532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_FileViewPro_2022.exe
Size

1.3MB
MD5

5cb079f8ec885592c5538dbe0362d593
SHA1

a5702ea5dfd73c619ad2625e645b93e0a39b1451
SHA256

532a7d66259842f4a710ea7bc6dc48547de371bb69fc842f53934876e787efb8
SHA512

8787a51f3e7eacfd5f507abdfacd58aef34a704d01f84c05ec8074cb77318d3b14223ff2ca3da399633ef82d3529266bcf3bb174bf746450697117915641fb90
SSDEEP

24576:Ch6SVFzDl6eZmL4v9IoYOlrQ14T1+G05hKwzlXX8l8whkwBY2/+WLHkOU:q6UXtvDz85hK8XM8rcY/OU

Score

8^/10

discovery spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup_FileViewPro_2022.exeWinThruster.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Setup_FileViewPro_2022.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WinThruster.exe

Executes dropped EXE 9 IoCs

Processes:

Setup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWTNotifications.exeWinThruster.exeFileViewPro-S-1.9.8.19.exeFileViewPro-S-1.9.8.19.tmpFileViewPro.exeFileViewPro.exeFileViewPro.exe

pid	process
2976	Setup_WinThruster_2020.exe
228	Setup_WinThruster_2020.tmp
5088	WTNotifications.exe
1120	WinThruster.exe
2148	FileViewPro-S-1.9.8.19.exe
1276	FileViewPro-S-1.9.8.19.tmp
396	FileViewPro.exe
3888	FileViewPro.exe
2824	FileViewPro.exe

Loads dropped DLL 56 IoCs

Processes:

WTNotifications.exeWinThruster.exeFileViewPro-S-1.9.8.19.tmpFileViewPro.exeFileViewPro.exeFileViewPro.exe

pid	process
5088	WTNotifications.exe
1120	WinThruster.exe
1276	FileViewPro-S-1.9.8.19.tmp
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
396	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
3888	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe
2824	FileViewPro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\FileViewPro\Wps\wps2html.exe	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

FileViewPro-S-1.9.8.19.tmpSetup_WinThruster_2020.tmp

description	ioc	process
File created	C:\Program Files\FileViewPro\is-H946L.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-ERB4M.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-1UP16.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-D3CR8.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Printing.v18.1.Core.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.DataAccess.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-GKGG1.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-H5QHK.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-9U5P5.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-LK99N.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-ST71A.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-4SB3T.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Sparkline.v18.1.Core.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SocialExplorer.FastDBF.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Mime.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-PUVGJ.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\contrib\suggest\browser\is-K9NVN.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-BVHQG.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-TONJA.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-JARLR.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-1USB9.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-5IU0B.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-D018Q.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\Wps\wps2html.exe	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\Word.Resources.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-2C4JE.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\Raw\dcraw.exe	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Resources.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Xps.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-0GHPD.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-I3M96.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.Utils.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Wpd.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-AAU9T.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\contrib\quickOpen\browser\is-GC66K.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-RJS3B.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-P29TJ.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-8NB43.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-LP7FT.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-C4RHM.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-01VHS.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Pdf.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-3FG0B.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.XtraPrinting.v18.1.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\O2S.Components.PDFRender4NET.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-I7QV5.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-G7H93.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-OR896.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-IJ19V.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-OR43B.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\language\json\is-DOBEV.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\basic-languages\src\is-OMDBU.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-E372V.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-G8UP8.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files\FileViewPro\is-7PB1J.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-6REU6.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Resources\Editor\monaco\min\vs\editor\is-ODC2O.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\Langs\is-5PRO2.tmp	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\SolvuSoft.Views.Message.dll	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files\FileViewPro\is-9SM9K.tmp	FileViewPro-S-1.9.8.19.tmp
File created	C:\Program Files (x86)\WinThruster\is-AVH9J.tmp	Setup_WinThruster_2020.tmp
File created	C:\Program Files (x86)\WinThruster\is-HBLT0.tmp	Setup_WinThruster_2020.tmp
File opened for modification	C:\Program Files\FileViewPro\7z\7z.dll	FileViewPro-S-1.9.8.19.tmp
File opened for modification	C:\Program Files\FileViewPro\DevExpress.XtraCharts.v18.1.dll	FileViewPro-S-1.9.8.19.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinThruster.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinThruster.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinThruster.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

480 schtasks.exe

pid	process
480	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

FileViewPro.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	FileViewPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FileViewPro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FileViewPro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	FileViewPro.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Setup_WinThruster_2020.tmpFileViewPro-S-1.9.8.19.tmpmsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
228	Setup_WinThruster_2020.tmp
228	Setup_WinThruster_2020.tmp
1276	FileViewPro-S-1.9.8.19.tmp
1276	FileViewPro-S-1.9.8.19.tmp
2608	msedge.exe
2608	msedge.exe
60	msedge.exe
60	msedge.exe
2436	identity_helper.exe
2436	identity_helper.exe
4616	msedge.exe
4616	msedge.exe
4360	msedge.exe
4360	msedge.exe
4620	identity_helper.exe
4620	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exemsedge.exe

pid	process
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WTNotifications.exe

description	pid	process
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeBackupPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe
Token: SeSecurityPrivilege	5088	WTNotifications.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Setup_WinThruster_2020.tmpWTNotifications.exeFileViewPro-S-1.9.8.19.tmpmsedge.exemsedge.exe

pid	process
228	Setup_WinThruster_2020.tmp
5088	WTNotifications.exe
5088	WTNotifications.exe
1276	FileViewPro-S-1.9.8.19.tmp
60	msedge.exe
60	msedge.exe
60	msedge.exe
4360	msedge.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WTNotifications.exe

