532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8

Resubmissions

09-06-2022 14:50

220609-r718pshbel 8

09-06-2022 14:38

220609-rzy4dadde2 8

09-06-2022 13:59

220609-raf69sggdk 8

Analysis

max time kernel
359s
max time network
366s
platform
windows7_x64
resource
win7-20220414-en
submitted
09-06-2022 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_FileViewPro_2022.exe
Size

1.3MB
MD5

5cb079f8ec885592c5538dbe0362d593
SHA1

a5702ea5dfd73c619ad2625e645b93e0a39b1451
SHA256

532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8
SHA512

8787a51f3e7eacfd5f507abdfacd58aef34a704d01f84c05ec8074cb77318d3b14223ff2ca3da399633ef82d3529266bcf3bb174bf746450697117915641fb90

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

Setup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWinThruster.exeWTNotifications.exeFileViewPro-S-1.9.8.19.exeFileViewPro-S-1.9.8.19.tmp

pid	process
544	Setup_WinThruster_2020.exe
988	Setup_WinThruster_2020.tmp
752	WinThruster.exe
1924	WTNotifications.exe
1984	FileViewPro-S-1.9.8.19.exe
1756	FileViewPro-S-1.9.8.19.tmp

Loads dropped DLL 18 IoCs

Processes:

Setup_FileViewPro_2022.exeSetup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWTNotifications.exeWinThruster.exeFileViewPro-S-1.9.8.19.exeFileViewPro-S-1.9.8.19.tmp

pid	process
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
544	Setup_WinThruster_2020.exe
988	Setup_WinThruster_2020.tmp
988	Setup_WinThruster_2020.tmp
988	Setup_WinThruster_2020.tmp
988	Setup_WinThruster_2020.tmp
1924	WTNotifications.exe
752	WinThruster.exe
752	WinThruster.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1984	FileViewPro-S-1.9.8.19.exe
1756	FileViewPro-S-1.9.8.19.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

Processes:

Setup_WinThruster_2020.tmp

description	ioc	process
File created	C:\Program Files (x86)\WinThruster\is-CGVJL.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-8KE9B.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-9HT7D.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\WinThruster.exe	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-EM4MT.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-3U2IP.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-AEHU3.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-VO828.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\WTNotifications.exe	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-M3SLR.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-2OHFH.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\unins000.dat	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-KBBV1.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-03HTJ.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-L5KP8.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-KM5OE.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\unins000.dat	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-T43I4.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-K2QEJ.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-SQAPF.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-NS0SB.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-QIU5M.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-EFP00.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-PC6VP.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-P9CQ5.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-8PR5D.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-H48BT.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-43L1L.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-07NN8.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-2KV9F.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-MO25L.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\sqlite3.dll	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-DEU32.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-C4U0L.tmp	Setup_WinThruster_2020.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinThruster.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinThruster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinThruster.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

980 schtasks.exe

pid	process
980	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXESetup_FileViewPro_2022.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2F42C31-E80D-11EC-A5C5-C6DEEDF3EE1E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	Setup_FileViewPro_2022.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup_FileViewPro_2022.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Setup_FileViewPro_2022.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Setup_FileViewPro_2022.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Setup_FileViewPro_2022.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup_WinThruster_2020.tmp

pid process

988 Setup_WinThruster_2020.tmp
988 Setup_WinThruster_2020.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup_FileViewPro_2022.exe

pid process

1472 Setup_FileViewPro_2022.exe

pid	process
988	Setup_WinThruster_2020.tmp
988	Setup_WinThruster_2020.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

WTNotifications.exe

description	pid	process
Token: SeBackupPrivilege	1924	WTNotifications.exe
Token: SeBackupPrivilege	1924	WTNotifications.exe
Token: SeSecurityPrivilege	1924	WTNotifications.exe
Token: SeSecurityPrivilege	1924	WTNotifications.exe
Token: SeBackupPrivilege	1924	WTNotifications.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Setup_WinThruster_2020.tmpWTNotifications.exeiexplore.exe

pid process

988 Setup_WinThruster_2020.tmp
1924 WTNotifications.exe
1924 WTNotifications.exe
656 iexplore.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WTNotifications.exe

pid process

1924 WTNotifications.exe
1924 WTNotifications.exe

pid	process
988	Setup_WinThruster_2020.tmp
1924	WTNotifications.exe
1924	WTNotifications.exe
656	iexplore.exe

pid	process
1924	WTNotifications.exe
1924	WTNotifications.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

