ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

teracopy-3-17.exe
Size

11.8MB
MD5

d704e453e065a23ed414927d9b203086
SHA1

352e4b98faebc35f5c8cfeaebb7bcb36d7c7fbfc
SHA256

ac03db52bb68a013d3a8bf4db703ec11976fa1d0aa557eb988e3f926a26656cf
SHA512

0ec2c8cd14a7f4dfd704b19729239ee78e54fc1fb87ba1a2a80da4b7d595fd573861271ca220c3a7b264209ceed1ca96da12d6bdf2b34c35771790cd6337cf49
SSDEEP

196608:AAKBx4px+sN23RSEfvYfXf1v3j+FX3/yXg3Kf5T72gFUbUamFbSf4k5EBGUQ:AAK/4px/23bfvYvf1bI/8RfVGwdFbSfD

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

teracopy-3-17.exemsiexec.exeteracopy-3-17.exe

description	ioc	process
File opened (read-only)	\??\H:	teracopy-3-17.exe
File opened (read-only)	\??\Z:	teracopy-3-17.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	teracopy-3-17.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	teracopy-3-17.exe
File opened (read-only)	\??\J:	teracopy-3-17.exe
File opened (read-only)	\??\L:	teracopy-3-17.exe
File opened (read-only)	\??\P:	teracopy-3-17.exe
File opened (read-only)	\??\Q:	teracopy-3-17.exe
File opened (read-only)	\??\V:	teracopy-3-17.exe
File opened (read-only)	\??\W:	teracopy-3-17.exe
File opened (read-only)	\??\M:	teracopy-3-17.exe
File opened (read-only)	\??\N:	teracopy-3-17.exe
File opened (read-only)	\??\V:	teracopy-3-17.exe
File opened (read-only)	\??\E:	teracopy-3-17.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	teracopy-3-17.exe
File opened (read-only)	\??\I:	teracopy-3-17.exe
File opened (read-only)	\??\M:	teracopy-3-17.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	teracopy-3-17.exe
File opened (read-only)	\??\R:	teracopy-3-17.exe
File opened (read-only)	\??\A:	teracopy-3-17.exe
File opened (read-only)	\??\L:	teracopy-3-17.exe
File opened (read-only)	\??\T:	teracopy-3-17.exe
File opened (read-only)	\??\Y:	teracopy-3-17.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	teracopy-3-17.exe
File opened (read-only)	\??\O:	teracopy-3-17.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	teracopy-3-17.exe
File opened (read-only)	\??\W:	teracopy-3-17.exe
File opened (read-only)	\??\T:	teracopy-3-17.exe
File opened (read-only)	\??\U:	teracopy-3-17.exe
File opened (read-only)	\??\H:	teracopy-3-17.exe
File opened (read-only)	\??\O:	teracopy-3-17.exe
File opened (read-only)	\??\A:	teracopy-3-17.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	teracopy-3-17.exe
File opened (read-only)	\??\S:	teracopy-3-17.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	teracopy-3-17.exe
File opened (read-only)	\??\N:	teracopy-3-17.exe
File opened (read-only)	\??\S:	teracopy-3-17.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	teracopy-3-17.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	teracopy-3-17.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	teracopy-3-17.exe
File opened (read-only)	\??\G:	teracopy-3-17.exe
File opened (read-only)	\??\I:	teracopy-3-17.exe
File opened (read-only)	\??\T:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\TeraCopy\App\Locale\zh-CN\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\Whatsnew.txt	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\fi\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ru\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sv-SE\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\xxHashAVX2.dll	msiexec.exe
File created	C:\Program Files\TeraCopy\TeraCopyService.exe	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ar\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\es-AR\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\id\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\License.txt	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\hr\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\pt-PT\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\zh-TW\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ar\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ms\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\Context.dll	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\cs\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Sounds\Complete.wav	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\et\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\bn\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\hu\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sv-SE\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\no\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\es-ES\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ko\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sr\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ro\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\share.html	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\de\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\hr\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\nl\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\af\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ja\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ca\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\hi\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\th\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\tr\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\xxHashSSE2.dll	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sr\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\lt\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\uk\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\XYplorer.txt	msiexec.exe
File created	C:\Program Files\TeraCopy\32-bit\TeraCopy.dll	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\el\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\pl\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\fr\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\id\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sl\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\tr\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\updater.exe	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\bn\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\fa\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\pt-BR\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\sorttable.js	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\fa\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\Blake3.dll	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ka\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sat\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\es-MX\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\ms\default.mo	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\sat\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\App\Locale\da\default.po	msiexec.exe
File created	C:\Program Files\TeraCopy\License.rtf	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\f76dba2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1291.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDDE3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE063.tmp	msiexec.exe
File created	C:\Windows\Installer\f76dba0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\ext.exe	msiexec.exe
File created	C:\Windows\Installer\f76db9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76db9f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6D3.tmp	msiexec.exe
File created	C:\Windows\Installer\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\ext.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1497.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF117.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1270.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12A2.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\TeraCopySmall.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\TeraCopySmall.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76dba0.ipi	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

TeraCopyService.exeTeraCopy.exeupdater.exe

pid process

2288 TeraCopyService.exe
1184
1704 TeraCopy.exe
340 updater.exe

pid	process
2288	TeraCopyService.exe
1184
1704	TeraCopy.exe
340	updater.exe

Loads dropped DLL 33 IoCs

Processes:

MsiExec.exeMsiExec.exemsiexec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeTeraCopy.exe

pid	process
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
2180	MsiExec.exe
1288	msiexec.exe
1760	MsiExec.exe
1144	MsiExec.exe
2508	MsiExec.exe
2284	MsiExec.exe
460
460
2180	MsiExec.exe
2568	MsiExec.exe
2180	MsiExec.exe
1040	MsiExec.exe
1040	MsiExec.exe
1704	TeraCopy.exe
1704	TeraCopy.exe
1704	TeraCopy.exe
1184
1184
1184

