532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8

Resubmissions

09-06-2022 14:50

220609-r718pshbel 8

09-06-2022 14:38

220609-rzy4dadde2 8

09-06-2022 13:59

220609-raf69sggdk 8

Analysis

max time kernel
636s
max time network
620s
platform
windows10_x64
resource
win10-20220414-en
submitted
09-06-2022 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_FileViewPro_2022.exe
Size

1.3MB
MD5

5cb079f8ec885592c5538dbe0362d593
SHA1

a5702ea5dfd73c619ad2625e645b93e0a39b1451
SHA256

532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8
SHA512

8787a51f3e7eacfd5f507abdfacd58aef34a704d01f84c05ec8074cb77318d3b14223ff2ca3da399633ef82d3529266bcf3bb174bf746450697117915641fb90

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

Setup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWTNotifications.exeWinThruster.exeFileViewPro-S-1.9.8.19.exeFileViewPro-S-1.9.8.19.tmpFileViewPro.exeFileViewPro.exe

pid	process
4012	Setup_WinThruster_2020.exe
2288	Setup_WinThruster_2020.tmp
864	WTNotifications.exe
32	WinThruster.exe
2140	FileViewPro-S-1.9.8.19.exe
3240	FileViewPro-S-1.9.8.19.tmp
5032	FileViewPro.exe
4552	FileViewPro.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FileViewPro-S-1.9.8.19.tmpWinThruster.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Control Panel\International\Geo\Nation	FileViewPro-S-1.9.8.19.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Control Panel\International\Geo\Nation	WinThruster.exe

Loads dropped DLL 36 IoCs

Processes:

WTNotifications.exeWinThruster.exeFileViewPro-S-1.9.8.19.tmpFileViewPro.exeFileViewPro.exe

pid	process
864	WTNotifications.exe
32	WinThruster.exe
3240	FileViewPro-S-1.9.8.19.tmp
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
5032	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe
4552	FileViewPro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileViewPro-S-1.9.8.19.tmpSetup_WinThruster_2020.tmp

description	ioc	process
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-TU54S.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\PaintDotNet.Resources.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\Vlc.DotNet.Core.Interops.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-0JI42.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-DAQSL.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-79BFL.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Charts.v18.1.Core.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.XtraRichEdit.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\PaintDotNet.Core.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\ICSharpCode.TextEditor.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-POAQ6.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-N0U6V.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-PBRNT.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-L7M0T.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.XtraCharts.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-4LADO.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-NVHS4.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-IG1G5.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.DataAccess.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-VS29L.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-O3JSI.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-H45VJ.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-AJFPU.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-9Q7VB.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-3RBAO.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-D76NI.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-IFOMU.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-ASJAO.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-BNG0J.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\ImageView.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SevenZipSharp.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\contrib\quickOpen\browser\is-Q5FDH.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-GHGRN.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Wps\is-1CAAA.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-QO5VE.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-IQ04F.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Snap.v18.1.Core.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-FQ01P.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-FE9T3.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-81AMU.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-R0J4K.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Media.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\ICSharpCode.SharpZipLib.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-VQHCT.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-K5RNQ.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-44NB4.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\unins000.dat	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-LI12C.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\Word.Resources.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-SKG8B.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-E3QBE.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-ISBSF.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-IM79O.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Data.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.RichEdit.v18.1.Core.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-V8QBO.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\language\typescript\src\is-F6SUA.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-K4GMJ.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Torrent.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-DMVFL.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-0U1GE.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\contrib\suggest\browser\is-H3M2H.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Docs.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Pdf.dll	FileViewPro-S-1.9.8.19.tmp

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinThruster.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinThruster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinThruster.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

592 schtasks.exe

pid	process
592	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "360955874"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6aa8dc891250d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{4E5DF25C-2317-4239-A427-D23833CF01F7}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = b09bb8609e9fd801	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "361575330"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 772725ee217cd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ca1b69f2217cd801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

FileViewPro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe
Key created	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	FileViewPro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3578829114-180201921-3281645608-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	FileViewPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup_WinThruster_2020.tmpFileViewPro-S-1.9.8.19.tmp

pid process

2288 Setup_WinThruster_2020.tmp
2288 Setup_WinThruster_2020.tmp
3240 FileViewPro-S-1.9.8.19.tmp
3240 FileViewPro-S-1.9.8.19.tmp
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3204 MicrosoftEdgeCP.exe
3204 MicrosoftEdgeCP.exe
3204 MicrosoftEdgeCP.exe
3204 MicrosoftEdgeCP.exe

pid	process
2288	Setup_WinThruster_2020.tmp
2288	Setup_WinThruster_2020.tmp
3240	FileViewPro-S-1.9.8.19.tmp
3240	FileViewPro-S-1.9.8.19.tmp

pid	process
3204	MicrosoftEdgeCP.exe
3204	MicrosoftEdgeCP.exe
3204	MicrosoftEdgeCP.exe
3204	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