pid process

5088 WTNotifications.exe
5088 WTNotifications.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Setup_FileViewPro_2022.exe

pid	process
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe
3152	Setup_FileViewPro_2022.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_FileViewPro_2022.exeSetup_WinThruster_2020.exeSetup_WinThruster_2020.tmpWinThruster.exemsedge.exeFileViewPro-S-1.9.8.19.exe

description	pid	process	target process
PID 3152 wrote to memory of 2976	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 3152 wrote to memory of 2976	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 3152 wrote to memory of 2976	3152	Setup_FileViewPro_2022.exe	Setup_WinThruster_2020.exe
PID 2976 wrote to memory of 228	2976	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 2976 wrote to memory of 228	2976	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 2976 wrote to memory of 228	2976	Setup_WinThruster_2020.exe	Setup_WinThruster_2020.tmp
PID 228 wrote to memory of 5088	228	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 228 wrote to memory of 5088	228	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 228 wrote to memory of 5088	228	Setup_WinThruster_2020.tmp	WTNotifications.exe
PID 228 wrote to memory of 1120	228	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 228 wrote to memory of 1120	228	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 228 wrote to memory of 1120	228	Setup_WinThruster_2020.tmp	WinThruster.exe
PID 3152 wrote to memory of 2148	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 3152 wrote to memory of 2148	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 3152 wrote to memory of 2148	3152	Setup_FileViewPro_2022.exe	FileViewPro-S-1.9.8.19.exe
PID 1120 wrote to memory of 60	1120	WinThruster.exe	msedge.exe
PID 1120 wrote to memory of 60	1120	WinThruster.exe	msedge.exe
PID 60 wrote to memory of 1748	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 1748	60	msedge.exe	msedge.exe
PID 2148 wrote to memory of 1276	2148	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 2148 wrote to memory of 1276	2148	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 2148 wrote to memory of 1276	2148	FileViewPro-S-1.9.8.19.exe	FileViewPro-S-1.9.8.19.tmp
PID 1120 wrote to memory of 480	1120	WinThruster.exe	msedge.exe
PID 1120 wrote to memory of 480	1120	WinThruster.exe	msedge.exe
PID 1120 wrote to memory of 480	1120	WinThruster.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3492	60	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2022.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe
"C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe" /verysilent /LANG es /scan
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\is-A38I5.tmp\Setup_WinThruster_2020.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A38I5.tmp\Setup_WinThruster_2020.tmp" /SL5="$9006A,4683560,721408,C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe" /verysilent /LANG es /scan
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\WinThruster\WTNotifications.exe
"C:\Program Files (x86)\WinThruster\WTNotifications.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088

C:\Program Files (x86)\WinThruster\WinThruster.exe
"C:\Program Files (x86)\WinThruster\WinThruster.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.solvusoft.com/en/winthruster/install/
5⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0a2346f8,0x7ffb0a234708,0x7ffb0a234718
6⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
6⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
6⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
6⤵
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
6⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
6⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff773dc5460,0x7ff773dc5470,0x7ff773dc5480
7⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
6⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
6⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
6⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
6⤵
PID:480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1577950765958352254,10329259482631945881,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
6⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
5⤵
- Creates scheduled task(s)
PID:480

C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe
"C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG es
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\is-PUE04.tmp\FileViewPro-S-1.9.8.19.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PUE04.tmp\FileViewPro-S-1.9.8.19.tmp" /SL5="$10348,60311066,131584,C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe" /verysilent /norestart /LANG es
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.solvusoft.com/es/fileviewpro/install/?utm_source=fileviewpro&utm_campaign=version_1.9.8.19_06042019&utm_medium=bundle-winthruster
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0a2346f8,0x7ffb0a234708,0x7ffb0a234718
5⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
5⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
5⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
5⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
5⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
5⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
5⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
5⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
5⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
5⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
5⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7014241395501532487,4493254031910594618,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
5⤵
PID:2596

C:\Program Files\FileViewPro\FileViewPro.exe
"C:\Program Files\FileViewPro\FileViewPro.exe" /restartWithNoAdminRights lang=sp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

C:\Program Files\FileViewPro\FileViewPro.exe
"C:\Program Files\FileViewPro\FileViewPro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3888

C:\Program Files\FileViewPro\FileViewPro.exe
"C:\Program Files\FileViewPro\FileViewPro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinThruster\Cookies.txt

Filesize
104B

MD5
bf6c156441320d21440afc65a6bcf77d

SHA1
b04bb3fa963147218ef2c79e96a5a3e1d899e94d

SHA256
502f9fba9bba2ca5f57a3a0ea7efcee4731c98dcd2ea0fcec21059b11ddbf352

SHA512
dba0389aa9a68787f638712f321753d5933a3a9b714358ef780796f8e0a1bece21e113a88626e760c6023c3f03ee18ca138bc3a6962925282a0efbaf92a40474

Download Submit
C:\Program Files (x86)\WinThruster\English.ini

Filesize
52KB

MD5
9d67438ebe4d267c8c0a9b6656b40294

SHA1
6ec736d8721d30f952a02fbce1f63c95a92a3f0e

SHA256
1a61d60a3fc792dac412f76cf33273401659bf9e84bc085dcbdbd3779129d0bf

SHA512
d9d2114ae32eb9c383bd62f4695acad04fe22ac0c7269437868daba9ceae61fae5bf11a5caf7138c36abb37fdfe7f4088a7540e60f8cc492e179af7b3c6678d7

