File name:

teracopy.exe

Full analysis: https://app.any.run/tasks/c6ac4f83-d79e-499f-a444-3113613236e6
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: December 20, 2024, 12:02:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
advancedinstaller
copyfiles
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

5DE10815F38B0D86450AB4AD752B5F7A

SHA1:

3481B24607B19152E5175BF4A65452FF1A6F05E6

SHA256:

5F7B796E4EDD366C9C5A97AE65CF1722C3152E3BBDCA593C593622B35372E81F

SSDEEP:

196608:vH2y5ioncuhpE7wXPDIygDNMI81riZB+jh9FHC2qD60rQx9lI65Z:vHx59nxhS7wfDyMI8iMhrhwzcfr5Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADVANCEDINSTALLER has been detected (SURICATA)

      • teracopy.exe (PID: 6632)
  • SUSPICIOUS

    • Access to an unwanted program domain was detected

      • teracopy.exe (PID: 6632)
    • Executable content was dropped or overwritten

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • updater.exe (PID: 2572)
      • teracopy3.17.exe (PID: 1576)
      • updater.exe (PID: 2796)
      • teracopy3.17.exe (PID: 6784)
    • Checks Windows Trust Settings

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • updater.exe (PID: 2572)
      • msiexec.exe (PID: 7144)
      • teracopy3.17.exe (PID: 1576)
      • msiexec.exe (PID: 1472)
    • Reads security settings of Internet Explorer

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • msiexec.exe (PID: 7144)
      • updater.exe (PID: 2572)
      • updater.exe (PID: 2796)
      • teracopy3.17.exe (PID: 1576)
      • msiexec.exe (PID: 1472)
    • Reads the Windows owner or organization settings

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
    • Process drops legitimate windows executable

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • teracopy3.17.exe (PID: 1576)
      • teracopy3.17.exe (PID: 6784)
    • Application launched itself

      • teracopy.exe (PID: 6632)
      • teracopy3.17.exe (PID: 1576)
      • cmd.exe (PID: 6328)
      • cmd.exe (PID: 6544)
      • cmd.exe (PID: 7164)
    • Adds/modifies Windows certificates

      • teracopy.exe (PID: 6340)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5208)
      • TeraCopyService.exe (PID: 6432)
      • TeraCopyService.exe (PID: 5268)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 2728)
      • msiexec.exe (PID: 2216)
    • Starts itself from another location

      • updater.exe (PID: 2572)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 6328)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 7116)
      • updater.exe (PID: 2796)
      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 6328)
      • cmd.exe (PID: 6544)
    • Executing commands from a ".bat" file

      • updater.exe (PID: 2796)
      • msiexec.exe (PID: 7116)
      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 6328)
      • cmd.exe (PID: 6544)
    • Changes default file association

      • msiexec.exe (PID: 6324)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7164)
      • cmd.exe (PID: 6328)
  • INFO

    • The sample compiled with english language support

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • msiexec.exe (PID: 6324)
      • updater.exe (PID: 2572)
      • updater.exe (PID: 2796)
      • teracopy3.17.exe (PID: 1576)
      • teracopy3.17.exe (PID: 6784)
    • Reads Environment values

      • teracopy.exe (PID: 6632)
      • msiexec.exe (PID: 6316)
      • teracopy.exe (PID: 6340)
      • updater.exe (PID: 2572)
      • updater.exe (PID: 2796)
      • teracopy3.17.exe (PID: 1576)
      • msiexec.exe (PID: 6776)
    • Reads the machine GUID from the registry

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • msiexec.exe (PID: 6324)
      • updater.exe (PID: 2572)
      • updater.exe (PID: 2796)
      • msiexec.exe (PID: 7144)
      • teracopy3.17.exe (PID: 1576)
      • msiexec.exe (PID: 1472)
    • Reads the computer name

      • teracopy.exe (PID: 6632)
      • msiexec.exe (PID: 6316)
      • msiexec.exe (PID: 6324)
      • teracopy.exe (PID: 6340)
      • msiexec.exe (PID: 7144)
      • TeraCopyService.exe (PID: 6432)
      • msiexec.exe (PID: 4160)
      • teracopy3.17.exe (PID: 1576)
    • Creates files or folders in the user directory

      • teracopy.exe (PID: 6632)
      • TeraCopy.exe (PID: 5592)
      • teracopy3.17.exe (PID: 6784)
    • Checks proxy server information

      • teracopy.exe (PID: 6632)
      • teracopy3.17.exe (PID: 1576)
      • teracopy3.17.exe (PID: 6784)
    • Reads the software policy settings

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • msiexec.exe (PID: 6324)
      • msiexec.exe (PID: 7144)
      • updater.exe (PID: 2572)
      • teracopy3.17.exe (PID: 1576)
      • updater.exe (PID: 2796)
      • teracopy3.17.exe (PID: 6784)
      • msiexec.exe (PID: 1472)
    • Checks supported languages