WTNotifications.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeFileViewPro.exe

description	pid	process
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeDebugPrivilege	672	MicrosoftEdge.exe
Token: SeDebugPrivilege	672	MicrosoftEdge.exe
Token: SeDebugPrivilege	672	MicrosoftEdge.exe
Token: SeDebugPrivilege	672	MicrosoftEdge.exe
Token: SeDebugPrivilege	2208	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2208	MicrosoftEdgeCP.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3336	MicrosoftEdgeCP.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe
Token: SeDebugPrivilege	4552	FileViewPro.exe
Token: SeBackupPrivilege	864	WTNotifications.exe
Token: SeSecurityPrivilege	864	WTNotifications.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Setup_WinThruster_2020.tmpWTNotifications.exeFileViewPro-S-1.9.8.19.tmp

pid process

2288 Setup_WinThruster_2020.tmp
864 WTNotifications.exe
864 WTNotifications.exe
3240 FileViewPro-S-1.9.8.19.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WTNotifications.exe

pid process

864 WTNotifications.exe
864 WTNotifications.exe

pid	process
2288	Setup_WinThruster_2020.tmp
864	WTNotifications.exe
864	WTNotifications.exe
3240	FileViewPro-S-1.9.8.19.tmp

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Setup_FileViewPro_2022.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeFileViewPro.exe

pid	process
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
672	MicrosoftEdge.exe
3204	MicrosoftEdgeCP.exe
3204	MicrosoftEdgeCP.exe
4552	FileViewPro.exe
4552	FileViewPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_FileViewPro_2022.exeSetup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWinThruster.exeFileViewPro-S-1.9.8.19.exeMicrosoftEdgeCP.exeFileViewPro-S-1.9.8.19.tmp

description	pid	process	target process
PID 3152 wrote to memory of 4012	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 3152 wrote to memory of 4012	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 3152 wrote to memory of 4012	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 4012 wrote to memory of 2288	4012	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 4012 wrote to memory of 2288	4012	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 4012 wrote to memory of 2288	4012	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 2288 wrote to memory of 864	2288	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 2288 wrote to memory of 864	2288	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 2288 wrote to memory of 864	2288	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 2288 wrote to memory of 32	2288	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 2288 wrote to memory of 32	2288	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 2288 wrote to memory of 32	2288	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 32 wrote to memory of 592	32	WinThruster.exe	schtasks.exe
PID 32 wrote to memory of 592	32	WinThruster.exe	schtasks.exe
PID 32 wrote to memory of 592	32	WinThruster.exe	schtasks.exe
PID 3152 wrote to memory of 2140	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 3152 wrote to memory of 2140	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 3152 wrote to memory of 2140	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 2140 wrote to memory of 3240	2140	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 2140 wrote to memory of 3240	2140	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 2140 wrote to memory of 3240	2140	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3240 wrote to memory of 5032	3240	FileViewPro-S-1.9.8.19.tmp	FileViewPro.exe
PID 3240 wrote to memory of 5032	3240	FileViewPro-S-1.9.8.19.tmp	FileViewPro.exe
PID 3240 wrote to memory of 5032	3240	FileViewPro-S-1.9.8.19.tmp	FileViewPro.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 4148	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3204 wrote to memory of 5092	3204	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\{52953A73-A761-4F2B-8FD7-E7CC1D788956}\Setup_WinThruster_2020.exe
"C:\Users\Admin\AppData\Local\Temp\{52953A73-A761-4F2B-8FD7-E7CC1D788956}\Setup_WinThruster_2020.exe" /verysilent /LANG en-us /scan
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\is-22IQN.tmp\Setup_WinThruster_2020.tmp
"C:\Users\Admin\AppData\Local\Temp\is-22IQN.tmp\Setup_WinThruster_2020.tmp" /SL5="$601D6,4683560,721408,C:\Users\Admin\AppData\Local\Temp\{52953A73-A761-4F2B-8FD7-E7CC1D788956}\Setup_WinThruster_2020.exe" /verysilent /LANG en-us /scan
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2288

C:\Program Files (x86)\WinThruster\WTNotifications.exe
"C:\Program Files (x86)\WinThruster\WTNotifications.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:864

C:\Program Files (x86)\WinThruster\WinThruster.exe
"C:\Program Files (x86)\WinThruster\WinThruster.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:592

C:\Users\Admin\AppData\Local\Temp\{38CE2897-08CF-4877-9FAC-566DE81484AB}\FileViewPro-S-1.9.8.19.exe
"C:\Users\Admin\AppData\Local\Temp\{38CE2897-08CF-4877-9FAC-566DE81484AB}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\is-8NF94.tmp\FileViewPro-S-1.9.8.19.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8NF94.tmp\FileViewPro-S-1.9.8.19.tmp" /SL5="$103B0,60311066,131584,C:\Users\Admin\AppData\Local\Temp\{38CE2897-08CF-4877-9FAC-566DE81484AB}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3240

C:\Program Files\FileViewPro\FileViewPro.exe
"C:\Program Files\FileViewPro\FileViewPro.exe" /restartWithNoAdminRights lang=en-us
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:5032

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Program Files\FileViewPro\FileViewPro.exe
5⤵
PID:4592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1488

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4224

C:\Program Files\FileViewPro\FileViewPro.exe
"C:\Program Files\FileViewPro\FileViewPro.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinThruster\Cookies.txt