Setup_FileViewPro_2022.exeiexplore.exeIEXPLORE.EXE

pid	process
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
1472	Setup_FileViewPro_2022.exe
656	iexplore.exe
656	iexplore.exe
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Setup_FileViewPro_2022.exeSetup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWinThruster.exeiexplore.exeFileViewPro-S-1.9.8.19.exe

description	pid	process	target process
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 1472 wrote to memory of 544	1472	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 544 wrote to memory of 988	544	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 988 wrote to memory of 1924	988	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 988 wrote to memory of 1924	988	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 988 wrote to memory of 1924	988	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 988 wrote to memory of 1924	988	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 988 wrote to memory of 752	988	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 988 wrote to memory of 752	988	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 988 wrote to memory of 752	988	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 988 wrote to memory of 752	988	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 752 wrote to memory of 656	752	WinThruster.exe	iexplore.exe
PID 752 wrote to memory of 656	752	WinThruster.exe	iexplore.exe
PID 752 wrote to memory of 656	752	WinThruster.exe	iexplore.exe
PID 752 wrote to memory of 656	752	WinThruster.exe	iexplore.exe
PID 752 wrote to memory of 980	752	WinThruster.exe	schtasks.exe
PID 752 wrote to memory of 980	752	WinThruster.exe	schtasks.exe
PID 752 wrote to memory of 980	752	WinThruster.exe	schtasks.exe
PID 752 wrote to memory of 980	752	WinThruster.exe	schtasks.exe
PID 656 wrote to memory of 1284	656	iexplore.exe	IEXPLORE.EXE
PID 656 wrote to memory of 1284	656	iexplore.exe	IEXPLORE.EXE
PID 656 wrote to memory of 1284	656	iexplore.exe	IEXPLORE.EXE
PID 656 wrote to memory of 1284	656	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1472 wrote to memory of 1984	1472	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1984 wrote to memory of 1756	1984	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp

C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe
"C:\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe" /verysilent /LANG en-us /scan
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\is-1V67N.tmp\Setup_WinThruster_2020.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1V67N.tmp\Setup_WinThruster_2020.tmp" /SL5="$20190,4683560,721408,C:\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe" /verysilent /LANG en-us /scan
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:988

C:\Program Files (x86)\WinThruster\WTNotifications.exe
"C:\Program Files (x86)\WinThruster\WTNotifications.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1924

C:\Program Files (x86)\WinThruster\WinThruster.exe
"C:\Program Files (x86)\WinThruster\WinThruster.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.solvusoft.com/en/winthruster/install/
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:980

C:\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe
"C:\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\is-6E3B6.tmp\FileViewPro-S-1.9.8.19.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6E3B6.tmp\FileViewPro-S-1.9.8.19.tmp" /SL5="$10354,60311066,131584,C:\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG en-us
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinThruster\Cookies.txt

Filesize
104B

MD5
bf6c156441320d21440afc65a6bcf77d

SHA1
b04bb3fa963147218ef2c79e96a5a3e1d899e94d

SHA256
502f9fba9bba2ca5f57a3a0ea7efcee4731c98dcd2ea0fcec21059b11ddbf352

SHA512
dba0389aa9a68787f638712f321753d5933a3a9b714358ef780796f8e0a1bece21e113a88626e760c6023c3f03ee18ca138bc3a6962925282a0efbaf92a40474

Download Submit
C:\Program Files (x86)\WinThruster\English.ini

Filesize
52KB

MD5
9d67438ebe4d267c8c0a9b6656b40294

SHA1
6ec736d8721d30f952a02fbce1f63c95a92a3f0e

SHA256
1a61d60a3fc792dac412f76cf33273401659bf9e84bc085dcbdbd3779129d0bf

SHA512
d9d2114ae32eb9c383bd62f4695acad04fe22ac0c7269437868daba9ceae61fae5bf11a5caf7138c36abb37fdfe7f4088a7540e60f8cc492e179af7b3c6678d7

Download Submit
C:\Program Files (x86)\WinThruster\SList.txt

Filesize
72KB

MD5
509c709bc9529cd80c9ac6cb552a1ba5

SHA1
5aa7f857d631b3c8f9adeb381db3d8d0ecc07ce7

SHA256
f85fc4c0e93aa9418ac9a6352a238315e439e3599853296291fad32dd7d20890

SHA512
38bab4d3588e578af84fcce22e297ce2606790d8433c14f771057ffa0504ec66ecf8099621071d692c15dc9c3eb5400ba0ffb5d65774dc42e7eb597a41023ccf