Download Submit
C:\Program Files (x86)\WinThruster\SList.txt

Filesize
72KB

MD5
509c709bc9529cd80c9ac6cb552a1ba5

SHA1
5aa7f857d631b3c8f9adeb381db3d8d0ecc07ce7

SHA256
f85fc4c0e93aa9418ac9a6352a238315e439e3599853296291fad32dd7d20890

SHA512
38bab4d3588e578af84fcce22e297ce2606790d8433c14f771057ffa0504ec66ecf8099621071d692c15dc9c3eb5400ba0ffb5d65774dc42e7eb597a41023ccf

Download Submit
C:\Program Files (x86)\WinThruster\UList.txt

Filesize
9KB

MD5
fa2811cbca1472fe27e16e1a329c4450

SHA1
6bcc1160764615b8e258022c7c2b41b24a7e5043

SHA256
ae43318e7b7776cf59a77d597aa4829fffae130b6b14a980358451e3c71d7466

SHA512
c1cb3a56be8b410da14345aa672f546cdbb64d119d48c2c033ad3ba93d8c87abc96ad3faa9b7494c8393454599a74c6d818361bddf539fa7e0f4c768e907af6a

Download Submit
C:\Program Files (x86)\WinThruster\WTNotifications.exe

Filesize
3.6MB

MD5
e70dbb88489ebeb7b2ee06de070d6144

SHA1
4315555bbfc2b055e92ca8f43d5b4d275c9c6522

SHA256
03447ae8862d0a82bb47c8009bc17e29179bce8d9ec527e62a4acaade36c60ba

SHA512
5ecc5fefbf71180799860e85eee5944006059a1ca3399be76b2349dd099ee61ad0e8b61991686b69253cf4bd6d2810d0288528d1e4aeb82295017546a8921a53

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe

Filesize
7.1MB

MD5
397dc4446f2519ec41552a2102e08764

SHA1
cdbd84a0ba6bcf814df68f8037a8b0ef9c992e62

SHA256
6165ce1cfd74917590da8612cbd8a5ae7a88af5146d5c3361544a6ab2bfd1c96

SHA512
667c7c53617c80dd030276e70611371145241c6caa014697aee9659a2ae7c082d8c41267e1675ea1004f0c55110a38ccbde4549c4bbe36250c7fc538fee50dd2

Download Submit
C:\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
C:\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
C:\Program Files (x86)\WinThruster\sqlite3.dll

Filesize
846KB

MD5
dcf7095d73402d6e1c0e9e8870fd3284

SHA1
a70fd3c662081d40b0be7645d2a77d26cdad8582

SHA256
e5e6df7d8b2c06be464dc75f5139b3b38c230184bdc645c6be6becddf3c83d6a

SHA512
2b6ce53c0d5664a6b5ec7afb3db122c363309db56fed3a9f7f3964bdc837dc66782e839154364ea3a8bce731ae8d699cac536c279a597dfad91445da05ba18d6

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe

Filesize
739KB

MD5
daa97924499885155278a306d3cd32d8

SHA1
5a315a56db58342c3d18dc73128492a67499c528

SHA256
a78a50b913083c2f3941035e19e48d0c895a1304365d202e491bc780bc9888f6

SHA512
b67f86e2fa693c31e974cefbc0c7c4610ffb6445fed0da3ee62549d6fca1655d23ed24e6fca9aac7dd15702e09f2ab0995df2f2297bfb18928cd8c117b9cc242

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe

Filesize
739KB

MD5
daa97924499885155278a306d3cd32d8

SHA1
5a315a56db58342c3d18dc73128492a67499c528

SHA256
a78a50b913083c2f3941035e19e48d0c895a1304365d202e491bc780bc9888f6

SHA512
b67f86e2fa693c31e974cefbc0c7c4610ffb6445fed0da3ee62549d6fca1655d23ed24e6fca9aac7dd15702e09f2ab0995df2f2297bfb18928cd8c117b9cc242

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe

Filesize
739KB

MD5
daa97924499885155278a306d3cd32d8

SHA1
5a315a56db58342c3d18dc73128492a67499c528

SHA256
a78a50b913083c2f3941035e19e48d0c895a1304365d202e491bc780bc9888f6

SHA512
b67f86e2fa693c31e974cefbc0c7c4610ffb6445fed0da3ee62549d6fca1655d23ed24e6fca9aac7dd15702e09f2ab0995df2f2297bfb18928cd8c117b9cc242

Download Submit
C:\Program Files\FileViewPro\FileViewPro.exe.config

Filesize
3KB

MD5
4e73c4ff8ea09cdc528e5eea378b9c89

SHA1
e3974580154b5897441a68b3a14bae74fbfab14d

SHA256
7c90b0bbb693a95518b394ff9fe96f975b1290cf51c017a4a8b5ef669d91e916

SHA512
155962cd814ded2d3d4d4120e8f5774fc381fdb8bf2aecc04e2c0ac84ea2079428f34f60890ad78c627164d33c7f82517750a116e70b00e1aea6e79ae8c32ce3

Download Submit
C:\Program Files\FileViewPro\Wps\wps2html.exe

Filesize
133KB

MD5
4348b879e87211ca9059ff090a6872c9

SHA1
048c395296eeb2af3fda21c820e33e7a06fae82a

SHA256
ed016605bded2acc91854d33ffdefa6ec92dfbc84313d086a250cf75e891e659

SHA512
89d60cd3cf71e8f9132b81c917038b0702299851f2b3656a4f408d2845e4b52062f64390392a0ee43a3533a6f92d38f805f0b2a45db1be4f3eb660c4851d61a7

Download Submit
C:\Program Files\FileViewPro\unins000.exe

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\ProgramData\IsolatedStorage\xhqudlmf.atq\dc12je3b.lu2\Publisher.hobc41kkywtcc0rbz1btlitztrczryui\identity.dat

