00aa45120c21ae55f8b83d67a8ea743886a6f63b6145bc58cc3b78fd894b2de3feaf82bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon16.plasmo.00ac8b83.png

Filesize
551B

MD5
95f0cecb2dd7458e7e89435bb31dcbdb

SHA1
27c7c1313086ed3b4b03f7c578fb9ef2d23bf618

SHA256
d491250304085f79022f9751707ab692fa7499a386188e2b157ae1344be40c07

SHA512
a50aaf164720d17c2c7a1af08474291869d842cc229a0ebe1d1d557db1b7fa14584864e05f91c7c256e415ff1e9d8ff3e766d766f4a247d688a00b8b78eef4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon32.plasmo.9ad0c5b6.png

Filesize
1KB

MD5
3e70a490ec41a716816b2c7a932eb907

SHA1
c347fa82aea65bb5b067a182f7343ae4bd78f40c

SHA256
288e661fb7827f84266d385f641514dded71eaafe6073e843e8ad7859f63db91

SHA512
91fd8e0bc1924a09b7665cd38ef3ab4baade82c0af773285eda45df33254a0d6b796c1fb4b4b6a6eeccf8a028163b2688cc8539f441f941b6edf214da585633c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon48.plasmo.cae3a6b3.png

Filesize
2KB

MD5
78c0b51f85bc143297a5219abd4e10f6

SHA1
a6f8db876af4cc28d43f91a8eed001852c7d6bf3

SHA256
e5d369ffeaa96219d797467f37827237cc307a739e428446a240c968864926c6

SHA512
e062ee1fa5dfa09aa2d0fb64b911a2ba4fde60988e22c75515f40c02cbb9519d58ebb5b8860b2672c50c1d2ce95b1757cecfda731328cc0aaa2c3768dca49c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon512.9f01ba5c.png

Filesize
43KB

MD5
5b7857e25912eb814ad3fd6033682576

SHA1
8a6eccff0db631b298bb4ba265f9758885486c2a

SHA256
a22b5ab578c98de4113a0f0b91106a703fdb543e1a11e6d7594b48cc6090657a

SHA512
58c51b9b3bb68216437dc17f969adff663b89bde63187bc107814a0955ee0430a74063f9a2359b6445aff1909348b65f197b5143ef228238635ea2f15b811476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\icon64.plasmo.e4b604fc.png

Filesize
2KB

MD5
410b633662ef1689f2ef0238442ce935

SHA1
87e5060d0fea11a07b11434b7d16b019f2896960

SHA256
8f11e60a86c5ebfb4909213048c62c641532c248a7c7ef2ca4d789cd5f2f5365

SHA512
4e64ee7d3739cda2870f27a7249e5bcabe2c516bdd956109d5193a237b499bc3035e8488da5deeb284cce3820eba4131d3f5da83e51e1ed265e3fb595527cc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
82ade69e0a61d4a5a52599e47d1ded48

SHA1
b7cb43601818557e96022e6e14e14c9a608b1ac3

SHA256
13c6cd7e1c850769d452c2f971ffbd4cdd37eb6ca0deeb3e670b25766be3eec4

SHA512
ea8f112b717f96a5ec61228626ac7f520ec013d4ff9f7d139fdf113841a1ca3cab344a9adad9ce2d87bb76e286ea085a8e751d404c84c42ca6bc0392e2ac8a4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\popup.49fbeb31.js

Filesize
73KB

MD5
b8cb1f92eb5ff732eb84facd56739b47

SHA1
cc5719e299003ee07223eb1816ab1e8e2e39aecd

SHA256
ccf4f29d0ddb966793774f4ba875b5e39124657a8ccf0458785a4cd98145ef6e

SHA512
d5b65d551bf5be6ee8f1e58341249cd08d4c14b133c05fd5a11333dfed8bb946425869faabd05a35a5a8ea79716c842284cd034d5625f2eea1be598bb9ee847b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\popup.82bbf211.css