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\TeraCopy\ = "{C2175ABC-D15D-4828-AA36-10C662E32999}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{2386CB87-96FF-473D-A009-957E3BFE6F88}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\TeraCopy\ = "{C2175ABC-D15D-4828-AA36-10C662E32999}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\TeraCopy\ = "{2386CB87-96FF-473D-A009-957E3BFE6F88}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers\TeraCopy	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 48 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\md5 = "FileTypeAssociations"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha3-224	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEEBE75A-7A94-46AF-A2EC-414CBA625DB4}\1.0\HELPDIR\ = "C:\\Program Files\\TeraCopy\\"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E0915E-032E-46A5-85E9-19E1DACDBFC6}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blake2sp\TeraCopy.ChecksumFile\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blake2sp	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\TeraCopy	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.md4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxh3\ = "TeraCopy.ChecksumFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F036C4B3-00EF-443D-B706-76BBD7B2CA9D}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\DragDropHandlers	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\TeraCopy\ = "{2386CB87-96FF-473D-A009-957E3BFE6F88}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha3-224\ = "TeraCopy.ChecksumFile"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile\shell\open\command\command = 610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003500310032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003300380034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003200350036003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003200320034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029004100490036003400420069007400460069006c00650073003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900730068006100320035003600730075006d003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290078007800680033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003300380034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007800780068003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003200350036003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610031003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300660076003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640035003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800330032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800360034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290068006100730068003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006500780066003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b00650033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b0065003200730070003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006b0033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\TeraCopy\ = "{C2175ABC-D15D-4828-AA36-10C662E32999}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blake3\ = "TeraCopy.ChecksumFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxh3\TeraCopy.ChecksumFile\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\TypeLib\ = "{FEEBE75A-7A94-46AF-A2EC-414CBA625DB4}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\blake3 = "FileTypeAssociations"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile\shell\open\command\command = 610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006500780066003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b00650033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b0065003200730070003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006b0033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha1\ = "TeraCopy.ChecksumFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2386CB87-96FF-473D-A009-957E3BFE6F88}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\sha3224 = "FileTypeAssociations"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blake3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exf\TeraCopy.ChecksumFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha256\TeraCopy.ChecksumFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\xxh32 = "FileTypeAssociations"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FEEBE75A-7A94-46AF-A2EC-414CBA625DB4}\1.0\HELPDIR	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\ = "TeraCopy Shell Extension"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\TeraCopy\ = "{2386CB87-96FF-473D-A009-957E3BFE6F88}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\sha256 = "FileTypeAssociations"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\PortableVersion = "\x06"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.md5\ = "TeraCopy.ChecksumFile"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile\shell\open\command\command = 610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003200350036003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610031003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300660076003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640035003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800330032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800360034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290068006100730068003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006500780066003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b00650033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b0065003200730070003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006b0033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile\DefaultIcon\ = "C:\\Windows\\Installer\\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\\ext.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD5235FD34F12824585DC13A53E3B631\PackageCode = "5105262D501FF7D47924162CDB60068E"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha3-512\ = "TeraCopy.ChecksumFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\TypeLib\ = "{FEEBE75A-7A94-46AF-A2EC-414CBA625DB4}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62E0915E-032E-46A5-85E9-19E1DACDBFC6}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2386CB87-96FF-473D-A009-957E3BFE6F88}\Version	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bk3\ = "TeraCopy.ChecksumFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DragDropHandlers	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\TeraCopy\ = "{2386CB87-96FF-473D-A009-957E3BFE6F88}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha3-384	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\TeraCopy\ = "{C2175ABC-D15D-4828-AA36-10C662E32999}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\sha1 = "FileTypeAssociations"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD5235FD34F12824585DC13A53E3B631\ProductIcon = "C:\\Windows\\Installer\\{DF5325DF-1F43-4282-85D5-1CA3353E6B13}\\TeraCopySmall.exe"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeraCopy.ChecksumFile\shell\open\command\command = 610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029004100490036003400420069007400460069006c00650073003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900730068006100320035003600730075006d003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290078007800680033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003300380034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007800780068003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300680061003200350036003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610031003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029007300660076003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640035003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290073006800610033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800330032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b00520038002900780078006800360034003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006d00640032003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290068006100730068003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b005200380029006500780066003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b00650033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006c0061006b0065003200730070003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b00200022002500310022000000610071007d006a0070004f00410078004700390043006f0027004c005d0070006b0052003800290062006b0033003e006f004c0066007e0040004900360024002e0039003400420030003400250052004b00340068002b002000220025003100220000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha512\TeraCopy.ChecksumFile\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\InprocServer32\ = "C:\\Program Files\\TeraCopy\\TeraCopy.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TeraCopy	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2175ABC-D15D-4828-AA36-10C662E32999}\Version\ = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD5235FD34F12824585DC13A53E3B631\AI64BitFiles	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sha512\TeraCopy.ChecksumFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\TeraCopy	MsiExec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

teracopy-3-17.exeteracopy-3-17.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	teracopy-3-17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	teracopy-3-17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	teracopy-3-17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	teracopy-3-17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	teracopy-3-17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	teracopy-3-17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	teracopy-3-17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	teracopy-3-17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	teracopy-3-17.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1288 msiexec.exe
1288 msiexec.exe

pid	process
1288	msiexec.exe
1288	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeteracopy-3-17.exe