Filesize
1KB

MD5
05c9f19b4efe1e17616a590bf7ba78b4

SHA1
0b6af11405461794316cca1ba03f04e48368856a

SHA256
2065f492126f161ac0583f22dd1b72240bbee3d763d6a9e0d1eb365b8d9c9ff1

SHA512
e96f2b0c106dcc948225e34c867a23b8f2ec503cd9711a2a6cb4e90cedde8630530147fa4326044d19d9fe95ff45215edc29f2e72b5a6ac93dbc7da839819fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
832d6401feb6599ea61c383fb9b67710

SHA1
395483c624228ddac2461bd890056b6784192673

SHA256
8235a65e22a68b27c8dd6171efdb40015e191afb75cc3e260a5ae2cef12f2f8e

SHA512
d50fcd1bf8c3ea0c7cdb872d54d61ee5fa9b1c29f71214452a91f249397453971d461e0ba5f6a36aaa46378a83b6a1965a9467b87b7ac8eed0adf6e56d74b798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
26fc276126615cb2ca37a699d6fe43e7

SHA1
a906363cb732c85341b76a082fddcace38bdfcc8

SHA256
3a7befe8719b89ddc804e53a28df354a4c36504b594ad3eefd9762af478d20c2

SHA512
dc1e345f821f27102e2f1ac7857e14356aede513624d78590a4886457d2e3480141ef88ff9993c71b7573587d90959e1fd584253e8b3b9636e97614a3adefc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
42655960a6079f85a17f6c351dbae373

SHA1
3b3c3c135828d3ea78b6e1e4249c8f807203796e

SHA256
4f622c9e65acd4b260428410eeb7bdfd4189747db7af2fbaf8fb0e42f9161d47

SHA512
6f928327b155b332a9251953cf3d181b7f139bf1f8cb6bb2e216e758c694a60cec31c8532a3da843dd266c33bdcf4981361b7e0f95342d1bcee800dc76b95194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
42655960a6079f85a17f6c351dbae373

SHA1
3b3c3c135828d3ea78b6e1e4249c8f807203796e

SHA256
4f622c9e65acd4b260428410eeb7bdfd4189747db7af2fbaf8fb0e42f9161d47

SHA512
6f928327b155b332a9251953cf3d181b7f139bf1f8cb6bb2e216e758c694a60cec31c8532a3da843dd266c33bdcf4981361b7e0f95342d1bcee800dc76b95194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
586743477235ff89eb71456f2f329592

SHA1
021deb498cefd4564e5c3c690548a78ce0aed173

SHA256
1854dc9c4f5895f3e71ad3ca50d6029421185d3728d9cfcb47147f86113e70d4

SHA512
9aa120911ee8ea5f6586295824a67937487c297e43caa8b0de36e173bfa789d7ee7c0e73196bb4e5651611cf88ed1fdc65f22ecbe22110edac6bd52a02463264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
146ba2347b83462e418305f7a7848030

SHA1
99b73cec021a8417a289173eeac3cbb3aae30f6e

SHA256
eb296ab65ca5ca0acd3f2378e5c0b01224c1ba53dff368e8b3880ca34e2c5cab

SHA512
283e8b90cf4b0f36264be9d3c90882bb11cab24fa80dc516a5ce53dfa0336e3473968ff3435850c658831f49a7280709f4fc208ecb46fefd32700b613a816113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
55a16889cff6a2b2e4344f52d7b45f92

SHA1
04d729e4b590150f079e558f21a14d754aa40f71

SHA256
af93acc36b04516946ede90e632481c5f555e7159bef00c4023282ebb3175c31

SHA512
1effdb0f1e307e1d207ef0354d39b71859aaa3a3c4542794307fb9793a5d2ef502721c1d591c38a386c818ff19e41042d2596cf24d16d27ea7def09535439f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
017cf842846aa673fe010fc6e143c3ef

SHA1
ba06339d926d6522acd9f9eb23b03f32b5617b1a

SHA256
04d62f2865f05ebbd87ddc53d9562149e3301735d2ceb2f83647c357a410bc87

SHA512
d6422e219d57cd2a99a2b324295696dfa90ecca54244f0c4154ddfc6d863664fafa5000f979161525e562ea8be88557bb521d911925d5c5309cfa11fc4c9b309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57acbb.TMP

Filesize
48B

MD5
2590bbe852e5123c59ebab7e1524d318

SHA1
8a92d78806a54f4b0f4304791a42c19a1ecae766

SHA256
d966ccf4ae86dd6cd2e1aa9fd1ee3df9c0297f256eed492160b02599baf75b29

SHA512
f93d2e031b3871920b583a2e85ba1be6a1ca0546841d2c1d3351daed030a8b4f919566e27c1a1a7eb96775a14588413225cf863fd6f1983bc72e93a78585edbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
9c490031b97d3747326318df61caf654

SHA1
ca1e101187f3af212156bf0216c55b69e61af5f4

SHA256
25ece398879cb8cd6e156deacdcae47d34b7f9dbf8cb6affa3d0949560369f17

SHA512
ef529f5dd8b48719f49a9bc41750a832e42fe4d834a4e02fa356037b42cf6807b547945abb0bef30c8f18b82654fdb24958c7f18129c13c0cfe1dfe0eb4f6244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b1fa1936576cd688b55cafbcfd7144fd

SHA1
a3b1e75c076722ffaa3d6f509998c8ad90a66072

SHA256
5d257cae8d07b1085252033635aa5f45ce1859ebeefa93870de31c9c21e45a7b

SHA512
13c4eea0d3ccc5afe1b7e5ac076d2ac4eadb6454122c009e5688e1b5b39bd5902ea35b7bbc58c91d18cfcbccd5523a391736a618ff0a8d109a2e499c5b8209d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
b4dd25f3a79583f4d2fc11d59505f5f0