Filesize
306B

MD5
3db5fa906ed2537d677ed16ee400cee8

SHA1
1a3dd114649a3fcc7eaaf4d0853cccc2375deea6

SHA256
6e5e196aabb6097fd688f75f976dcae2d7c367f73ee29151b6fc567fb11e4f0a

SHA512
c748ba696e39bf2bf51643f5180711f38583c201eba59ee430a3e85042ff78ca4d8b9e6f80cbac83a65c40b5e5a7af5fe5ed2627c90ee0eb43eed1442e53aebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\popup.html

Filesize
247B

MD5
aebaafaf40e4efbcdae29865c5f15e45

SHA1
4c8d363885b86ea344c2bb4ed56420c9c498dbf5

SHA256
6600a4b34d070ebcc773ebec3b87043772ad7c45ad46d8677d820c6a4b21c994

SHA512
12dcdaed13823c3e1e03c499fbeb51831e5318afd2ca535ea2118e53724fbdf7b533207f660d4579010a286bda494c543354e2a464651f6325b0ee07f87c6ace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\tabs\upload.fff2005f.js

Filesize
72KB

MD5
bf8ee3296e5286ce9cfe4d5bfd0dcf05

SHA1
3caa16b5e1f2393b6d5e4f1d0c92344e30b02982

SHA256
388db65bc068294f230d3b29e4f57899b2fd8a8b33bb597fa277db4d7bad9726

SHA512
2de06740275131e5b0edabedbfa07ef86431f41c55ae7d7c896d051fbf71cb59d4c9cfd9a53ff89a47468ca378b5c2a0092ce5e556a83b4b38084159cc781b74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir1956_1728947543\CRX_INSTALL\tabs\upload.html

Filesize
203B

MD5
ce0dbe45c168444b4044186fe777ae6e

SHA1
10935a714d607e9c187922990d758d9c44707892

SHA256
0a38553872d8ba828acd117a9351495d8751e37068b889583821f18e759ba18c

SHA512
aad5cf5b199bc0b2a1d4d057dd18153159a80bfc64ed73610dd3d7700e4a8d2a595109a9e6d1b76f7de58d9ff19809d5ef4c2e7ff1281ca2f31edcf4b89f5ce7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d7b9c97fa74e66561b7cf16aea7018fd

SHA1
5b86732b2795e496af7a3625dffb01e057e7bcbe

SHA256
70187b45e81bbd8d058af0886b60599ed6e05e04902fbd0d076e094d009ad339

SHA512
0f5a0d3a865fa29f62f015726d1362063769c78157d8729ccfc55aaf28f1e9a4c70c0b80c88bb4f01620776b7fcf0ef44f9a611add45110f6f4e518e5af514bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
397d09d6a1c87353866dadf7b7277eb1

SHA1
67188f76c2ac9ad2030238715e1cc8cceb5dc00c

SHA256
e8c971e83c4d71d0bc665df324e5f75440e2ed9e8a4e882daac9d07e77680116

SHA512
bdbf21114bfcc6a97a468884691e5bb1b7511e043f21a99d694342e5a0ebfe43b491ad73455670b27561f594f1ca1af2bc1e20c9e35af51898e7a7aa5a3042de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dde67fb615016ea9fd1714d9c17d3ae9

SHA1
48f9841c04e87a5ddb19d24c787e6a207190d7be

SHA256
71c458aa23b27ce54de5e01576fdd975b0650b4296039855e91a0fe298a02f83

SHA512
b66f26d01e49a670d61edab39c0f34aa3ee0d4a04f8a109e1d929d1269ab4966b743f6d06acf8c891fddac6dd50faf3d7ab3952016899cbb73efeb5ff183e733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
69011a250604bd20f655ee813ec2af0a

SHA1
1ef1c4908429b800deec01d1732ed002485c435f

SHA256
cd30cac72e1e4a3903120286fdd72bcd7b6063e65ae65ff6e9f1f74234784aea

SHA512
4aea3436cd1c7a22dcac6d5de76ec2a3a70cab225cd8ff5a03f62dbd4c89b2953c3ddf613e172515c1f164e8418369a2b9252c2593b972afce213d093f7435cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9837f849e061eaafa0d23bf6c7207495