description	pid	process
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeCreateTokenPrivilege	2420	teracopy-3-17.exe
Token: SeAssignPrimaryTokenPrivilege	2420	teracopy-3-17.exe
Token: SeLockMemoryPrivilege	2420	teracopy-3-17.exe
Token: SeIncreaseQuotaPrivilege	2420	teracopy-3-17.exe
Token: SeMachineAccountPrivilege	2420	teracopy-3-17.exe
Token: SeTcbPrivilege	2420	teracopy-3-17.exe
Token: SeSecurityPrivilege	2420	teracopy-3-17.exe
Token: SeTakeOwnershipPrivilege	2420	teracopy-3-17.exe
Token: SeLoadDriverPrivilege	2420	teracopy-3-17.exe
Token: SeSystemProfilePrivilege	2420	teracopy-3-17.exe
Token: SeSystemtimePrivilege	2420	teracopy-3-17.exe
Token: SeProfSingleProcessPrivilege	2420	teracopy-3-17.exe
Token: SeIncBasePriorityPrivilege	2420	teracopy-3-17.exe
Token: SeCreatePagefilePrivilege	2420	teracopy-3-17.exe
Token: SeCreatePermanentPrivilege	2420	teracopy-3-17.exe
Token: SeBackupPrivilege	2420	teracopy-3-17.exe
Token: SeRestorePrivilege	2420	teracopy-3-17.exe
Token: SeShutdownPrivilege	2420	teracopy-3-17.exe
Token: SeDebugPrivilege	2420	teracopy-3-17.exe
Token: SeAuditPrivilege	2420	teracopy-3-17.exe
Token: SeSystemEnvironmentPrivilege	2420	teracopy-3-17.exe
Token: SeChangeNotifyPrivilege	2420	teracopy-3-17.exe
Token: SeRemoteShutdownPrivilege	2420	teracopy-3-17.exe
Token: SeUndockPrivilege	2420	teracopy-3-17.exe
Token: SeSyncAgentPrivilege	2420	teracopy-3-17.exe
Token: SeEnableDelegationPrivilege	2420	teracopy-3-17.exe
Token: SeManageVolumePrivilege	2420	teracopy-3-17.exe
Token: SeImpersonatePrivilege	2420	teracopy-3-17.exe
Token: SeCreateGlobalPrivilege	2420	teracopy-3-17.exe
Token: SeCreateTokenPrivilege	2420	teracopy-3-17.exe
Token: SeAssignPrimaryTokenPrivilege	2420	teracopy-3-17.exe
Token: SeLockMemoryPrivilege	2420	teracopy-3-17.exe
Token: SeIncreaseQuotaPrivilege	2420	teracopy-3-17.exe
Token: SeMachineAccountPrivilege	2420	teracopy-3-17.exe
Token: SeTcbPrivilege	2420	teracopy-3-17.exe
Token: SeSecurityPrivilege	2420	teracopy-3-17.exe
Token: SeTakeOwnershipPrivilege	2420	teracopy-3-17.exe
Token: SeLoadDriverPrivilege	2420	teracopy-3-17.exe
Token: SeSystemProfilePrivilege	2420	teracopy-3-17.exe
Token: SeSystemtimePrivilege	2420	teracopy-3-17.exe
Token: SeProfSingleProcessPrivilege	2420	teracopy-3-17.exe
Token: SeIncBasePriorityPrivilege	2420	teracopy-3-17.exe
Token: SeCreatePagefilePrivilege	2420	teracopy-3-17.exe
Token: SeCreatePermanentPrivilege	2420	teracopy-3-17.exe
Token: SeBackupPrivilege	2420	teracopy-3-17.exe
Token: SeRestorePrivilege	2420	teracopy-3-17.exe
Token: SeShutdownPrivilege	2420	teracopy-3-17.exe
Token: SeDebugPrivilege	2420	teracopy-3-17.exe
Token: SeAuditPrivilege	2420	teracopy-3-17.exe
Token: SeSystemEnvironmentPrivilege	2420	teracopy-3-17.exe
Token: SeChangeNotifyPrivilege	2420	teracopy-3-17.exe
Token: SeRemoteShutdownPrivilege	2420	teracopy-3-17.exe
Token: SeUndockPrivilege	2420	teracopy-3-17.exe
Token: SeSyncAgentPrivilege	2420	teracopy-3-17.exe
Token: SeEnableDelegationPrivilege	2420	teracopy-3-17.exe
Token: SeManageVolumePrivilege	2420	teracopy-3-17.exe
Token: SeImpersonatePrivilege	2420	teracopy-3-17.exe
Token: SeCreateGlobalPrivilege	2420	teracopy-3-17.exe
Token: SeCreateTokenPrivilege	2420	teracopy-3-17.exe
Token: SeAssignPrimaryTokenPrivilege	2420	teracopy-3-17.exe
Token: SeLockMemoryPrivilege	2420	teracopy-3-17.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

teracopy-3-17.exeTeraCopy.exe

pid process

2420 teracopy-3-17.exe
2420 teracopy-3-17.exe
1704 TeraCopy.exe
1704 TeraCopy.exe

pid	process
2420	teracopy-3-17.exe
2420	teracopy-3-17.exe
1704	TeraCopy.exe
1704	TeraCopy.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

msiexec.exeteracopy-3-17.exeTeraCopy.exe

description	pid	process	target process
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1040	1288	msiexec.exe	MsiExec.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 2420 wrote to memory of 1928	2420	teracopy-3-17.exe	teracopy-3-17.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2180	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1760	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1760	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1760	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1760	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1760	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 1144	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2508	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2284	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2284	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2284	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2284	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2284	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2568	1288	msiexec.exe	MsiExec.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe
PID 1704 wrote to memory of 340	1704	TeraCopy.exe	updater.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe
"C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe
"C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe" /i "C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\TeraCopy" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs" SECONDSEQUENCE="1" CLIENTPROCESSID="2420" CHAINERUIPROCESSID="2420Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="Required,AI64BitFiles,AI32BitFiles,LangFiles,bk3,blake2sp,blake3,exf,hash,md2,xxh64,xxh32,sha3,sha3224,sha3256,sha3384,sha3512,md4,md5,sfv,sha1,sha256,xxh,sha384,sha,xxh3,sha256sum,FileTypeAssociations" ALLUSERS="1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_ADMIN_USER="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718470391 " AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\teracopy-3-17.exe" TARGETDIR="C:\" AI_INSTALL="1"
2⤵
- Enumerates connected drives
- Modifies system certificate store
PID:1928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1BA3CC0B27424C10E2E6EE9DB475FAD C
2⤵
- Loads dropped DLL
PID:1040