SHA1
9cb3025ed60dce05d4772e58257058b5df982248

SHA256
dee999dbd238361b2fe488fea50671474db5809ed7452bb8d5c85bb4dda67c81

SHA512
27fa72afa0d03fe20185e8e0fc6978e383b6bde025a2b621d0b85dcc279b5925d922915a1d4aee6e19c56862534d27e877f0849b72c0ed9f5a7ea224e70adf14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
0e4fa27b7a18ebc1ec86750f529bd20e

SHA1
fdde4276bc9477af319516655c45eaac53f50139

SHA256
daabb4a46965cc4e4bf18a69ca6df4f6718e754f063ec2453d64f7008369e0a7

SHA512
889821138c4773d0a0a7923331e7a8638964048482d9cc32f4b7297144f30902802023c8c7c69286510cdfe99a644afac7033a7af88c08cc43a118d0aa0c17c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
6d2bfb2bc3c9d8c44dc4115ec51d3243

SHA1
54ab8d14514115f999a97d12dc1686efc2f77722

SHA256
eed9fe53dfbfe28749487d1c07c325aa3c718266e9ca5e2fb4ed869bf441f52e

SHA512
90f42a7cc01a78ffc10238c8e399076ec9481b0b7d2dfadff2ea8ebf3cba3f71c098b110c280925ae14c7d9d2d65ada081b0712e6725cf61bfc363fd6a493192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
498B

MD5
27020d18f9a8702b1acdd4609bdb14d3

SHA1
b64ce4512e4a4ac8e7890e13f0ef44dd8b20bc64

SHA256
fd6df4a9d53e831ca3b991b5f458d7a04f96e4b9da3ad0336e001f273a3565cf

SHA512
84160f65361abe242b6eca5ce1737e2db2a4601cb904a95da83976a5281afb30974127989caa6f0a5d3b3068930a1eeea8c5bd5f6ac33ed62d1919bbff9181a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
157B

MD5
bbc38284f7635c9f2a87a54cd1a58390

SHA1
39df82e3a2dd2fcf75331fb4201d6a977b986517

SHA256
df5e552d00e15ee4b01d39bfee706ea9803e02e7e7a00b912c16bba0c052f14f

SHA512
0ead4dfe11db92694b24b1b4edc0113f33c9f45ebfe88cf00760832843732007939b79ab7b2d1f9965e875518bc3fd11551002f53d0396de2022775da10779ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
4f9c77c81a73129d804163414b2342b8

SHA1
d2925a13afb47f73f1c94e9ea1a313feb1892ce0

SHA256
d0d368dc0b1a56115577de14f6df0f92f37b914e9bdde1558823fc0bb8bdd9b5

SHA512
0925abac3cef9afa0fda3c5bd55d2edc01103b2647b4b8ec3cb70ace4e49d11ed369372d5651ab228077ab537f0df82d09270c72f4e782b54d8fd14f36a7617a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
ac133dd27cb9d5a2e13700bea9726478

SHA1
630ac4b73ffa0e28710e68b1c93d3eba80c99875

SHA256
13e4f1b191de5a2e485ca74ad91c448857b2b330a689ce1079e2e31022c3fd9f

SHA512
6e12b6c2ba6236f4205300bac985c00f712146347fe5750a85fa196932f9b815fe54eec8e03b5d55e65cd8e8b03a9aa0a0a3dbe863635ac75b6758eeb896ff6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
41dcb8dfaa8ccfd6c4d0ff57e1a50816

SHA1
d3fe751c6ac72403d2ef6b275c5f3bc37be63876

SHA256
5ca1fa5134ff00b0398f04631934fca65f190744dffdadd097af8fda9c971349

SHA512
12d0bf2e4450d8f2e6c3d1af33cd258a3298ddeb16ad9acb41e8d733cecf7d5eb06160e7d150e9a176435c6f233c716023c634f8be1d64db4053b3701b0fc3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b558e77c94ed4bea06d24620d83659d0

SHA1
2a98ef2ee4bbb07c2a7221556bffd651446e37dc

SHA256
d3e31ca178e2a94914b3d088aa5461d6b4c279f2038baf232cde7f483d969789

SHA512
313ab999caa444121fb8ba4daa4f107fd2f4efc7949a56337e1673ec6fbd9e6da2cc54d5da75df90d16f3d7861ba6c0d983923f4b9d2e781484109ed67b2013b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
85bed2d95787edda5b6a91595760683e

SHA1
9e764948af704d469eeb1559d6fc4537065b23cd

SHA256
fbda453b6c275c23dc343e9961a77995668e415e9a825ab3aa9a9eed8e67445d

SHA512
a010fc32460c728bbf32ec9fbd70d5afe3942f254ea9001691cf7797d4cef04330092640a2d22f9a78b809482a9ddab5b3070474a2216309a2943d0d0de8decd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9a130b2e19a5a87e39aeb3d4b72f8de

SHA1
fc95d6cf3aa16a885253c84b99244fcc508fb472

SHA256
dfa1bb3813d414d29a197aef8c3dd89e51b20aab74dc74be0b9857d0561bc572

SHA512
151783585264b44fb392b5165a73f09dc7e585f2b6d443fb99ba4f1f2cdfa03f6f05c87c217384c7f279f1c2651798ba79e1deaf7528ef3775848d86a1af5499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7795b32ee26eeba12ebe504d305e0ae4