      • msiexec.exe (PID: 6324)
      • msiexec.exe (PID: 6316)
      • teracopy.exe (PID: 6340)
      • teracopy.exe (PID: 6632)
      • TeraCopyService.exe (PID: 6432)
      • msiexec.exe (PID: 4160)
      • msiexec.exe (PID: 7144)
      • updater.exe (PID: 2572)
      • teracopy3.17.exe (PID: 1576)
    • Create files in a temporary directory

      • teracopy.exe (PID: 6632)
      • teracopy.exe (PID: 6340)
      • teracopy3.17.exe (PID: 1576)
    • Process checks computer location settings

      • teracopy.exe (PID: 6632)
      • msiexec.exe (PID: 6316)
    • Creates files in the program directory

      • teracopy.exe (PID: 6340)
    • The process uses the downloaded file

      • teracopy.exe (PID: 6632)
      • teracopy3.17.exe (PID: 1576)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6324)
    • Sends debugging messages

      • msiexec.exe (PID: 7144)
      • msiexec.exe (PID: 4160)
      • TeraCopy.exe (PID: 5592)
      • updater.exe (PID: 2572)
      • updater.exe (PID: 2796)
    • Application launched itself

      • msiexec.exe (PID: 6324)
    • Manages system restore points

      • SrTasks.exe (PID: 6552)
      • SrTasks.exe (PID: 6376)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6324)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 1472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:21 13:48:47+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.31
CodeSize: 2193920
InitializedDataSize: 1159168
UninitializedDataSize: -
EntryPoint: 0x197714
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.9.7.0
ProductVersionNumber: 3.9.7.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Code Sector
FileDescription: TeraCopy Installer
FileVersion: 3.9.7
InternalName: teracopy3.9.7
LegalCopyright: Copyright (C) 2022 Code Sector
OriginalFileName: teracopy3.9.7.exe
ProductName: TeraCopy
ProductVersion: 3.9.7
No data.
All screenshots are available in the full report
Total processes
181
Monitored processes
50
Malicious processes
5
Suspicious processes
7

Behavior graph

start #ADVANCEDINSTALLER teracopy.exe msiexec.exe msiexec.exe no specs teracopy.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs teracopyservice.exe no specs msiexec.exe no specs teracopy.exe no specs updater.exe updater.exe teracopy3.17.exe msiexec.exe no specs teracopy3.17.exe srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs teracopyservice.exe no specs msiexec.exe no specs msiexec.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs timeout.exe no specs timeout.exe no specs teracopy.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
648
CMD:
C:\Windows\System32\MsiExec.exe -Embedding BAF5B0FED89B36CBCC4107227E774BC3
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
PID:
736
CMD:
C:\WINDOWS\System32\attrib.exe -r "C:\Users\admin\AppData\Local\Temp\EXE95E6.bat"
Path:
C:\Windows\SysWOW64\attrib.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1192
CMD:
C:\WINDOWS\System32\timeout.exe 5
Path:
C:\Windows\SysWOW64\timeout.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1348
CMD:
C:\WINDOWS\system32\cmd.exe /S /D /c" del "C:\Users\admin\AppData\Local\Temp\EXE9597.bat" "
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
PID:
1472
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding 3476049D5B712B66D22D3C997DC7E5F7
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
PID:
1576
CMD:
"C:\ProgramData\Code Sector\TeraCopy\updates\Update\teracopy3.17.exe"
Path:
C:\ProgramData\Code Sector\TeraCopy\updates\Update\teracopy3.17.exe
Parent process:
updater.exe
User:
admin
Company:
Code Sector
Integrity Level:
MEDIUM
Description:
TeraCopy Installer
Exit code:
3221225477
Version:
3.17
PID:
1612
CMD:
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\TeraCopy\Context.dll"
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
PID:
2076
CMD:
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\TeraCopy\TeraCopy.dll"
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2216
CMD:
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\TeraCopy\32-bit\TeraCopy.dll"
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
PID:
2572
CMD:
"C:\Program Files\TeraCopy\updater.exe" /silent
Path:
C:\Program Files\TeraCopy\updater.exe
Parent process:
TeraCopy.exe
User:
admin
Company:
Code Sector
Integrity Level:
MEDIUM
Description:
updater 3.9.7
Exit code:
0
Version:
3.9.7
Modules
Images
c:\program files\teracopy\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\ucrtbase.dll
Total events
48 602
Read events
47 229
Write events
1 127
Delete events
246