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 15D700DC89C1DE5C4285ADD429385712
2⤵
- Loads dropped DLL
PID:2180

C:\Windows\system32\MsiExec.exe
"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\TeraCopy\TeraCopy.dll"
2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:1760

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\TeraCopy\32-bit\Context.dll"
2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:1144

C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\TeraCopy\32-bit\TeraCopy.dll"
2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:2508

C:\Windows\system32\MsiExec.exe
"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\TeraCopy\Context.dll"
2⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:2284

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C348EF317A331B6E7A4B2D3F8FCC034 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2144

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2476

C:\Program Files\TeraCopy\TeraCopyService.exe
"C:\Program Files\TeraCopy\TeraCopyService.exe"
1⤵
- Executes dropped EXE
PID:2288

C:\Program Files\TeraCopy\TeraCopy.exe
"C:\Program Files\TeraCopy\TeraCopy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files\TeraCopy\updater.exe
"C:\Program Files\TeraCopy\updater.exe" /silent
2⤵
- Executes dropped EXE
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76dba1.rbs
Filesize
1.8MB

MD5
b91e4ef150079c2f109daa27b0c9526c

SHA1
f7ed016357896ba4a8b088b83e5033c7f95d15d8

SHA256
4ffd8291c7015f92ddd6fef2454d28d0f1c51fcc0fb7bab89d23e2176dfc6168

SHA512
fa68d7c7495f1072ed3ba09eb0385b4a0730afe10905bf750b43aa1fa40cb7a366e85e140a4ed08befe6ee3f22d2c2ffcce94d2962453493172b5548b07f8ce0

Download Submit
C:\Config.Msi\f76dba3.rbs
Filesize
525B

MD5
3e8a61ba98c4f5c9022ad121a4cc5e12

SHA1
3c3e6083a935d45bbdf5e95cddfb872e23f2bda7

SHA256
114b790738552529decd6aee4d17d4b5feec4b956e92776c1806aab889349c2f

SHA512
8842f3cfe0cb803854e2451ea5cd754d87beef9f835402b364a620a262d47ea2d7750d385a7c0aa707daf7b7be9ab6a9e4f785ee52f5792955fa70b03e4e6354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
765B

MD5
77df5c3612fd90fed0a85c53c729cbd8

SHA1
34194c358ce2cb3f651b316117340d9611354e07

SHA256
2fe550cb8069da14c9234199caf689454bfd5e1e9512dbf35f9bec7e7200341b

SHA512
90c6e6a13d0e7b00ea51d7a31cd6a8ee8bf9e61dab797e189ed896316a2fe3ce558ad5a9a7ed33c3beaee199e76d0fcbc6be8f5bc0c6d2c89a0cab0f7db7ead9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_29FEFA71A8995944ED77F14BD3246071
Filesize
638B

MD5
95e72e19e697f8739a5af0f78536b103

SHA1
ee8164c29cd301c8139401d4e527a393b4845b01

SHA256
3d40e53853e2591fdaea183f5fac30b79ef292b9bee40dc003a68453b75b71a3

SHA512
996fe5b20bb9559efcea3e3275290c1a1e56fc1b57d748d9119cbcdd54075884bb21842702020f73377ce5affa190029a8dbc436a19c49c053d911771eb34565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
1KB

MD5
98cb4b2e30db123a1378ed45fc3f0468

SHA1
3e067497d10ea9c1e652364c22638051b6997c0c

SHA256
2ed3f07a817e3a989070ee6260b87076c1885fada6a86985a68ca22b22a3490f

SHA512
d902454bc49e72c1a2fe19dd95a93ce004303d2c4bdb18e88b358503adc5f2cade878e6d3ee100f5d89f3a8711d723953041ecd5b6ccefbc4513c6c310f117c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
484B

MD5
260e318b7f16833f53ddfe5b532bcc56

SHA1
041d4edef537763b211a0c550b9b893dfe6d08b6

SHA256
7faa5cfd08004c6376c326d06a42e239f7f52b1ff136078edbe9727ba79cbfd8

SHA512
d75542a3d3f125579fe4a501be36d6cad07b00266b181349081815cf338e143462dba64344bf993c8906b5eb796b317cb57ce76b5dec2fe44bf4e3b871720bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b3ff1f6e78af892bad41408680e87493

SHA1
84a9094725561a362550a2c1a6be7d83bf2c0541

SHA256
6231e31555e93cf29fbc5f5c2a4732810ad0c1506f7cd1a35b00563d41c533fc

SHA512
d455a8c0617287fa6cc415beb8e3dad0386f19fb4fb2fc974024c0cd8b4ddc67b38059b8573d861c9b10c7da5431e5c06c15d211fbd5cd70c28d056703061751

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d544cf8a8d7e1e222225d15a9c5519d6