Filesize
104B

MD5
bf6c156441320d21440afc65a6bcf77d

SHA1
b04bb3fa963147218ef2c79e96a5a3e1d899e94d

SHA256
502f9fba9bba2ca5f57a3a0ea7efcee4731c98dcd2ea0fcec21059b11ddbf352

SHA512
dba0389aa9a68787f638712f321753d5933a3a9b714358ef780796f8e0a1bece21e113a88626e760c6023c3f03ee18ca138bc3a6962925282a0efbaf92a40474

Download Submit
C:\Program Files (x86)\WinThruster\English.ini

Filesize
52KB

MD5
9d67438ebe4d267c8c0a9b6656b40294

SHA1
6ec736d8721d30f952a02fbce1f63c95a92a3f0e

SHA256
1a61d60a3fc792dac412f76cf33273401659bf9e84bc085dcbdbd3779129d0bf

SHA512
d9d2114ae32eb9c383bd62f4695acad04fe22ac0c7269437868daba9ceae61fae5bf11a5caf7138c36abb37fdfe7f4088a7540e60f8cc492e179af7b3c6678d7

Download Submit
C:\Program Files (x86)\WinThruster\SList.txt

Filesize
72KB

MD5
509c709bc9529cd80c9ac6cb552a1ba5

SHA1
5aa7f857d631b3c8f9adeb381db3d8d0ecc07ce7

SHA256
f85fc4c0e93aa9418ac9a6352a238315e439e3599853296291fad32dd7d20890

SHA512
38bab4d3588e578af84fcce22e297ce2606790d8433c14f771057ffa0504ec66ecf8099621071d692c15dc9c3eb5400ba0ffb5d65774dc42e7eb597a41023ccf

Download Submit
C:\Program Files (x86)\WinThruster\UList.txt

Filesize
9KB

MD5
fa2811cbca1472fe27e16e1a329c4450

SHA1
6bcc1160764615b8e258022c7c2b41b24a7e5043

SHA256
ae43318e7b7776cf59a77d597aa4829fffae130b6b14a980358451e3c71d7466

SHA512
c1cb3a56be8b410da14345aa672f546cdbb64d119d48c2c033ad3ba93d8c87abc96ad3faa9b7494c8393454599a74c6d818361bddf539fa7e0f4c768e907af6a

Download Submit
C:\Program Files (x86)\WinThruster\WTNotifications.exe

Filesize
3.6MB

MD5
e70dbb88489ebeb7b2ee06de070d6144

SHA1
4315555bbfc2b055e92ca8f43d5b4d275c9c6522

SHA256
03447ae8862d0a82bb47c8009bc17e29179bce8d9ec527e62a4acaade36c60ba

SHA512
5ecc5fefbf71180799860e85eee5944006059a1ca3399be76b2349dd099ee61ad0e8b61991686b69253cf4bd6d2810d0288528d1e4aeb82295017546a8921a53

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
C:\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
C:\Program Files\FileViewPro\DevExpress.Data.v18.1.dll

Filesize
6.4MB

MD5
75e4c5f9581ef853d787961cf4f8830f

SHA1
04615d07cd402692f5c1a35474fc9ae01a1cb3cb

SHA256
a12b4168dcd3692fb8a68382c3d9413351c9d2c543b2d2061064de7994787209

SHA512
02efcef0a7250db93322c2c241a0f120985a730479517793fa8cbce8f0bfed3103bb2a22bde751b8fd333a89e6f85ffd3ebad821d1155d9d82c5f681f213a12b

Download Submit
C:\Program Files\FileViewPro\DevExpress.Utils.v18.1.dll

Filesize
12.4MB

MD5
c5420b084a69cc5783d15bd9ee77d707

SHA1
ed47a4da79ce18af598a416633f4b9d9a032464e

SHA256
1a610b808c07247c0662b829fa703c5068f361194c301594b9594f414e0ebe84

SHA512
53994e509c56ac9435bcd06dc1341b589dc168ed5df2ebe13d2ca43cd50278e898768b1b5b65596542831b68d922612d3896c74d4dae8da829f5f0512905cb4e

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe

Filesize
739KB

MD5
daa97924499885155278a306d3cd32d8

SHA1
5a315a56db58342c3d18dc73128492a67499c528

SHA256
a78a50b913083c2f3941035e19e48d0c895a1304365d202e491bc780bc9888f6

SHA512
b67f86e2fa693c31e974cefbc0c7c4610ffb6445fed0da3ee62549d6fca1655d23ed24e6fca9aac7dd15702e09f2ab0995df2f2297bfb18928cd8c117b9cc242

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe

Filesize
739KB

MD5
daa97924499885155278a306d3cd32d8

SHA1
5a315a56db58342c3d18dc73128492a67499c528

SHA256
a78a50b913083c2f3941035e19e48d0c895a1304365d202e491bc780bc9888f6

SHA512
b67f86e2fa693c31e974cefbc0c7c4610ffb6445fed0da3ee62549d6fca1655d23ed24e6fca9aac7dd15702e09f2ab0995df2f2297bfb18928cd8c117b9cc242