SHA1
e91022e641b4d48a66d10119291cbca6f3435112

SHA256
7d112ac2c155882cb00f60286975e482040a3f94db03b41d770159efde88da8e

SHA512
72de65963644bc26982053eda3398a00942816c21075fc89c5776e651caa5bde27f9002e268fcc95775c572378234fc37225b6dbff81d317d5f5a4a9c2615e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d39a724dac68ca18987c080464ec655

SHA1
0ea0993cd399a0a5664ef1b69de21bb178f93670

SHA256
a1bf2797dfe81c52bac43c776561ab7183dbabb271eb262cfd5f7e4ad64e4a5c

SHA512
823e441b4569e22561b94e1c794d3052e650ee3187ca9c64c286b8dfacbd1f7d1e84b6f1bda4fbf322daf58a6e16fd595b5592f7704bf819a0c1ea1a3b38a691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9eb649fad891ffd1a54bc874b6e4b30

SHA1
d153c88eee97169b190e0e22a487cf586dccbe91

SHA256
740be8267538826181ee4f0c3542d31f81c651059c3b23fcee6d99c73177fba5

SHA512
903ef47c66c600098d4bcfeb403c3501b3330fa49516bd4fa94092c789c45e52e0f32c2f4e4698c166fd1842da3b6bac3922e6050439d47af16f6d6c12d69c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1cb38d9720d047db4c86729b331a214

SHA1
bbd58735ba793da95a9acb2eea933e778f78edf2

SHA256
eed6a5414b18a1af55f3c0d46af6d27cb4c2cd628f09a0fd01536b38ee3a56cf

SHA512
cd51196db5c395a27e55c63835a52f31b6a2b67fe1bf3644fbe5629690a85e6f58f9829c5e10b790d36eae155f87626933ad9d2443ba8f0f383670d388918504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
156f2b058ceca4def98cd7b8d3d40103

SHA1
62abd8ac977f75d286e9a829a5571e1400d201ac

SHA256
d2cf6c86c3d983434ead94d3dd30d1d809e587fd21427c28d8824213cf7b601d

SHA512
932564cea94b77d63317d90e7f99d825ccb492a822d06ab373688c84ce803ca6d22f0d44c5d35fdfcc2b81bf7093a1c4c309c28d6e60498d272d39f634c8c4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
cd0e9541733483828dbedb0409141bee

SHA1
7c064a4856e5de420d8f6765d303e5ad56918fe9

SHA256
89016e9f24edbe7960b2708e5668d5e37dc86b42d58ef9b5bc764322a5efcd57

SHA512
4c8578f426a365af6f63af7db0e59c7d0e7d0fd37b4adf66fa9b158f97e5bf3cc3a6d7deee7419a9bbc1def6a89c0fe107eea14a1134b9c021d1dc1000baf163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d8d239b8a0fce2b5517c3fcd5cf72119

SHA1
c20bb0af9eae274fca61374bb203b577e10e29a8

SHA256
3e0441734a53b7ed97820fe9a336c7f55ee14c589f8ee4a1f3db5cd9700d22c9

SHA512
81f1f2f9954f67d2a4d1553db2bcf95899e2701b347618ca0f616b13f78633067ba9936a78f2cc7795ba99d4e348a01e2804341a96f70bb9365b5b2f01657bfd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
6bf98831a201afd4f5bc0de861999eca

SHA1
96d534d1e22d37a70ad3e9eb271edb3afe76f65b

SHA256
1a8505322472480b627d3b14d20a0f573b79b543453774d1946f4771539b204d

SHA512
633cbf7269bd5b70ead66d23f095b75af11b7ed10e41a067e1562278a33cff9ce023df7a5b37ff8b8ced880fa0278b49bb225c85697edcf4018e7c05bc0032a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
fadef3e4ad65a1eb0f91683b7ec189c5

SHA1
2dfaf13098f8570fd2dacfbbc27fd2bcc8f39c89

SHA256
dd2ce96e542590448fa8849366e618d8613406fc3261d9ce9319d4424caf470e

SHA512
ed8df3a7bd2bdadf8f62356b44c1678f8f007289361abeac528c21ccedeab2d349d4301ea7da703f88915f43980e934a2196d8e2868bd49894ef4cb49998b650