SHA1
9c63d9fec381b2da759adc2b2a9218a7c40ef464

SHA256
dcceccf09a3980a4b09bad2b8010b3d76fcfd5238bea373d609e742638c4b976

SHA512
228318a836f2ea14a75e87dac0564084a79c40f7a782c43efc265de9a218d15384f5ec9c0f92b8ec63095c29e41622f9de9893ddc3e9f7b50a3f71a4d36a8c4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cd32033d6f49f1cffa32ad200308b237

SHA1
90ca9f91b946559407111da5b8b1067914ba5232

SHA256
7fcf4660ad14a1d4798f719b2fb1fff2f3e9a12ff7c9463f4860aec754799c43

SHA512
bb6545cbef4dcfce55b10bcd1802682744270a0ab5f3d4d8ab49d9569e617cdb96f733e8c856cbca1412264e68123f0405cf24096bfda4f550d376f04ecac980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_29FEFA71A8995944ED77F14BD3246071
Filesize
484B

MD5
d5481a094e590774af0de2a612228602

SHA1
602f2d28befa45a5a5f2be5b2153ddd6b0d9c48b

SHA256
fe172f8f475a9f899ef89516ebaf70d0833aca2a13d2db5dfc904a77efce58a4

SHA512
49a153b6fddb379566ccc6b5ccd5a4601a8ed74f3f2d2ae739505e3a98c164791e05ca04ff5f9fde87e267712ffef2a90064f65621f917b2e8dcc7d440eced4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
482B

MD5
d9128df44472869acc992a26706beb39

SHA1
1d4d5c1a60a168e149048347eaed0def0f2c5255

SHA256
f2e7c6931dabf23d70c413641d825780c736cdc81f1e5d7e77448335f51c88d5

SHA512
843e1997c47a23aa02f8130525883c34514ea7019d543e592ce8bf7af25f08d9c508467ba2f5b7ef2c900198a727dcdbf33036c9454073125e9f532d6c3c0cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\ProgressImage.png
Filesize
1KB

MD5
8c903c7a534cd12c8eea9582068fb39d

SHA1
ed049dcebc99857fa90043861c5619c776f8e937

SHA256
efdf35f6be917e4cbb41482226f2b475537f1d3de9d415933ed499a89342eae1

SHA512
baf4487948277bb04392b81f2ac211b96f6adc37545a3ddf60df50721329b6d967bfd85eb9048c1c343094d37350f90f988fca3ba587f31b3e96734b9ff05a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\TeraCopy.png
Filesize
43KB

MD5
f3e10dad17928bc47031a2205a26c17a

SHA1
8716244bc1ae996025246e1306db6f9a3bfe08a7

SHA256
9c7f720c1367e6ea08e4c8a93e7f1ea54f72328e85e1c04b58667383464dbf80

SHA512
180469a611cd9cdb73a74259125f334330915bc6ee6fee22851ed1fa7ce35ad61b501232be87a2fef8a0c887c3aabef913235def82c140cbf0c8fe285b406ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\aboutbtn
Filesize
1KB

MD5
b51b54b77e9cbfdb1063f7487c1c07ec

SHA1
8a8a7036cfbc86a537447bf71b9f6795923db8b9

SHA256
9d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335

SHA512
04cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\background
Filesize
2KB

MD5
9e23da7c3cd3fb8113e698a12a3d3047

SHA1
6d021109495d77a53afe101f2b03a4da847e6d99

SHA256
b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c

SHA512
65e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\buttonimgs
Filesize
1KB

MD5
7633f00ea029a3b988c354441f0f4722

SHA1
a72a74af68d006a35efcf9be6fe3424ff31fb84c

SHA256
ed127a86f01d767643af667c1d52525a3cb7632713b981896af72628da7ee7fa

SHA512
52c70cbd6fa3cc292a1d5b505b272d88b6f950eac4d24df750b7c8ce5bcacdff9fc9fdd0ccff8f081d05852559ae187f50d4e6b4f5f95e8c648a658d4b9a03b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\checkboximgs
Filesize
1KB

MD5
bf7ac146eb80de9d4d3e6b5a7998ebbf

SHA1
532b1bae084af1bb3a8880c47a509ce1bb804df3

SHA256
73616e9e679089cd5c580d5ef9cc96859f13509af8150fe081d67a1935ce4885

SHA512
ea5ed62de728d88cf598b0b9bb1da953b2ee7675cb71d04f022ce41b2697e0f02bef269181c09ede6c28c6946dd8944abbb487ab4be8b190fc9b72423ca4a905

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2420\custominstallbtn
Filesize
914B

MD5
fb33dcad5260941fc9261b1f378d5775

SHA1
5bfbefc05e1d1f41b10974b1ca43495053ad95f3

SHA256
9ccbc0baba2efe3424610a0f282626e2364473c5afc5cd6d485e6673bff3a862

SHA512
7cc5481fbcb4e4f0420da5196a209124f615c0b42e2f1ff5da444ac13c0d8698b5f20472ee1743c126d0bbdc6241e2ccbb58f6ac0970dba6aff74189d600f0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C37.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI653C.tmp
Filesize
721KB

MD5
5a1f2196056c0a06b79a77ae981c7761

SHA1
a880ae54395658f129e24732800e207ecd0b5603

SHA256
52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

SHA512
9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI67EC.tmp
Filesize
1.1MB

MD5
25e52c5776a81e0c5ccb9bdd4c808c90

SHA1
e42104ef61ae4760a41552292091eb6a5089ced4

SHA256
0831dbcb3799c9e36ea586582e8ef907dcefeb2045351d6774c7ad0ef02a9af2

SHA512
746570c011e501505ec9d09077519bca1a485b0cac66229be6f4715a91ee52d5cc857de26ad8d7a33806ddfa580d2ba9f77759e3764ea761d327fe2f1e881292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C97.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd54A5.tmp
Filesize
822B