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe.config

Filesize
3KB

MD5
4e73c4ff8ea09cdc528e5eea378b9c89

SHA1
e3974580154b5897441a68b3a14bae74fbfab14d

SHA256
7c90b0bbb693a95518b394ff9fe96f975b1290cf51c017a4a8b5ef669d91e916

SHA512
155962cd814ded2d3d4d4120e8f5774fc381fdb8bf2aecc04e2c0ac84ea2079428f34f60890ad78c627164d33c7f82517750a116e70b00e1aea6e79ae8c32ce3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\9IG55ERY\gtm[1].js

Filesize
134KB

MD5
cacef5b7eaeb974040542051d72df074

SHA1
23469397c7f915c1b6a97c543640752af279b70a

SHA256
370622f2d9876393cb0a36d9bb67ca21ada989ec1f5868b903724a33656eb870

SHA512
67301f18434e1340f283b707b9b3b407e60e4c8b4b340ef66e50bda1c2487d20e6ece1a2d21e0154dbcefde73af73246272507511ff39c132ccf6f84ecfceb97

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\9IG55ERY\logo-microsoft[1].png

Filesize
4KB

MD5
c044dc3cc00d1b97c81f6d454b97b961

SHA1
8d62e0ad00adb37d846a0d8f9c2c77ebb3390e20

SHA256
11c8b6dbd67ab9c414491108e5f2282c66c9f232deef702887330f7acde3d80c

SHA512
16abd55c0b403e6b1e80c6f4ced9eedc7baa79a68bb023048dd14a133e9b505b5cd9e50bc8bc9e567c27777917859c64c121945b3a8ce422a5641781e4b1d43d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\9IG55ERY\m=bootstrap[1].js

Filesize
16KB

MD5
6b84dba534a9173348dae6660be86858

SHA1
d0c23674e82a6077510d6d892c3f37aa706d639b

SHA256
3e64ff52c3dfbc35f1a843780b3c7da5e0097ac0b363b6a86331b604b2173f5f

SHA512
fa28d655ae9f05ad19747ccbbef1ca42b2ac594ab922b8e0423fdd77877af4034f0e1e2d077f961376a0532d00a58715d8ad2cc2b15fed3edde01e52ab605da4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\L1LVEPP4\js[1].js

Filesize
573B

MD5
09839e145943204382aea151c29e0a26

SHA1
fd09f60aa1b928f988323763ac51876469dcd88a

SHA256
e9c2c7062b0b741bb7ccff7f9f82eaf7e6f655a9f147e6bd04597bc8ee7e910d

SHA512
cc9957f055445e64d23b67407619bd5f0aa1c01d8e8704048833bea00ac7ecab13f4217c1b4af5edc849a8053d261da492ecfbf069a747ec6472cb2a40fbe69d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\L1LVEPP4\mobile[1].css

Filesize
5KB

MD5
874af21836b8ce61bb76ccbd196eccb3

SHA1
1468ead6c984a9d2754b0d17a3edb5d87be55e7f

SHA256
61ea387aa104d550f9a9d77e82021abdf911f3d1b4b3b59c81afec583dfc6add

SHA512
3e69445244008955eb97a7c37fd32d3ddc0d127aee27ddcf47b297149f7469488d2b6f887f0c34d310f365776a9c4900da6e0e71b57d9549c4094799e9edc8ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\1[1].js

Filesize
18KB

MD5
72954309dddde9cece4d47a59225a72c

SHA1
442f33a6ccb5fe07a0b8a3d864fc1b3ad5dabc85

SHA256
ee01d40bfdd77aba5652b3ff93095712b618a6a2cc2637828bd875979cfe9cb8

SHA512
94109d46cad3913fec9013ab7a5329238440d0186dea09f6c2894c6dd0aadd70854c051921eb3dbf551dfd3c8428b49286bf946a133de8a29bdd89d020b2927c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\buttons[1].css

Filesize
3KB

MD5
6fa6330e4b8f94ce0a0a2a9d58cf5fc1

SHA1
5d2e2d2013e3d743aa7a44e0d72ba7e08054ddb3

SHA256
8ce8f98d6f281b966c0f85f552785e2c547864ada3f7c65613bc8ec5c735aca3

SHA512
262c179eef648262e7debf2a34af5196b6a272ffa2a508385aecc0cbe3363668ff816f9f644a9f04577aaa188d5fa405a164484a2f42b4983bfc0e53b58ded00

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\icon-facebook[1].png

Filesize
257B

MD5
319e24d01c7396a2b786e0abeaecb789

SHA1
4b8940fd182d365513fe8515c1bf8c99418a8038

SHA256
5801b5e6d8e9bd9dd6861a82d487417131493f01936f64462bbae3a7cbec2ffb

SHA512
26703cff0b6ef80bcc8d49bc21fdb6d0931558e6b72b9e0991f5822f031435a29c8126f39c20534a349d6adf57c76cd10450d8a929dcaaaa3e7ae32aae89cc93