Download Submit
C:\Program Files (x86)\WinThruster\UList.txt

Filesize
9KB

MD5
fa2811cbca1472fe27e16e1a329c4450

SHA1
6bcc1160764615b8e258022c7c2b41b24a7e5043

SHA256
ae43318e7b7776cf59a77d597aa4829fffae130b6b14a980358451e3c71d7466

SHA512
c1cb3a56be8b410da14345aa672f546cdbb64d119d48c2c033ad3ba93d8c87abc96ad3faa9b7494c8393454599a74c6d818361bddf539fa7e0f4c768e907af6a

Download Submit
C:\Program Files (x86)\WinThruster\WTNotifications.exe

Filesize
3.6MB

MD5
e70dbb88489ebeb7b2ee06de070d6144

SHA1
4315555bbfc2b055e92ca8f43d5b4d275c9c6522

SHA256
03447ae8862d0a82bb47c8009bc17e29179bce8d9ec527e62a4acaade36c60ba

SHA512
5ecc5fefbf71180799860e85eee5944006059a1ca3399be76b2349dd099ee61ad0e8b61991686b69253cf4bd6d2810d0288528d1e4aeb82295017546a8921a53

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
C:\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97ED

Filesize
471B

MD5
22fc65f73e1c2d2b6a7f73ff05c815fb

SHA1
d001146b9b07ec3d2d6e226d9aa93d336cadfcf0

SHA256
40abe50a3a996abdc540890e45567b9dc9ec50d291f53f44e53111f5a6b67a89

SHA512
4948b797b32a42dff6a090e64d0bd1c30dba4ccce718b5fde2fb9e906760ff5b4db3de5981359fef330e36b886f77dd8f58b485407d2e85951cae2d7a4a7ac18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e32fc224801fc56e16f573b73c3dd09

SHA1
eab0bb2c65e3868603e30ea35c32cbac57a6e513

SHA256
aab1cb6e52f32800e88eb07d1fc4ebfbb71ebcd26cf2de92be5d2fe06e463435

SHA512
5b144de8b068c425a86eb38f2d74d5b9e6bfb93e14401f01fdb30b3acf2508504997311d026c4efe1e7da492679c6b9440f79cb420c28f9208d4631f9b764365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97ED

Filesize
400B

MD5
841382989883825055b7fd2e059d2fd0

SHA1
fab0d1dfdf39f5d99586d0c2c4701a20cdb4d2b6

SHA256
9b144d3b52b2dd9b53544c5d1dcb839cd1aeb86beedc17c8eb43a90ab6b74e92

SHA512
a4bd2e31ae5c3982e5c307d146f11c256d806a1ad649fbe740b0245b12f4fdd6288d9c86a123f38973e342e5786060ade6145f92ff95b652d78811a458560e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CSMPMU9R\Setup_WinThruster_2020[1].exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SGODTZ7C\FileViewPro-S-1.9.8.19[1].exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V789HYVY\resources.1.0.0[1].34s

Filesize
1.6MB

MD5
65a9517b73bcfc01b3d46f715bf92c36

SHA1
444bbd5cdd8f9e4fe1be79a7c5dbcd2164765226

SHA256
835a6309713ce9102456ed8ce3b211cc1055fc17c981205e263859b21d6031f2

SHA512
7dcf27a044323485d93cef39e920acfb4cce24f2a09b55bcbfac174aa98f580d8c8078beb74b99886061b18be14ae38e452dd0187431820beebbf760db8a7496

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1V67N.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1V67N.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6E3B6.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6E3B6.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
33.4MB

MD5
40eee1de8153258ae19cc48d97b92ba8

SHA1
407574ba21b1e57ada20ad45b62b54d3e255fd29

SHA256
02df1ed4270fc9a0b86efe08107c22bcb138081afe7909bf6e6ddbe1ecac7e69

SHA512
a195378f71167b3800946dc54c5d64def40f5cfe7ca74c75cd64a44f364c5fb636f91acb24303d7309e687889349633b36f11130c27ecbc9d2fd9940dd51c9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
35.1MB

MD5
5f34ecc4522ea84a416dc8bca1572b82

SHA1
da12ea4952adb8aef5faf48e6d405ba5a1c64781

SHA256
a54ebdf69941776c338db9f0eb8b46afa72bd709cbaf33104847214e8c2e9037

SHA512
de83bd844767e8f787401c936cd5b988f84edf41860ebedde50eba6eec78dbc16775005829c1a78400153d91e4267c885830f9f194973d941a3fa20c0c94409f