MD5
e750aa90012457a9c718ba564cc7c59d

SHA1
f2de0aebed40ab99ae10830a536b50282122102f

SHA256
9d48ea41da43018da9d980ffc26de5cb7601c5b8985985753bf0ea3a1e050e55

SHA512
fddadbfcc366af3aaa481d87bb5a1521f41090624048b39e4f77ba584eb161d6b19f32e22ec596e17b0f5792bbb353585a70b2b6455b5a4e59c3b810f515d818

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\32-bit\Context.dll
Filesize
1.2MB

MD5
b3c193ea7d8aa574c736a4720d71dc93

SHA1
fb56bb48dd4c73fe97cb5424bd1ba7903185611a

SHA256
f9f1d46e0105ad3a0ebf8584ae9f5b88c2c33ed5e79b41e7cb40cd598b3e3eb0

SHA512
abee0986043c191d343e577b2b148830e897b295277dcd8e1a445da874b4513b4019440745f78f9486ce433084c7e87fb296fec07af94b0eedfa82a9f0b0afb5

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\32-bit\TeraCopy.dll
Filesize
1.1MB

MD5
91dbc4d3933f7572e93758583cac490d

SHA1
27eac8058768e8e8b7b67f34b2229b78fb3bee45

SHA256
7b520ead82236b6692449318076a9bda561cc73e0055ab19d8e12fbd138e0152

SHA512
e0939519b469528e7d164d5342fc28f29b94eb3eec9c9d75f7dea5670cc814a5457e82dffbaed4a43e768c8dba27e3c0ebcc23b9488a94f2273fb6abbb60896c

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\32-bit\TeraCopy.exe
Filesize
3.3MB

MD5
69fec14702d245028f9cc04e1e9a1f96

SHA1
0447b0a3d761c8bb24a694e3982a11271590e894

SHA256
89653b3a79e8b17dfc5de1206d859ddb3b60ef95468a0e4b51e964c200fe6d1b

SHA512
a3772a7ac406df67b461d63680a6ee8a4f5efae8e4ba080f6af42474c9b8630ab55178d15f9953c655532e8bd4595053077a20d9f153e643ff1c07e6a513684e

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\AppDataFolder\TeraCopy\Ignore\Temp files.txt
Filesize
141B

MD5
3d62c0183f83da72ec3107bec5446f52

SHA1
f891c548e98680cca44e8534a327bc6500f56d16

SHA256
f18018d786ffc21f2cf1c6f475e5ea8d03bde907f21026e3cb79e6b3b303cacb

SHA512
9d51191ed27ab48f40a633972e97d34e755644768d6cb32abe2faeead967aaf3ca25688f1577c4749d3622424d8142e4c5b9b045e09f12f62af3fd6f9a3a938c

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\AppDataFolder\TeraCopy\Ignore\Video files.txt
Filesize
127B

MD5
995f3f5c23a3c5f239a5192a9548eeea

SHA1
4d3e96aad16d657d44a9c97eb7b3761285e63e33

SHA256
32de3b6e121896c34e1285a8972822aac4e2fd23a72637490faf95ef206b1087

SHA512
9fd1b9cbb11abea7bbc4af55dfae913204c7255a4507568302c89c1026a20f19d220459f9999e5efb14604544171d7146f7b870c6205019ccc72975e55e52c78

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\App\DefaultData\PowerOff.cmd
Filesize
279B

MD5
f95082b2d55f940ffd919c87c3432c38

SHA1
1adaca6fc0a241aa405c67eeac4513ab204e98de

SHA256
50c0bc8a1097a40a940133fda83e77d109e1c30fe385e142c646ccfaec9bd4bd

SHA512
bff12129c00419a030e1379ca2497b725feb78f6dff6ef7a801af887c405871932310bd62c7f02e2355faf50b83924fb4aa3e3e1027a69e5835f851033b95089

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\App\Locale\af\default.mo
Filesize
2KB

MD5
ca9cd54a8419ca61e1b17ba4b05c2f11

SHA1
4265289479faea438ed68d82c5d357c8e57c1e67

SHA256
90932491423759776b83c99d3c085a90179f12411370c4b91aca284010c838b9

SHA512
1a26824415c4da6d2690af2ce9f16c8f93ad9b17db896ce66b5b00939feae3afc892dc0abde3506ae4682b101c448e2d1e1960b9cd0441dda29bf8287f39c9d2

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\App\Locale\af\default.po
Filesize
12KB

MD5
4012217e3eee49ee1610dbe87e46651d

SHA1
b803f7ec967b416c99d64a0463a902de551f65cf

SHA256
5d11bce4bf2e61976e84f9a98d5848bbf0a20da32614db5ca7dd2da4eac1e6ef

SHA512
ded5e566b2f8db5c25620379dbed9982d3bc8ec5f59802573884a776d438bfc59d38b62f4bc562d74262152a8ef91cfbefac8f5e201551a3859a02a5d19b59a4

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\App\Locale\ar\default.mo
Filesize
19KB

MD5
4327f54846724dd55a393a41095d23ab

SHA1
574538ea6bf1a79f6f2491f1563d9afd8f9c6e5f

SHA256
d49d4ce4dff401441c28cafac7dd77bacae3cccb4af1077ccc318fffdf6b4e10

SHA512
05d439f31aa5895444671adb879dcb19490d9a6402c7706d646d5120e65feab222291495dd5fb4f402872ceaa89b576789b098b281c54bac8af41ecf0708b2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\App\Locale\ar\default.po
Filesize
20KB