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\icon-mail[1].png

Filesize
321B

MD5
a71ab656fa33d48729ca658ce1fa89d5

SHA1
f7d39474cee1adb481747a15d0f9802eb8d2fb93

SHA256
776bd7578036ca0a54f2dbb97e53b0df6dad7743141db8a4bbb0c59ae04af560

SHA512
51b456c8712752094997c9bca40f10132f4462945df48a2de6a3443b8bd72362cc26aa774d2af865cf9ff10feef89901fcd1d859b9007b06a25df50cb6aa3bb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\icon-rss[1].png

Filesize
350B

MD5
46c3df82292d0710bfecb77ff76212cf

SHA1
07cbe46b0ddbf146f5f9db798a0f223adf48f216

SHA256
bb25091603de1fc8f612ce87c9b26c0606711314123f4fa4870ac5986764d740

SHA512
373ad43fea50ccd5707bfcaef6a31a8ed6bb9f51b3d360781755143e467b5885bf28501baa16c25b3e26813c6c703a6d7f3b1e2ef7dc4beece6d1911d70835f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\icon-twitter[1].png

Filesize
318B

MD5
b7f001f77586c71af5e87308132b70bb

SHA1
60d6e68a55c7683d091815b3386bc36c5c303778

SHA256
78717dcf02720236aca0baeab28d64c520100c0f9fc9d4b5f6f89ff1ea5a0e29

SHA512
0eff22db70447fc5ac787f4e2e9c873e23324df48ab26ad2fb89219fc740ddb637e67db5f0811c981f70e7f4135fc5f360acc833acd54a3925d3775ae2b5ae76

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\jquery.cookie[1].js

Filesize
3KB

MD5
20a0023596a032da17c48c7ffe08087a

SHA1
63863462d721d103bcbbb2e1e543f8cd4bd6f335

SHA256
4ba03e57203ea578ec51f56d317a69cc2bb83af0933780683890fd9e046b66e5

SHA512
938c0d755e0bd20b3e6c2f3c1d21738c6e94c63070f350bdb65d70a5e7474608380897abb0466369c0955b22b669ca744159287dbcd5a12e3c3f00b067088eae

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\THCFLAH3\logo-bbb[1].png

Filesize
6KB

MD5
1f14083795ce07522c49572733dbf5f9

SHA1
03fbf8fe881ff0b669b959a8f4f922c15069278d

SHA256
c075c39f0b1077dd012b5d270f8a6c39ef94552cd201e5a8901476a3762615a1

SHA512
57c89dd58449074fa1854251e677549c40d09aa492ebdc91fe2dd0a73bf4dbb41ad72d09281d56f347ca30109adf770cbf5e81ee9c9cfde8fb90c365cbcf62ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UBO4JM8C\960grid[1].css

Filesize
4KB

MD5
8cabfe7b15477b4c9a7f939cfdc968b8

SHA1
acbb36eabedc84cb9d6dfbada4812934a55b007a

SHA256
1f04fb766cd3735879c21bf158f1b9b7059e225d93a77b0d77b4b6e14eb635ef

SHA512
71491722c2c3873b2e48e5b6025b8f689cd519dc90f65db4cef5d6aa8c13138fc164d3b197957a8d5d59912d448026a0ccb0597d05b45e414c039ae2f401bd24

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UBO4JM8C\logo-apple[1].png

Filesize
5KB

MD5
cd1683a092638f189f378e64f9c973e3

SHA1
823b6bd855f652d75e0a3116188ac90cd27eacac

SHA256
1ef937a68518d6ffb3396e0bbb09534c18a24deaf1c81ac81a1a9d3b1e90a3c3

SHA512
5512df4e1f9f98479a5650b725103352335c35cd380b8e9fec77bc42881c07afd9bf19ef9e963285ffc91db7def23835baa212f01e927209bf52e0804f85ebf1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UBO4JM8C\logo-asp[1].png

Filesize
9KB

MD5
f4f64524a8771cb50897b6a242310637

SHA1
89c9550ca62ed3560d81012390b98c6db207e53c

SHA256
1d0282d7602159d4d54d642dd1a117f2b7dcf73a9b76c71934c486ac81143f66

SHA512
e981aefdfa42210c080664d9b0f40aa7d91608d36df4735bf01c18a1000e2aa1e96aa15702cd7bc575e2694493ba727c50a35acb204a03e43cecfdf890ceccf3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UBO4JM8C\logo-ibm[1].png

Filesize
6KB

MD5
fbd3b7b75706e9e9044fe61666fcafaf

SHA1
a997e55dcb03a61b29c192b768aa6001909a9146

SHA256
d5bb85e989103d177d3e0b276b31b8a6bd6820d357e0a4385d56d341b5a54090

SHA512
e13051645fca88e1d07edc5a0effe1e5fdd4d3e66d757928bd822191ec64c6c7b18f35c217f2c10269ec8efc01f1d3fbc73215da60facee9fe0d55dd3d116746

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
92f1479b24aa5c7c85e3831cef526f69