SHA1
28d4c68552c673ebacdd1aecea354e7b5b13ddba

SHA256
7593015c4bc75e6958dd5d667cbf9837b398ad24f12d60a45150e76aadda76b7

SHA512
69d6ae9f6b7d59a294b93fe3f343ecbcf3ca9a9b78e5ae88e7728fa422a3f7fa63357d90fef19c40c2c8861632642b56ba18453453334a89a61b05a81cbf8f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45debb3df44f78d16bd60eb8392edb63

SHA1
a77fd14aeb70439d9f8ae87b78eb8ac40423a3a0

SHA256
1d4692a195e10357ec7762e0eeae4c4e0114fd7dab59c1438c0186f747e03737

SHA512
d8120ab80efac290b0d69d9cf87c9e7f3397bfd1a9a88e99400221db7b21aff90b7b916cd569cf675bada7416825506baf788cf050e83a3fd91fb819d291941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4402e2aa83a7268652ef15a7b709ce0d

SHA1
4bc0f2228d34032a32104855dc612bd1883b50a8

SHA256
4ba962153e80e37fae6132392b5bb145188cc088da141bc1b31726c3a8f8719d

SHA512
7aadaf75a51f23d26eedcf333992b980315c5c45d420f95a5e1ec7b833c78162ef3c5833b8710808e6c46f29aaec4207be2be887dd5f7b3b3c2ea99b7b1215e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ec06fa0ac3ec299a8a91447ba05ade4

SHA1
11d9c2226a9276ad0caa7619ab23ee54d21619cb

SHA256
96aad52737049d1caf822806398af88561d937e9ec4b0c7b4e98963d3b3be8d9

SHA512
435a1a598466577f4d43a3e00c389d0feae1e9a33a7237b171fdf4323d349707cdfad92f2d26eed23ac35d4e813ce2892876182d58475b4a30ff1b0384081fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ec06fa0ac3ec299a8a91447ba05ade4

SHA1
11d9c2226a9276ad0caa7619ab23ee54d21619cb

SHA256
96aad52737049d1caf822806398af88561d937e9ec4b0c7b4e98963d3b3be8d9

SHA512
435a1a598466577f4d43a3e00c389d0feae1e9a33a7237b171fdf4323d349707cdfad92f2d26eed23ac35d4e813ce2892876182d58475b4a30ff1b0384081fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c325881ebe65f710ffde9291a337fa80

SHA1
1ee282fbda5f7c9b49406abfc182cc83148883e6

SHA256
3b769be053cc0fb275a708dbd5e7cca5af41a5b4994385cbd19266e880da9c0c

SHA512
f28ba69ec56f4d1dd8e241cb47d4514ac7f9d9cb177929f1c48dbb04bcc9adea13d95f415dfb4c660eb3c79ad1211ca15459b3c566179365d026ab3e5b4cad0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13321579052367865

Filesize
2KB

MD5
d8e1babb4776e904b5e9489117ddcdc3

SHA1
2e6115d78c7474713c19d3f48c9d79344754add3

SHA256
b76a553387bf54b1ef00af9e4cce216847df6637fb0e3933343063e764a36dab

SHA512
e63aec7c5db62c0f2d05011bbff4fc1abee57865b2e732dcabae5a9d4c48148258051d3b8801a8d0e57057971f031a2993690e29eecd7332394f84211ae0c91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
5281ae30851308e0d3f8fa7a65b8856b

SHA1
d65ee7c0b1013c45aa84c18d506b3ca139a55f1a

SHA256
4ad375f51843d5664a199db07f80715809aa527c9da2d8d3ec7a0e68eb636616

SHA512
b38f81e7fbe743026a0ea9068b7376118cde5c38dc0c6a52eb4f4244c88cdfdc9d2535d60574ecaa10a2cd55c9540056c5f6facf34731b7d32eb87317c94cff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
bd06b19b84bf7412a164e444b80a28bf

SHA1
a543cdef091f31d59bbc43c84eb101580c22e9a5

SHA256
8c648699d7ba5dc158d297cfab75b18ce093f3013c0aad989e5dabe28a52756f

SHA512
b5ec9833630648eb2a522ce1f540273599c08e84576f4db0203e1fea33882435fd3498813e5829f34368ad6d9d8204742a98b5d3cc4393c321affd08f4a55ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
65e3d9bf41f05b04f664b87d9d8e4d7a

SHA1
08ba0788d83f0c39cb09a4217e322f8cf687894a

SHA256
c046a643a9478347030d219ef81e9dc0b338cc45b9d1012956b0ad00b1e4a88e

SHA512
d14f401f21da2d38a65be5d5530fae20fae21ee21f5d34cddf3fde2a528555810df66bff6f30733b883fe138eccb23e52344d955aafd8d7e5d8e2cbd54152e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b48bbf017be2035369621cb5de4701be

SHA1
998bf6d34fadc47e77458de05626f3f139cb1986

SHA256
8aa2aab2aaa18d55f37be04ab2e057de99f75270277c249fd007b7fb082a5456

SHA512
103993e571c504a9d927033a8ee6033f1543495a2ce6bdf3c3e151a1798c25c33c90fc1ac1d165b7550e8ff60a36d729c33c98a565319a34e6b761cae4909113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
799b737dc99ec81ae90de76bc639a639

SHA1
c1a7676fa533f589b6a56a778d45b2459ff79575

SHA256
1fe09d97c6f605c6fd3c1f74fc92c9f556177a9cefc326afc4f2be17ce34b73b

SHA512
8f69edeef811e98b73f3334aa32e73121f259a86e7c3937df43694026fff37a1e2466e30b49a7424cc2ef8df051f1b98aeb4bc499e33354352ce35b780e2c025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
744KB