MD5
4b0e0fd066887c45d46d283465fafe3e

SHA1
eab115617a26b41ccce5b810441f323f1047b231

SHA256
9a8e627991299248316c054f1ae956630d4f985b82958f89d235b80dc00d4092

SHA512
7ade313707385da10175c62d7c31be619e4e3b41371a4510a8c1bf31cb80b0c5a91348c6efb6d2497da2f4f555f8b6ddf601ea49266492de3b91a574eb8e32f0

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Context.dll
Filesize
1.7MB

MD5
f25893561856e49fea312fe0660309b7

SHA1
cedb00ab9052101c6ba37127853a37be3a68ffae

SHA256
805e41fb941140234c29ae25a0be1542dc72c6957132588e68d79dac7687daa8

SHA512
15bbf583b253bbd87e68a759f9d9a3ff09928317cd29a3046b98fd555773083122497ab18e092c4469021ad8aaaf75e8fb4a88647343772cc51c31ce82a2e699

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Directory Opus.txt
Filesize
917B

MD5
da536a00c47327cf9750afb7798e6eb8

SHA1
ea95aed802524e8eadad649ddfd9375331e3bfd8

SHA256
727633b122c814bdb58d83737ae0bcc0613ccffa2808ce319910a4567faaeca3

SHA512
5e6f024310b241265274cf1861ea55515b9acea990d6503d2c584b30f9ed4c52c74d03827528c9fd7356ce3073f7602b9ab8a67d9256c67d74c67f22e3092a24

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\License.rtf
Filesize
1KB

MD5
e8a8ef422a7b69c7fe5e4040230cbce4

SHA1
e6435981001b98d3e5abfa7c163aa90b2bf76008

SHA256
0cf0973d9bb6df2f0effef874404a7d19cf30b53de88ecdf326fa29477b904da

SHA512
a3a6688f5c56868fbf53c848bd5b6228e65c0c613fde11000f22f41855b8adfab08089a3e380fd0fe240cc2783f192feca611ffd7999101b9cd48ad816038192

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\License.txt
Filesize
1KB

MD5
0c020e9ec866a7426aa62a593d77a894

SHA1
dc75a260eaae962462b84c14045837e029a7263d

SHA256
7dcfbd0351c64c0798ec5cc14bb32bab7b224a854a456a7e20ca15e103bb8d7f

SHA512
89011e39cf9d7700b1dae0fa190d075d7d3ec0fde032eb65d0e1cab7830a686fd71fac07d5b9648ca99e48af3abcefb95c71b99adc015a608f9512e8462069c2

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Portable.txt
Filesize
79B

MD5
7d6446e2ee411f4c3fdd42e5e9f35e05

SHA1
9e022e3fa52bfe456ad6f7d2fd3aa25130e5e235

SHA256
877336267c4fc71a5c8b202b629875fdb492de485b263b1cd5d862a7bd87aab5

SHA512
838919b0481d888a45ebe112398624ede7bc001d7bfa100f6e5b1e51022f0e00e881f188f5ed941f91cbff212d8041454186d2e90d8326b9fb630e72a41a5ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Readme.txt
Filesize
1KB

MD5
77a28c6396845a0622a7bff3ae011bf1

SHA1
0727e94064d93c26887bb906be7f1b1642eff106

SHA256
253dd55e4186c616f13f73603077c3f644e0b6f5da5d2dc36e7ffd90569035d9

SHA512
e229626a40453adfd16f311e48ff868e836be123c13d57bf290d89aa3b5d4a7444ebbfe0532bbda923e75e2bd3b247d146941a4dc502b9e83527880ec4851f75

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.dll
Filesize
1.8MB

MD5
3dd02d5a01043942218aa58f655f3af5

SHA1
8bbf0a8ada30812110580ded53f65741a222b29c

SHA256
6005273fecd0104b9798e834c33c3f6d23e1e5fcc7d2a4dafc493cbc49bd84af

SHA512
eb8c8c044adec6a62a02d42ecd7d4b915a88f327d212e9afe6d29cf0c41731ac9117e2c7892ea7f893ef7d2ba4e987d8b150a32ac67767c71bbb85bf3133f1c6

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.exe
Filesize
4.6MB

MD5
0599e55c4eb4729fa508e2a1ef36ba2a

SHA1
12635b1ccbec25c75d858c1729240e1cef8f60bf

SHA256
4f4e3c5d265c7350d56638be72413e62a0d48a94411da68836dd630e1e61391c

SHA512
0078aeffb216a26737271eed570917d01f1ea437cbb27872ef9f633cc5cbb03c4022349547b4190c106001db5c79320970749b67f54154ca593c42f595c30537

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopy.x64.msi
Filesize
5.6MB

MD5
9529d790607eca409b70c780f99e05a3

SHA1
c1852c6d0ce7ee0b424890a3d7e9c6ff338fd459

SHA256
c8077ad69802259fcb291e528c9be01eced4e7302c1dbd337d53bb879b6e7b02

SHA512
ab9debb175c7635ec3beb326c5a0f5486d7efb029872d6ddef4a64a9ba52cce4f2934f54e8b3bad6055d4277fca551a844cd1019239bf25fc7b7f6fa1e6779f4

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\TeraCopyService.exe
Filesize
310KB

MD5
e90cb56d8c42b86e74cd1c87c4d9958e

SHA1
7734817ec380b8d53714840d448a306065c8c973

SHA256
44f9500e24722730a9d2fa271051de46bd1c0a5aa1971c5fc2a01942e348609a

SHA512
4d6c1e2eaf428527358edeb5c8b60c92a58c25783b83d12aa11d8ae6511032071fa6e976a4149a3d444acea368056b79b97c8176ddf0d9849fab9dbc5fe4db84

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Total Commander.txt
Filesize
401B