SHA1
9e28c1100c5a30dfbe0196e9102567ca2e1876c6

SHA256
a324ac7fc8dbcb803d00638e32b950f8fb8eecbf3d257a192b1a9e3ce5e3199c

SHA512
ae612a5e04c4e0eec69e289f5f044c5499a8e39b576b61364f293376ed539df5fd962024aa126fc35f835eaa0439605ff3cd54f49f2a81bb9b0c90c33a404878

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

Filesize
1KB

MD5
2030ca4811f86e5e8b911a01166c1fb5

SHA1
d49d726beeaeea8bd4e8735b7238a0b1fc2ee6d5

SHA256
ba4ebac4db24a8e1ce5f0c8384b8e4f646bee6cefad72cd28a55d5acec759bc1

SHA512
820dae48db5ddafbf0c20b426bdda6369201fdbce75bbfac1e31415a7699aaaef9a51c946acfd6b0408a6bfb9f4096f9838877035376f91c56fac641ad836267

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

Filesize
1KB

MD5
d5f6c34263d0c3c9d234afa1a2a355c6

SHA1
88bb6c2934f6f0f991627df42d44a4ff213c9b1f

SHA256
cbed688545a35b25aed2ce2fd3ca23efcc4f5f6086a03ce1ef469564f797fd76

SHA512
4b061d9020b5c69a73d549081640941929a753d5a481829e51294003d09add19683b756d4f8688b67d89386a4bb1d13ad6490085166945d088e687a8e75b82a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d36fe404b07e9948b7a512bfa1897866

SHA1
6370493126a800df6c653e042de19c3a61ddf0a2

SHA256
13926effcdef20b17c5a332671b09f48eae5f89f11745b76f762903707c9d5ce

SHA512
8e2aac5dd8bc4e7fefc7757685cb3e42613ba590bfa115dffef5c90ae28c4e803b214d3ead8c59f10af1190e7ed56fd94a361f715c1d686204dbbdbe0e9fa502

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
1KB

MD5
95af78c9d9437ac49ef5042985693e58

SHA1
6001daa27547f0a076792ecf2e0ec622e6497b02

SHA256
49f5874c333d1149dd29ca6c56761de9b76df34fb6bc1d9cf5015b13cb79efd0

SHA512
0e26841a06d97e5d7aebc76d7b622cd5bb6d8be638268ee5631701c1db7abb6134c49e4204e1437e16b025cc25c3e44415106d118f4c1692dd711f08e41ac126

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
25502697c284f70e4ccb1e1f44496a6f

SHA1
f77c6928a81684fd6489e4ab5cee55bcd25d2050

SHA256
81ece3eb4f4ec83ff1fe03f680819ed1968317eb8e2167f3cfb8760de4c10c90

SHA512
1820871431cfb5cc23e296fef9c89bc69deb1c485ef49263517957bb9770d0025dea2787563b74866c2f1f7f29bb899f378ab526d053eb65e1067aa204e28889

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97ED

Filesize
471B

MD5
22fc65f73e1c2d2b6a7f73ff05c815fb

SHA1
d001146b9b07ec3d2d6e226d9aa93d336cadfcf0

SHA256
40abe50a3a996abdc540890e45567b9dc9ec50d291f53f44e53111f5a6b67a89

SHA512
4948b797b32a42dff6a090e64d0bd1c30dba4ccce718b5fde2fb9e906760ff5b4db3de5981359fef330e36b886f77dd8f58b485407d2e85951cae2d7a4a7ac18

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_08B7EC0AC9F6DDEA27ED42EBBDBABDDB

Filesize
472B

MD5
04fd9b8c7687289f29c604899e29988a

SHA1
7e271d2308c8a98fb03fdbf8e867110ef20437d3

SHA256
590097901dd5aca5a2eb67c8a9597437ec23609152ebeab06789a28fd159efd4

SHA512
2cdd2986437dfd7b53a59f5af53a3943494ec6c74714d9e4e1cbcd917ef540e3b6ea6bc3b4a18351c3e00ba747e6c15e042683bda19c2d0ab4a61b9045a9626f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
47d4a71cf18539967439e783650914ba

SHA1
c49b074044f7b7f1d2b38290f415ab86a518ba7b

SHA256
bc077a621b2079decda13f1a0b176bd5777545b93dd716badc1608e57e0a64c2

SHA512
24564aa303cd4f8441e1bcc3f643e36972ce710c4cf7ed662ffa55b0277ff488e1bf910e84d9af2d95e83ed40faa58c9c34844fda10a68e090ca3407124b498e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

Filesize
434B

MD5
a7e538dbaad5d3b5b4af167471ccd039

SHA1
ef30ec3668a01e86287bf19de0f7973a9144b558

SHA256
a7cb48effe99d48c6e572ee25bdba09b8c3c3181e59721ee018a767473de9b0f

SHA512
038feb0b5fc4e6bc42d00de94822847aa820d968a50b73629f2c5554808ee34638cde6816c4433e4e8f177837dc340809abc9cff1de286ac3676d1798867e40e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