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Cache\f_000057

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
cef1d338ecd43fd0a118183300ccf017

SHA1
fa15652a56dd1a5075284c5123eed033fb52d713

SHA256
d723676f4dbef380b1cb068f37023d0b19697245c582817994d21fe51b5d8d08

SHA512
fb034540698982a4e9274bc01a1e2fdd6fb0cf8671aac8ebc7d4fd90f62c5aeb60c22aaa409817809f87657ef23c6e9974d13faa655a33bf719ffbb30b64cc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
e0391137742fac4d53ae909a0e164907

SHA1
6988eb7057eaab71eeefd3922a34b6c5cab3f21f

SHA256
b8e0f41eceaf7a8c783615591150fc22ade34e5cccf34dd3fac4b8c48dbbd499

SHA512
5b257310b48c4235acc1f1344f1ab52e72bed69227a3e75b53ff3e0ac3c8235947c7f581feac704058e9e354aed0d7d551dccfc76091225212d6495dd875a705

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeraBox\browsercache\IndexedDB\https_www.terabox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD9D4.tmp\NsisInstallUI.dll

Filesize
1.8MB

MD5
69b36f5513e880105fe0994feef54e70

SHA1
57b689dbf36719e17a9f16ad5245c8605d59d4c0

SHA256
531d1191eded0bf76abb40f0367efa2f4e4554123dc2373cf23ee3af983b6d5f

SHA512
c5c09d81a601f8060acf6d9eeaa9e417843bb37b81d5de6b5c70fb404a529c2b906d4bb0995d574dd5a3b4986e3cbe20882aa3e8349e31ff26bdb832692596bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD9D4.tmp\SetupCfg.ini

Filesize
80B

MD5
86daef0a1abf90f934b20119d95e8b73

SHA1
fa9170644b102c598005d1764a16aba54314ab69

SHA256
a5b0e58f66055ba5c9730dd7983946f92075bcf7052343b8d64ee95faa99eaaa

SHA512
1e95d6b697621f5c8bd194b5252f7717c3aa48a25d91d80fcd5fb0f1d06747c5f39708255bd85f18f776468dcde5645a8ac088431d412af1b10932d7f0df67b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD9D4.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD9D4.tmp\nsProcessW.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1956_212078853\CRX_INSTALL\contents.4683de87.js

Filesize
71KB

MD5
66fd5b0645cff76133c84e98227fa5ef

SHA1
415c40936b7440d23695e9d5229ea0da3d640c7e

SHA256
8100e3821f040f50b51a5224736f629b01e6b38acaea835eba1d6c68bcfca189

SHA512
9bfc3b173ab90a9a39ba5efca4d78bc5c10a71da8dc84f1f5e2cb141704a03c02e8104432f8bc8c538d030bd3ba69071d5912dea46f4990d4c2f5dce8ccde16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1956_212078853\CRX_INSTALL\contents.c10c11b1.js

Filesize
75KB

MD5
16b38d2d77cb0b5da5d28403946a6a2f

SHA1
9b129decbf92a0c40006cb08c4d5dd80094676b7

SHA256
30994e98ee7992ff32bf1ae2fe6ae5341074ffd29dac3cf3c23569a6549a0571

SHA512
c1c575204e49b642ad7db2c7534d33509debb705a6ff66888220a783bcc80d19ad82d9297523e50bd10dc2a30a2b9bd9f215f3c9371d99c731b03c2b7905f290

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\AutoUpdateUtil.dll

Filesize
198KB

MD5
bf5e773b31cea30b6a8388c719cf0342

SHA1
db300c09fce3c878225146f0ef1d07dcc15e54af

SHA256
7a7e10507d07f8da2866233143e77ce7a3590c745300f08334d8e6308ab39115

SHA512
52d37d86de26635caf46f49fd3c03d2530b57402a3dfbb21e6281c0331ec6e53a730ef0ab55c39d56eaf92308fe2efeb8c1ea4cfe1fed0b03f459fbe450e7a06