MD5
b8385a778f60b048b3f0a548c00601d6

SHA1
50c12f8b68b836f5af8150759c6165724031a21e

SHA256
f677e98ba85149341da71fd2fcfead8e91dc9be052accb2e70a2aa076986de7d

SHA512
04f96ad88a65e0a39970aa323f7a2243d337067352bbe71d4fcd0d0529ede1a1176e143031e511652eaa1a1c26c141208c2ec2fb864e861bef6daf71a91b565b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
b6b0fdd0287b2cebd33dd46fae914827

SHA1
8c4dc1569dd66bd4281ddf8929f272ffeefc40e1

SHA256
25366b6d8f32ad6ea0aa896657de110c76c80aead172baa625e0ab33638b9ae7

SHA512
ab9ecc3a99c546adadb1a8085452a1ff46c54862b34a18c7f58c257f04668409590e4f3c112d4e3cb6cc801a83cca0f747aa190e70cc11901af74dd9542bdc55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1ffee6219d0ec762cc702916fcea1d85

SHA1
73e971ef19a939a9e3559d8de847387c55bed121

SHA256
f4190a626f46bfc6c6059c05725effbc6dca2ce5754899a1e02cb02e8e036168

SHA512
35b8dabac0ae3cd95ad074e767da036625653dc316f81f923becca0b694c46b27d55aa4b1d53214a287882986fc791bba5c7630fe7b060b1d5055fd875840124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0f7aa993c91edc24ba17bdabd333a474

SHA1
3b51e624776e85c8c39c18d09ad83be852dd6845

SHA256
567e2c770e4f81197e86e8648e193f074a85ee7320cd91683973ce71f4954dbd

SHA512
145ee55b63e5de184057f3c54d7eb7de1ffcb4f4d79cff52c299ea5df53fe2d5dfffb24dc041b5058a78632049da2b838ce5e36cbcfd4b347340a68ae0fc415a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0f7aa993c91edc24ba17bdabd333a474

SHA1
3b51e624776e85c8c39c18d09ad83be852dd6845

SHA256
567e2c770e4f81197e86e8648e193f074a85ee7320cd91683973ce71f4954dbd

SHA512
145ee55b63e5de184057f3c54d7eb7de1ffcb4f4d79cff52c299ea5df53fe2d5dfffb24dc041b5058a78632049da2b838ce5e36cbcfd4b347340a68ae0fc415a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0508b36a4197787b12c813ab9f86d482

SHA1
dc44176a67a4a2426f5b90a831b91d123c479f51

SHA256
a64a7d9cdb8d155b3da6932469e1a8907a5ec6b7dbdce535bf2e33c12c7af07b

SHA512
808bd44a9e95bf36e66f7779daa39a23bedd406c614d0d1a8f4a7a08bab3e11456a0f975659b66d8c7b8c70ce9ffec08654afbb91188d98b3270d4622ce0953b

Download Submit
C:\Users\Admin\AppData\Local\Solvusoft_Corporation\FileViewPro.exe_Url_dnaugtvmzfhczvych303evrzkmck3wnr\1.9.8.19\u1ckpoar.newcfg

Filesize
897B

MD5
76c406f3463f8927abfdead2e20c6743

SHA1
44c4a253f270d4f9a071edc8763f804117f5bd80

SHA256
56874e4c85e368b11d105180b0806e434f3d0d7e5a816ee866853df1017ccfa4

SHA512
1defde300abbbb71372f2fa0c384780f293bcabcc745c2cbd4e028fc93b41c921788a0e5a3f425111dc24ea2197515768b711e3a58ec825e93b1755d868568f1

Download Submit
C:\Users\Admin\AppData\Local\Solvusoft_Corporation\FileViewPro.exe_Url_dnaugtvmzfhczvych303evrzkmck3wnr\1.9.8.19\user.config

Filesize
697B

MD5
0a7398e4f31c76d0011b55271476e0ff

SHA1
bc5ba183844eac072cf3840da916fadbd4373283

SHA256
eef3293b6321934bd16a1118a5d7cccde00128367348f9c6768a4eed353f3441

SHA512
19695367ad4a2c6d88bc376a48af60a1ae84a2f1b2fe5ff305d0e8722ae64abf6b4781c00c7d53d0a27f71036d3fbc1aed3d388945d5b284d0dc5cdfa05994a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A38I5.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A38I5.tmp\Setup_WinThruster_2020.tmp

Filesize
2.4MB

MD5
84db4b4205f705da71471dc6ecc061f5

SHA1
b90bac8c13a1553d58feef95a2c41c64118b29cf

SHA256
647983ebde53e0501ff1af8ef6190dfeea5ccc64caf7dce808f1e3d98fb66a3c

SHA512
c5803b63d33bb409433b496b83ca2a7359b4b1835815386206283b3af5c54d7d1cb9e80244a888638c7703c4bf54e1b2c11be6836f20b9fea157ab92bfbf365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQENP.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUE04.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUE04.tmp\FileViewPro-S-1.9.8.19.tmp

Filesize
1.1MB

MD5
1a81372fd72743199f885cfed00c8e34

SHA1
7bb1a83593d07b3833c58150a0a678fc5898aca2

SHA256
fa6030367c0645fe9856ab1b75910c94e4ef32fdcede0ccd2805c6b2cef5f5ab

SHA512
ec79c5efaf4ff5288cca4c9ab7ddc962f17e6b1d92a8b63463ee0fbad889229eae5f3af3af831f209bc8a322a73cafa783d7aef698663bbe288bdda6cd3e5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Temp\{73866C79-78E4-4427-ACDC-AD1BBE02B9C9}\FileViewPro-S-1.9.8.19.exe