Filesize
442B

MD5
c9daf73292918e2d5e9af2bae21a9dec

SHA1
408172fff0a51f05a5b94b75ec72ca198c88d73b

SHA256
35f31713de6fc75e9eec9de242ad4a106acfbc33b79b444eb0a25fcb51185568

SHA512
d9c7ea81be5bb2ab814b4c10c844454a8eea73c8d3b5ef745a44260ee39275112ec30f2b116a39c9881a707ab3886ffc99492a496d9ba72a783a0c14e5b144aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
a850fb676f5d9ab86afbf484a9534f22

SHA1
bf0b459278c436f84fef55d2190c9cd83dd92bb0

SHA256
7b43a6812c8c45f73566e951d6abc96c146a4d3c5ed1056ae8c0517ecb96e4bb

SHA512
852ff0139b13b53e84190fcac4c75db521095335e044394a8745fad4cdd98f14769e53be30c85fe42ee7e15f0887106a54624ccfec8f9d295452a6665f819727

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
f76773d24b1bc54d52c3856fe24ee283

SHA1
da7f171b5e9d302b49f612f50aca9606ba185820

SHA256
be9eafb722423d27dda5e0a23638a3a7d937d26f6007ad1eff6c5b00c4ba2b6e

SHA512
672b5227021122305e23637468c88e7225f64e91df2bac902265a7792a0895ce0c0f5d6119a26cf73d8e94be746b7beb32ca66be0ab6788e90cecc0e28492dba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
e519f531044b6a2f87cec42fecf4e794

SHA1
b20f0870fe0327481bacc7c28e2da448c29f7237

SHA256
e8e7d400e3262a30dae6893540b40a730a6d0391ee633f5f41744067868ba50a

SHA512
4725259b88bc048ad561625f6583e39ec407e5b8d5adc959102f4c139b67738cdef4fa1dad3665542703a970878a0e1a6a42e793f1050ff4a8fd9076a28580e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
552fa95484b4da914d8b198aee49ea12

SHA1
45a85269c7a0f9f5bd807c30b8d5911bf950cbbb

SHA256
e742fb0b77a43a6eb7e61e91da91b8f261774827ea96d39ceb8775c583a15c53

SHA512
0d3b2698eeb1c9366029864b9aba09851cbcaab1e232e0d2f93bd58528714f556cbadb0de72ef7b24c59f4b65cc63ad8f702b21b8569091e328c4b37922f5201

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97ED

Filesize
430B

MD5
8d63620ab2947deda064c48b7e961b8a

SHA1
c0123b51a0b6cf5968be0eed293ca77a3297f253

SHA256
2a6635c4a0c67bd821f0fe309fcbf8a55d88321e7f432a61740ffe8a67a9e425

SHA512
fb4fc0f6e6463a6a5bb715221dacdabf5ed8e75703ed7e1b460b64e746c636824f2cecf562974321abb401b1f31b582ac0e83a6c27acb66d6aca8e58617e8a41

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_08B7EC0AC9F6DDEA27ED42EBBDBABDDB

Filesize
406B

MD5
ef319fb3f9ff74136a286fcccd0a790e

SHA1
6ac52136b70832a7cf666e8198188719623c6db2

SHA256
d2c710b2a1d610cf7f39df48b72815237d683ea967c89344cb66b5a38e107539

SHA512
77f56fb8f0554d2f76ac4a278eca49e871d3fb251f0cda1260c3b35abf908fa5c906df74251aa83ba36056da5aba3d0d3115420a7efa1bfe90e1975ac481b22a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-22IQN.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-22IQN.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8NF94.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8NF94.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38CE2897-08CF-4877-9FAC-566DE81484AB}\FileViewPro-S-1.9.8.19.exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38CE2897-08CF-4877-9FAC-566DE81484AB}\FileViewPro-S-1.9.8.19.exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52953A73-A761-4F2B-8FD7-E7CC1D788956}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{52953A73-A761-4F2B-8FD7-E7CC1D788956}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
\Program Files\FileViewPro\DevExpress.Data.v18.1.dll

Filesize
6.4MB

MD5
75e4c5f9581ef853d787961cf4f8830f

SHA1
04615d07cd402692f5c1a35474fc9ae01a1cb3cb

SHA256
a12b4168dcd3692fb8a68382c3d9413351c9d2c543b2d2061064de7994787209

SHA512
02efcef0a7250db93322c2c241a0f120985a730479517793fa8cbce8f0bfed3103bb2a22bde751b8fd333a89e6f85ffd3ebad821d1155d9d82c5f681f213a12b

Download Submit
\Program Files\FileViewPro\DevExpress.Data.v18.1.dll

Filesize
6.4MB

MD5
75e4c5f9581ef853d787961cf4f8830f

SHA1
04615d07cd402692f5c1a35474fc9ae01a1cb3cb

SHA256
a12b4168dcd3692fb8a68382c3d9413351c9d2c543b2d2061064de7994787209

SHA512
02efcef0a7250db93322c2c241a0f120985a730479517793fa8cbce8f0bfed3103bb2a22bde751b8fd333a89e6f85ffd3ebad821d1155d9d82c5f681f213a12b