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\AutoUpdate\Download\AutoUpdate.xml

Filesize
34KB

MD5
3c20637d0f03f1d738b7ed4bd188f6cc

SHA1
962dfe88ea36e784041153b7bc8d590aadaad8bc

SHA256
74d964f69c722b49398f949a76a8e2d7546c8fbd0148e7ebec9834a374386066

SHA512
7c3cbdffcb4eec2789f30cea93a58bfc90e7f11625b5ba915a2986aff7f818a92aa8ab134efffe2f3b8d6d4efed389ae547a3aca5ed42af8b031e47af29f5dac

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\Bull140U.DLL

Filesize
3.2MB

MD5
aed059c46be32077f7b63ab9349eee76

SHA1
cc84ed3fe63e110f489111d7acefe9effb389aac

SHA256
b7234ea6641f484834412a6edf820a56b7b26257e8780bff70f1c9d7cf02b9ee

SHA512
f829e6d503f88f3cb50c1142a024368ca8cd787a9a85f6955fa5092cb5c06f679bdf5377718f97e1077a89a8606c3698839e344524f9d43629cdf02a4306da27

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBox.exe

Filesize
6.3MB

MD5
117c541f80c5e6706e722f9431d9fef6

SHA1
d19eb357c221f4802e0c342da69bcdd463400b80

SHA256
e6435157581258557202d04b08ebda3c87d52e5354ccc33825d80673c6b16e30

SHA512
8239044b8b08d5743d09118c5db1a0e5dac8b77482b8d9b6146130df397d4a1b00427b6049bc82f14e6f6cf67a5dc8cdc3387931e28544277fe4fd9c912c0328

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\TeraBoxWebService.exe

Filesize
1.1MB

MD5
1e77999ac64fd309a200921c646ef7c0

SHA1
53679977c98b484e24e7d8c0810c695c99c98be5

SHA256
5700ddbcd18561e1bd14c1de034fff226038e36e3bfd2451b5678fd6028d5aab

SHA512
e1cd7332d9aaf6dd1de0cd053e47d54334b6fadd2fdf78fba33420cd9437d3ace463222bd62ef974a68ac0f752d052f73e45a92899e0ff4a926612ee07d34b17

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\VersionInfo

Filesize
192B

MD5
aef980496e31ca94eddcff0044a32549

SHA1
ed3f1474c6c8b09c8da07bbac61f5c03aa60d992

SHA256
7c71738efeb52cc51e923b4aa64fa29af5a99f60802fd922394e7ad30d25574f

SHA512
5144db5524ddf448a7764b7c5c9312c335a4b19365ba813303a0dd1abdbe2a6fc74291bf39df27416cd7503cd3ba85eaaca5e4a3c59c44e655292dadf4b31fbc

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin.dll

Filesize
378KB

MD5
4fffd9ffde2d48f474f9280c944b6940

SHA1
2dc56ab63e3241eadbb3e39ef697d2d468d4a57e

SHA256
635e8364383318f04667524663191e03fbcab9359006a1e829902bce7e19544d

SHA512
d40e5ff0a2f1a8ff38c159c149bb71456f59b9ca277b0e8a2c88e61b258db8142c7ab942817a0c28cac47635cfc300b10dd955fdf1bcb8078122a6d66cd10f85

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunOfficeAddin64.dll

Filesize
491KB

MD5
aa257db82af0ce00192bfc3a72c47d56

SHA1
bbfa65b9512dbca06985fca1534c1178b331ab7b

SHA256
1083ea29c46cc3fdd3324a1887b6e3489e98076e9cc1b941f363ebd2225cbbff

SHA512
b45706e23f8f394e2693c49ad1410ddd3012fda01c3d88778f9d8c0ecf23b498fcd9e75d2eb45bb7032ec940bd81f568ace9830d0ef634d989f7408b03104b78