Download Submit
\Program Files (x86)\WinThruster\WTNotifications.exe

Filesize
3.6MB

MD5
e70dbb88489ebeb7b2ee06de070d6144

SHA1
4315555bbfc2b055e92ca8f43d5b4d275c9c6522

SHA256
03447ae8862d0a82bb47c8009bc17e29179bce8d9ec527e62a4acaade36c60ba

SHA512
5ecc5fefbf71180799860e85eee5944006059a1ca3399be76b2349dd099ee61ad0e8b61991686b69253cf4bd6d2810d0288528d1e4aeb82295017546a8921a53

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
\Program Files (x86)\WinThruster\unins000.exe

Filesize
2.4MB

MD5
fe027195276d9af1d6ce2af736c3f259

SHA1
7d8a9dbdb190710cfc8e674182ab73ad4469952e

SHA256
c493cfa706845358e151c2745e52ee8e6c7400619fbd7ae304fda130865f17ca

SHA512
1fa63f2095fe112a14aa2183b2be4d2cc672c2bbd86fd9ff7dd53ca5eff9fe78e0547168039346ec89af1363fed47f1b054a7c368de26a46d0cc4fed818e3016

Download Submit
\Users\Admin\AppData\Local\Temp\is-1V67N.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
\Users\Admin\AppData\Local\Temp\is-6E3B6.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
\Users\Admin\AppData\Local\Temp\is-RHLN4.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
\Users\Admin\AppData\Local\Temp\{2E60A7C9-E23B-4059-AB6D-548456CA884A}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
37.3MB

MD5
ecb94391207d19e1e3a61b3ea3f66775

SHA1
568e7d287bbaf7e782e9a965ed228248826e3427

SHA256
dfd6c37f424551b52e7e3a8b3cd7ba6815a01f086b28f6ea19b0503a092bef05

SHA512
84c1aa4cbb9bfa28452e17466cfef90383b6b3f9e270248ff7463414ff344db9cb333ecd133d11df803bb2a40bb99693c1d49a3a2e16c898aa2fe6b5c0791536

Download Submit
\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
32.7MB

MD5
7a53e9afaf8b808a6ba07bf8342f9e59

SHA1
cc7ec8701271aff77712ffb0b6fc52102e4bbefb

SHA256
7056da7f3bbc7204d97efb7f7953a95674d3d57c5f7a1a4009b52490e4a7530b

SHA512
d301c6cdb300534c26f353da2b5a4147b511382315aafc436bb152649a8967bee95522bdd3435fd97c6dd588b60ff103551a4764bf2b50256c8e76eb098148ae

Download Submit
\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
29.2MB

MD5
0e534e0793a1da7506991d854dd4426e

SHA1
52cdaea0ba464d67e772cb4b5171fa32379f2c17

SHA256
4358c99da739a5eb91c7e9609013d97b14d84593364e141709108a925d0a468c

SHA512
8c7cc512b2dc45cd362524cdefb5cf6f6d722cd4a50444228d73143378486a76b18ab81c268b70bcf4c6c89080bf58236d3255ca34f32da9ea26a7c24db9ff20

Download Submit
\Users\Admin\AppData\Local\Temp\{80F18B0F-5705-49CF-B79F-2F67208C23EE}\FileViewPro-S-1.9.8.19.exe

Filesize
31.7MB

MD5
cc54c69b5e86dc0b594ff03647b28760

SHA1
e2eab1152b12a6c3933e66da3b320e323162d075

SHA256
370ada4895de2df5a6dd009533e5282d7eca12af5c3112070bbf4d757b2d0b1d

SHA512
0964cd04ca5f9e725e9c004d29ceef03810359d24466e17417c52be8a0d225718e4195f069c371bb55e5653277bae49833adfc8ca22257c97f603d6fb7e7f0dd

Download Submit
memory/544-63-0x0000000000000000-mapping.dmp

Download
memory/544-89-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/544-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/544-66-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/752-81-0x0000000000000000-mapping.dmp

Download
memory/980-96-0x0000000000000000-mapping.dmp

Download
memory/988-71-0x0000000000000000-mapping.dmp

Download
memory/988-74-0x0000000071281000-0x0000000071283000-memory.dmp

Filesize
8KB

Download
memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1756-116-0x000000006FA21000-0x000000006FA23000-memory.dmp

Filesize
8KB

Download
memory/1756-112-0x0000000000000000-mapping.dmp

Download
memory/1924-80-0x0000000000000000-mapping.dmp

Download
memory/1984-110-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1984-107-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1984-104-0x0000000000000000-mapping.dmp

Download