Filesize
58.1MB

MD5
35bc3d926698c1f580603e7a5c4b0cc6

SHA1
7aaacafbf325c08b4ef577994505fbf0cce87fc6

SHA256
b3a64b2c2d3292de9a9e9f590bf3ce04aecc8483af8f181f57aee1dad375e1be

SHA512
1e77629bba2eda9c4b7d0701785561c2326953b924984d08db177d02ef3f4e752ed1f37005e63aaa1b327db9294c076aa0447ed71c974da4410f4bee10872652

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7455C9CF-317F-4277-8B5E-13B5AA2DB313}\resources.1.0.0.34s

Filesize
1.6MB

MD5
65a9517b73bcfc01b3d46f715bf92c36

SHA1
444bbd5cdd8f9e4fe1be79a7c5dbcd2164765226

SHA256
835a6309713ce9102456ed8ce3b211cc1055fc17c981205e263859b21d6031f2

SHA512
7dcf27a044323485d93cef39e920acfb4cce24f2a09b55bcbfac174aa98f580d8c8078beb74b99886061b18be14ae38e452dd0187431820beebbf760db8a7496

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A11E2514-CEF0-4329-AC18-3ED69C75F36C}\Setup_WinThruster_2020.exe

Filesize
5.2MB

MD5
307fbb0c726073814c64104c74b054f8

SHA1
e885c33601ca6e3e56ade30eaad5aee9227b46ea

SHA256
c5603f15a7fd2cbadaadb3860ebcaac42b27499bed55f8a57b8278001a16ab9f

SHA512
07305bef38497ba914ac693d76f6f1380ec94aed02f5e8a6c8af5c1db785b8ffa91bc7573e7e69e2221807a5d96190be5069f4015311d77bb9fbec93c394a4eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
31a0d51484fd4a661ff443f154772942

SHA1
6913863938feeda63c97ed9e30e01598e388becb

SHA256
25e67dd553019bed843dd5abff0bcb63b8d72c9d458599504dd2b6805b0517ec

SHA512
e8ac88c5e3918e2198c4e74424beb55186331b338cf462c5d344b11980f99fb356818b7515faf5c88a4749c9890bc25d535374b0bbb4b30ccece7b66955932ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
449f79af2239ef101894636b028c21d1

SHA1
304084ae73b01b24f29182c108344122ebe22096

SHA256
67e80416e9ece440de7efac0e1a7e0efd841f34abd683be76b1ba93f2f42a0b7

SHA512
5474bf3cee4cbb7297b43b2e814ba41249e2dc99c232d9651e81e4315da6122cf4b08c903545af4ed03c1c77005bec447060b5d7f225c2d64a21e05f383b71c9

Download Submit
\??\pipe\LOCAL\crashpad_4360_WLCFBMFEYRQBLSLO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_60_VFLZYVRUKAXTPAVJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-248-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/228-162-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/396-1077-0x0000000009130000-0x00000000091CC000-memory.dmp

Filesize
624KB

Download
memory/396-1469-0x0000000007C90000-0x0000000007CBE000-memory.dmp

Filesize
184KB

Download
memory/396-1086-0x0000000009780000-0x0000000009D24000-memory.dmp

Filesize
5.6MB

Download
memory/396-1470-0x000000000A1B0000-0x000000000A1E8000-memory.dmp

Filesize
224KB

Download
memory/396-1124-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/396-1104-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/396-1458-0x000000000A340000-0x000000000A944000-memory.dmp

Filesize
6.0MB

Download
memory/396-1310-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/396-1134-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/396-1135-0x0000000004DC0000-0x0000000004E16000-memory.dmp

Filesize
344KB

Download
memory/396-1212-0x0000000007990000-0x00000000079AC000-memory.dmp

Filesize
112KB

Download
memory/396-1200-0x0000000007280000-0x000000000734E000-memory.dmp

Filesize
824KB

Download
memory/396-1198-0x0000000007120000-0x00000000071AA000-memory.dmp

Filesize
552KB

Download
memory/396-1168-0x0000000005660000-0x00000000056B0000-memory.dmp

Filesize
320KB

Download
memory/396-1140-0x0000000005270000-0x0000000005290000-memory.dmp

Filesize
128KB

Download
memory/396-1139-0x0000000007E90000-0x00000000084F2000-memory.dmp

Filesize
6.4MB

Download
memory/396-1076-0x00000000000F0000-0x00000000001AE000-memory.dmp

Filesize
760KB

Download
memory/396-1136-0x0000000005C40000-0x00000000068B2000-memory.dmp

Filesize
12.4MB

Download
memory/1120-1199-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/1120-324-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1120-501-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/1120-286-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/1120-396-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/1120-251-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1120-287-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/1120-1201-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/1120-1173-0x0000000000400000-0x0000000000B1D000-memory.dmp

Filesize
7.1MB

Download
memory/1276-506-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1276-1067-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1276-288-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1276-723-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1276-424-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2148-342-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2148-1069-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2148-265-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1519-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2824-1762-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2824-1730-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/2976-155-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2976-249-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3492-304-0x00007FFB28EA0000-0x00007FFB28EA1000-memory.dmp

Filesize
4KB

Download
memory/3888-1753-0x0000000007530000-0x0000000007550000-memory.dmp

Filesize
128KB

Download
memory/3888-1755-0x0000000009210000-0x000000000940A000-memory.dmp

Filesize
2.0MB

Download
memory/3888-1749-0x0000000009770000-0x0000000009AAE000-memory.dmp

Filesize
3.2MB

Download
memory/3888-1760-0x0000000008360000-0x000000000840A000-memory.dmp

Filesize
680KB

Download
memory/3888-1505-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/3888-1761-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/3888-1675-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/5088-492-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5088-1471-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5088-284-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5088-285-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/5088-1347-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5088-250-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/5088-394-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5088-1169-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download