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunShellExt64.dll

Filesize
1011KB

MD5
3a70aef3153e58a9624ef1bcaa63fbbb

SHA1
9f6a9f877a2153294687cdc5e661c6c539b3136d

SHA256
aede12d6e7221cdf81ca4dd73c7961a7d5bd4313f7793f5437a64ac271844317

SHA512
4d131f536f560207f7d259144327625d7c352c93979f663212d0fc430840757239e9be9c7030bc1826765d078fdaa9cb730e0cf2d217ff8203f6742547ffdaac

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\YunUtilityService.exe

Filesize
111KB

MD5
666302bb1ecf9edb2445d390e52c737e

SHA1
df8272fcabaa673bfe2e135d9f351f5ec366f077

SHA256
48a15f0945dd83ec074066e7a47131f1f48e85e31fb26280c8a70753d7584b2b

SHA512
ad0850f7d8985dca12cb06b2837c3791e75aba35e74243f13e143c423b116338b4ff5531e2f77b5c778a83926f5dc5ce801f23013ca1e5334ceca36ebd302e6a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\appUtil.DLL

Filesize
1.5MB

MD5
2b01d156bf9857a17daa46979218fa4c

SHA1
591285020e8525ca51d1021ef8b4267d22b07329

SHA256
b36a5d808f8e64ba0635c72c7c9049453a98edf160083df05a0311dff471030f

SHA512
8afcfdf2d745cc634fa9440b7792b5d1477b1a15838a787aab9f4be4ee5cf0b81e08f4322a96ece37ff31f19fa4bf1f74463b3c908f0d532d1b25cee0d59bd3e

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\minosagent.dll

Filesize
2.9MB

MD5
216a2dd23f95bdd63cd88a50eb7e69bd

SHA1
9c63635c26e276179f8dba9e02079bb3170b0321

SHA256
63da24020a82333c79806f3f8aa92fb9103f20b0b90ab095ee52601f6b154ada

SHA512
390ff16e8b0c07c1bda03584096404bdd22d69a0eb39a76fc6155c81584e1a7737f8f9d359a7be8e861bcfb02ced46950a8ef6c20a896774647086c21ee7edf0

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\terabox_ext_chrome.crx

Filesize
169KB

MD5
d1228d3f6008b5ab6bfeae22e47163d5

SHA1
c9daa88047adaf64f79ab8eb39c638fb49d7c40c

SHA256
abd139cf05cfb99922766f68292791ef239b589acd0e78e6623b6cd57dcfbee2

SHA512
3fab9d678d9a890cd954958fc06b9d97d09bbe843d2c6a563c7a42ac615d2e36c4255a0a362f716e0549282d635ae8532d68c4da6513e345511fc31c791be5b4

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\uninst.exe

Filesize
697KB

MD5
af58fb8e4130fd3779a743f05a17524d

SHA1
c1b1d0e256a58c3f148d818aa79b2a7429e8a8ea

SHA256
e02a12cda93ff7f02539661d5e7459550cb2c72047c034e357af3d641785ab5f

SHA512
27a7681a07d6c3f3f5f18ab8c9ad3fafd2352c6fd10e00544b51bf7314e5e603e556b153ffdfdfa0ccaa0110a53022ea535549de8886f689ff9ebbec25262480

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\updateagent.dll

Filesize
1.1MB

MD5
1605626fc49e04528739581c8805e227

SHA1
c3a3f8b626b99c5c8ca41b5fa181681f571f4825

SHA256
8ed13ef0a5372d46ecfa82dd66e3f8bb963c3db7d9442d11ac33aa9ad34d37e6

SHA512
975e211ec53d54d434692c48cbb86bb843f314bd2c6ac5dbeed6155097c7a7a59cb7e3df119ce463c2895755be9ded6012bab59b2a7b7dd22dc6acc600a7ef8a

Download Submit
C:\Users\Admin\AppData\Roaming\TeraBox\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\Downloads\TeraBox_sl_b_1.32.0.1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2656-101-0x0000000003380000-0x0000000003390000-memory.dmp

Filesize
64KB

Download
memory/3776-528-0x0000000065A10000-0x0000000066E3C000-memory.dmp

Filesize
20.2MB

Download
memory/3776-527-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/3776-525-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3776-526-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3776-523-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/3776-524-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/3776-522-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3776-521-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download