Download Submit
\Program Files\FileViewPro\DevExpress.Utils.v18.1.dll

Filesize
12.4MB

MD5
c5420b084a69cc5783d15bd9ee77d707

SHA1
ed47a4da79ce18af598a416633f4b9d9a032464e

SHA256
1a610b808c07247c0662b829fa703c5068f361194c301594b9594f414e0ebe84

SHA512
53994e509c56ac9435bcd06dc1341b589dc168ed5df2ebe13d2ca43cd50278e898768b1b5b65596542831b68d922612d3896c74d4dae8da829f5f0512905cb4e

Download Submit
\Program Files\FileViewPro\DevExpress.Utils.v18.1.dll

Filesize
12.4MB

MD5
c5420b084a69cc5783d15bd9ee77d707

SHA1
ed47a4da79ce18af598a416633f4b9d9a032464e

SHA256
1a610b808c07247c0662b829fa703c5068f361194c301594b9594f414e0ebe84

SHA512
53994e509c56ac9435bcd06dc1341b589dc168ed5df2ebe13d2ca43cd50278e898768b1b5b65596542831b68d922612d3896c74d4dae8da829f5f0512905cb4e

Download Submit
\Users\Admin\AppData\Local\Temp\is-5OHM3.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
memory/32-350-0x0000000000000000-mapping.dmp

Download
memory/592-529-0x0000000000000000-mapping.dmp

Download
memory/864-347-0x0000000000000000-mapping.dmp

Download
memory/2140-534-0x0000000000000000-mapping.dmp

Download
memory/2140-723-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2140-655-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2140-597-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2288-278-0x0000000000000000-mapping.dmp

Download
memory/3152-174-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-157-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-137-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-136-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-117-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-118-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-135-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-179-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-134-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-133-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-132-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-131-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-178-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-177-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-176-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-175-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-138-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-139-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-173-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-171-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-172-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-170-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-169-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-130-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-140-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-129-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-168-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-128-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-141-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-142-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-167-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-166-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-143-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-119-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-144-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-165-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-127-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-126-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-125-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-164-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-124-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-163-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-161-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-162-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-160-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-159-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-158-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-145-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-146-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-122-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-156-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-155-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-123-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-116-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-154-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-153-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-147-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-121-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-120-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-152-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-150-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-151-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-149-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-148-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/3240-588-0x0000000000000000-mapping.dmp

Download
memory/4012-383-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4012-236-0x0000000000000000-mapping.dmp

Download
memory/4012-279-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4552-1170-0x0000000006520000-0x000000000654E000-memory.dmp

Filesize
184KB

Download
memory/4552-1173-0x000000000C3E0000-0x000000000C9E4000-memory.dmp

Filesize
6.0MB

Download
memory/4552-1172-0x0000000008180000-0x00000000081B8000-memory.dmp

Filesize
224KB

Download
memory/4552-1171-0x000000000BDB0000-0x000000000C3D4000-memory.dmp

Filesize
6.1MB

Download
memory/4552-1169-0x0000000006550000-0x00000000065AE000-memory.dmp

Filesize
376KB

Download
memory/4552-1075-0x0000000000000000-mapping.dmp

Download
memory/4552-1174-0x00000000081F0000-0x0000000008210000-memory.dmp

Filesize
128KB

Download
memory/4552-1183-0x0000000006470000-0x000000000647C000-memory.dmp

Filesize
48KB

Download
memory/4592-1019-0x0000000000000000-mapping.dmp

Download
memory/5032-829-0x00000000054A0000-0x00000000054C0000-memory.dmp

Filesize
128KB

Download
memory/5032-825-0x00000000080B0000-0x0000000008712000-memory.dmp

Filesize
6.4MB

Download
memory/5032-990-0x0000000005980000-0x00000000059D0000-memory.dmp

Filesize
320KB

Download
memory/5032-991-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/5032-1001-0x000000000F380000-0x000000000F40A000-memory.dmp

Filesize
552KB

Download
memory/5032-1002-0x000000000F4E0000-0x000000000F5AE000-memory.dmp

Filesize
824KB

Download
memory/5032-1010-0x000000000F900000-0x000000000F91C000-memory.dmp

Filesize
112KB

Download
memory/5032-1011-0x00000000098E0000-0x00000000098E6000-memory.dmp

Filesize
24KB

Download
memory/5032-1012-0x0000000004DB0000-0x0000000004DB6000-memory.dmp

Filesize
24KB

Download
memory/5032-799-0x00000000050B0000-0x0000000005106000-memory.dmp

Filesize
344KB

Download
memory/5032-693-0x0000000000000000-mapping.dmp

Download
memory/5032-747-0x0000000000230000-0x00000000002EE000-memory.dmp

Filesize
760KB

Download
memory/5032-754-0x0000000002680000-0x00000000026D8000-memory.dmp

Filesize
352KB

Download
memory/5032-755-0x0000000009350000-0x00000000093EC000-memory.dmp

Filesize
624KB

Download
memory/5032-758-0x00000000098F0000-0x0000000009DEE000-memory.dmp

Filesize
5.0MB

Download
memory/5032-815-0x0000000005D90000-0x0000000006A02000-memory.dmp

Filesize
12.4MB

Download
memory/5032-760-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/5032-788-0x0000000002740000-0x000000000274A000-memory.dmp

Filesize
40KB

Download