MD5
4952471cf7d4a5246883940d341805b8

SHA1
e616b90ad7a7dae80631e0d848085d9e1393c2c3

SHA256
4b6bba5c3480144437670cd1e47b9aeda31776474a841867004dcf48c77c2d95

SHA512
3b50d781f6a06f8e24c979ecafff6c628c84a25aaf4b5876ef928642de08b47d333c302dc267411a60b9cc93effd394308bb09a8c18fb7bd0fe6bd42de7be613

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\Whatsnew.txt
Filesize
19KB

MD5
265db33349da50400770fbd69704a7fd

SHA1
29aa93a5c99b5f44d4b2be291b096bf585472e24

SHA256
50b9f938ff6d5fe984d7b926498df5852d4cdf68026181935e5226c8f0b6b0ee

SHA512
4035007dcf322655029395df4ef765dff7cff0f5cdfd7290440f2613aa422947bd5f086616c0dc87bca992005669734b09d9a0a0324326eebe4c075fc8f39fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\XYplorer.txt
Filesize
559B

MD5
14994b64af1f1c512e42cf227f936ceb

SHA1
45348bbfb908bced201575632493e0dc59ff2834

SHA256
1f4b20ec1aa01f7dcb26cf97af275a26454fc34a517c25dd44793f138894a07c

SHA512
d11b6781acaa7d9b722b3169985dbe0318e4f6477fecc14ee716b2f72078b93f9aef0c81534a5262c4ad5d77cd0cda1367c5debd985c5d8985a24b4a35446c75

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\share.html
Filesize
751B

MD5
35433f2fe5ad1dce57646d1d66bfc2f5

SHA1
e9d7bbf52369f8afaf41fe8d1044a8e0f2bbb679

SHA256
5a723cff0a7883595342272a28c57d0c67af83ecc468df9ad8ed1307d95e1d44

SHA512
33cad676e3ea2ad6aa7b4039c4b2bf6d59d8f0b21eaeb2dd3151057385a71fa07bb50c4eb37ebc05fb118f5314f5dba92ddbf3b02b59016eebf8d5a2d0fd1a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\sorttable.js
Filesize
16KB

MD5
c465d96c2035408602f71b29b06d722c

SHA1
80862ee118c9f5833d69483f2c682092735fbde8

SHA256
72fa6ddc5dfdb54dd35935feaaad9b2a68ca1e872caa4edf03c1a26f1c3e4931

SHA512
6b09db7e545c57c78b38c74966948d1e681101059025facb5b233ae957c5f54c589c347b8ff54bea67d31c69541ed736447e4e223b663f5491196edea2e07635

Download Submit
C:\Users\Admin\AppData\Roaming\Code Sector\TeraCopy 3.17\install\53E6B13\updater.exe
Filesize
1.2MB

MD5
d8b22f90533e53ac0b219133b28aeab4

SHA1
3204e11f5ccfbe5bb5441a6f7f43f8cdc16983ea

SHA256
dc9d76355354fc0b3d5d7176f97dbedf72526d81e4b93ad8231e4f48f0020708

SHA512
f606a91e811a3dcf2eb5fde0dda4280adf641b19087f6c491a4f817a45eea88a8650c9f1daa2b1af12eccf59d19a0aa8e83cad0b028df94df16b4d5be428925a

Download Submit
C:\Windows\Installer\MSIF5D9.tmp
Filesize
173KB

MD5
d43aeae5b7b5831a99b5d74140133d1a

SHA1
79a88c0be5865db188bd3db39a53c9f0066cc064

SHA256
557e29270d0b009cdd844137d61b5e9952aecb62867cd52a8ba84870b02b5c15

SHA512
01db3faacc75cb7c61fe798563e28b1be5f0161a0cd25f44642ea62825c6bccaf8719e0ef9808b1cab964861356dd814805ee45e0f6a96d4dd8d35ac1015ddb5

Download Submit
\Windows\Installer\MSIE063.tmp
Filesize
838KB

MD5
4a3f6a4023abd6bba56534de47d20017

SHA1
02dd888e467143e2e35465d73f39cf3e66afad10

SHA256
a8dfdc283ad8d4dc6f500ddfab564e79dadae075c0d54784b50e1ca548709b30

SHA512
580c7918ef90eb0020901bab645b72bcaf945ceb5bd56c2e7847f229b31a961bc4cd4ca9cb2583db480947ca8a0880b5ae4bd26717217abcacc9754352aaba28

Download Submit
\Windows\Installer\MSIF117.tmp
Filesize
834KB

MD5
065fab0d856b9896887392a021578e0b

SHA1
11087b4dbbc6855c245c9e686cefc96d581a578f

SHA256
a9a34d9c6cc14ed252cf0a07896f266187d57b4635c31a89779dac5843f17411

SHA512
19f23c2a9f2bbf6d9f05f29548740a5ba495ce340a1166549ab1adcccc5d582c9c5b6040f9514f03875894d25aab73a8f217d39e0ad36c0bc0f01ae988eff98c

Download Submit
memory/1040-656-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/1144-620-0x00000000020D0000-0x0000000002216000-memory.dmp

Filesize
1.3MB

Download
memory/1288-586-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/1288-787-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/1704-660-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-718-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/1704-814-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-664-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-663-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-658-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-665-0x0000000002560000-0x0000000002693000-memory.dmp

Filesize
1.2MB

Download
memory/1704-659-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-657-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-661-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-811-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-780-0x0000000073F00000-0x0000000073F58000-memory.dmp

Filesize
352KB

Download
memory/1704-779-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-805-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-795-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-798-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/1704-802-0x00000000003B0000-0x0000000000D0F000-memory.dmp

Filesize
9.4MB

Download
memory/2288-778-0x0000000000B50000-0x0000000000BAD000-memory.dmp

Filesize
372KB

Download
memory/2420-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2420-278-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download