Modification events

(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:
write
Name:
SppGetSnapshots (Leave)
Value:
4800000000000000B39CD517D752DB01B4180000BC170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:
write
Name:
SppEnumGroups (Enter)
Value:
4800000000000000B39CD517D752DB01B4180000BC170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6340) teracopy.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:
delete value
Name:
2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Value:
(PID) Process:
(6340) teracopy.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:
write
Name:
Blob
Value:
(PID) Process:
(6340) teracopy.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:
write
Name:
Blob
Value:
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:
write
Name:
SrCreateRp (Enter)
Value:
480000000000000027A19717D752DB01B4180000BC170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:
write
Name:
SppGetSnapshots (Enter)
Value:
480000000000000027A19717D752DB01B4180000BC170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:
write
Name:
SppEnumGroups (Leave)
Value:
48000000000000003201D817D752DB01B4180000BC170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:
write
Name:
SppCreate (Enter)
Value:
4800000000000000AFB5DC17D752DB01B4180000BC170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:
(6324) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:
write
Name:
LastIndex
Value:
11
Executable files
128
Suspicious files
274
Text files
314
Unknown types
31

Dropped files

PID
Process
Filename
Type
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\Roaming\Code Sector\TeraCopy 3.9.7\install\holder0.aiph
Type:
MD5:
SHA256:
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\Local\Temp\TES5920.tmp\tin5921.tmp
Type:
html
MD5:
BD0C0999B4F2E61F8A3473EECD9B2FA1
SHA256:
4B8562DDD90C18B241529B0AE05E233110AA1E2DF4BF4D6A9E2B5EBA9DD95D72
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Type:
binary
MD5:
86D35C019412061C10048DEF28839B47
SHA256:
1BE225C216CC961852495BA6BBA2404C59050930F980C6EA22FB62C2A8DECE4F
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\Local\Temp\TES5920.tmp\tin5921.tmp.part
Type:
html
MD5:
BD0C0999B4F2E61F8A3473EECD9B2FA1
SHA256:
4B8562DDD90C18B241529B0AE05E233110AA1E2DF4BF4D6A9E2B5EBA9DD95D72
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\Roaming\Code Sector\TeraCopy 3.9.7\install\D4CC796\TeraCopy.x64.msi
Type:
executable
MD5:
DABEE57E12E27FB24A74A47A85A0EB9B
SHA256:
6969ED5F4FDA49F505122F2B47DBB0F905B8CD763DC1DF20AF46C04E9BA77705
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type:
binary
MD5:
F68F23B391478F3FEBF398BA3B0E5AC1
SHA256:
C420056FC3A48186CAC5E36EA03C0E5BA1CAD9530CA7C9C3E73B0CB21D459EE6
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
Type:
binary
MD5:
E935BC5762068CAF3E24A2683B1B8A88
SHA256:
A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type:
der
MD5:
5B08A2717C6834D6230ED9E6F999BF20
SHA256:
27D6EBBA14EFDA3413C7B982BEFD74A0BEFD2B46AED48EA1F752B35B83557F3A
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\534B7EE50FA08B79E3BD07C2A811D271_904E94F57B1F9AECE4555FE54FDE6A07
Type:
binary
MD5:
602CE406794D933E46713D4673EA263D
SHA256:
26FD1C027CCC613685C7A9AD0A28D82CC86AAF4F48BD3A653445B4FCD46F91D2
PID:
6632
Process:
teracopy.exe
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Type:
der
MD5:
4B8A85AD8B4277E4C5EBA9C27F70F92E
SHA256:
00F66F3FDD72AA5543EB284787ABBB523A63030A4B0C5EBF65B37B96AAE81D15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
46
DNS requests
27
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1488
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1488
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6632
teracopy.exe
GET
200
172.217.16.196:80
http://www.google.com/
unknown
whitelisted
6632
teracopy.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
6632
teracopy.exe
GET
200
142.250.185.131:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6632
teracopy.exe
GET
200
142.250.181.227:80
http://o.pki.goog/s/wr3/afM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEGnzlHMwq4g1EGxgL3NwA%2B0%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6632
teracopy.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ5suEceKjAJbxseAmHFkQ9FrhTWQQUDuE6qFM6MdWKvsG7rWcaA4WtNA4CEGDY5MHBZYm8nFu5tUOh1lk%3D
unknown
whitelisted
6632
teracopy.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1488
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
104.126.37.154:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6632
teracopy.exe
172.217.16.196:80
www.google.com
GOOGLE
US
whitelisted
6632
teracopy.exe
216.239.36.21:443
codesector.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.185.78
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.155
  • 104.126.37.144
  • 104.126.37.146
  • 104.126.37.137
  • 104.126.37.153
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.google.com
  • 172.217.16.196
whitelisted
codesector.com
  • 216.239.36.21
  • 216.239.38.21
  • 216.239.32.21
  • 216.239.34.21
whitelisted
ocsp.pki.goog
  • 142.250.181.227
whitelisted
c.pki.goog
  • 142.250.185.131
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info