82f5a693742c6c35f1280dbc5a4148598c129208dfc0544a5cd457b7ac8e824a

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_WinThruster_2024.exe
Size

7.3MB
MD5

62f9258f3ae4774f9dc169a2a0b1d68e
SHA1

56164f50722724275c0db381235d3b793f85acd5
SHA256

82f5a693742c6c35f1280dbc5a4148598c129208dfc0544a5cd457b7ac8e824a
SHA512

ef04a48d957d646e0b4fbdb68bfe59bedfb6f5701dd9497b2bc5abeea57b5d7be5f8694ca59d535c8d14514ecacfb6773476abcd3d2f65a1da7c0c75241d7fd2
SSDEEP

98304:cSi3CpUYtyBI5sdXR/YVTWXumt2Q7VJedSNtjrk8rNF3y0HWRR4cmWDjzK45:IClt4I+yTd2rJzrjr7H3r2R2qHb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WTNotifications.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	WTNotifications.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 41 IoCs

Processes:

Setup_WinThruster_2024.tmpWinThruster.exe

description	ioc	process
File created	C:\Program Files (x86)\WinThruster\is-6BBKV.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-3JJ7N.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-Q2QQ5.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-G3SDD.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\unins000.dat	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\En.chm	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-20RTL.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-GKSN6.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-GNEUM.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-RHCI2.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-TPDSR.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-G5VA8.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-KG4HM.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-A5G0T.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-1T15D.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-H2612.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-6E1DT.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-RAA8H.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\sqlite3.dll	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\unins000.dat	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-93UI8.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-M3T86.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-LMDRN.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\net.db	WinThruster.exe
File created	C:\Program Files (x86)\WinThruster\is-LO30V.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-NPL8R.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-VFGBE.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-OPIIU.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-O0S0I.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\WinThruster.exe	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-2TEGN.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-RQBC7.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\net.db-journal	WinThruster.exe
File created	C:\Program Files (x86)\WinThruster\is-7VM6F.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-CJ18F.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-RS28L.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-TM4CA.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-FOS5V.tmp	Setup_WinThruster_2024.tmp
File opened for modification	C:\Program Files (x86)\WinThruster\WTNotifications.exe	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-2VSQM.tmp	Setup_WinThruster_2024.tmp
File created	C:\Program Files (x86)\WinThruster\is-0DTP6.tmp	Setup_WinThruster_2024.tmp

Drops file in Windows directory 64 IoCs

Processes:

WinThruster.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100ita_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC2_v0400_AMD64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100deu_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Windows_Controls_Ribbon_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClientsideProviders_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcm80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC2_v0400_X86.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfcm100u_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\InkDiv.dll.8F02A4B3_A7D7_4F8C_87BE_FAF06999D9A2	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100cht_x64	WinThruster.exe
File opened for modification	C:\Windows\Panther\setuperr.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100deu_x86	WinThruster.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_vcomp100_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcp80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC_v0400_X86.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_SystemData_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbres00001.jrs	WinThruster.exe
File opened for modification	C:\Windows\Panther\DDACLSys.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC_X86.dll	WinThruster.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\microsoft.build.tasks.v4.0.dll_amd64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClientsideProviders_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC_AMD64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationCore_gac_amd64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_AMD64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Xaml_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_vcomp100_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_x86.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationTypes_x86.dll	WinThruster.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	WinThruster.exe
File opened for modification	C:\Windows\DtcInstall.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100kor_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationCore_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfcm100u_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationCore_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Xaml_x86.dll	WinThruster.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100fra_x86	WinThruster.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\rtscom.dll.99741D6B_FCC2_4B3D_83AB_413A37786D04	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system.core.dll_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\setuperr.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcp100_x64	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC_v0400_AMD64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_amd64.dll.mui	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationTypes_gac_x86	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WindowsBase_amd64.dll	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100fra_x64	WinThruster.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	WinThruster.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\microsoft.build.tasks.v4.0.dll_gac_x86	WinThruster.exe

Executes dropped EXE 3 IoCs

Processes:

Setup_WinThruster_2024.tmpWTNotifications.exeWinThruster.exe

pid process

2136 Setup_WinThruster_2024.tmp
2784 WTNotifications.exe
2788 WinThruster.exe

pid	process
2136	Setup_WinThruster_2024.tmp
2784	WTNotifications.exe
2788	WinThruster.exe

Loads dropped DLL 9 IoCs

Processes:

Setup_WinThruster_2024.exeSetup_WinThruster_2024.tmpWinThruster.exeWTNotifications.exe

pid	process
1688	Setup_WinThruster_2024.exe
2136	Setup_WinThruster_2024.tmp
2136	Setup_WinThruster_2024.tmp
2136	Setup_WinThruster_2024.tmp
2136	Setup_WinThruster_2024.tmp
2136	Setup_WinThruster_2024.tmp
2788	WinThruster.exe
2784	WTNotifications.exe
2788	WinThruster.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

WinThruster.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7772804-3287-418E-9072-CF2B47238981}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBB}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2aa2b5fe-b846-4d07-810c-b21ee45320e3}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{607fd4e8-0a03-11d1-ab1d-00c04fc9b304}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7be9d83c-a729-4d97-b5a7-1b7313c39e0a}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{883FF1FC-09E1-48e5-8E54-E2469ACB0CFD}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96749377-3391-11D2-9EE3-00C04F797396}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4C4C492-0049-4E2B-98FB-9537F6CE516D}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BB05961-5FBF-11D2-A521-44DF07C10000}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f13dd2e-ebee-4dd5-a72e-850b2087f5dd}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A09C534C-0057-462E-8402-2A21D38BFCA1}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEBB-D33A-4a4b-BF23-BBEF4663D017}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0087-ABCDEFFEDCBB}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{375ff002-dd27-11d9-8f9c-0002b3988e81}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49C407EF-78B9-4C82-A40B-2FE02F8E771D}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{548968f5-17f7-4751-a581-ff0f1c732995}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{937C1A34-151D-4610-9CA6-A8CC9BDB5D83}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9f37f39c-6f49-11d1-8c18-00c04fd8d503}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBB}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F04A-0000-0000-C000-000000000046}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1698790a-e2b4-11d0-b0b1-00c04fd8dca6}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74807f67-0058-440d-8600-65541a7fbbea}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{94596c7e-3744-41ce-893e-bbf09122f76a}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{49C69FAB-ED5E-4D48-9A65-E4816E5FE642}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A907657F-6FDF-11D0-8EFB-00C04FD912B2}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B2E8D89A-7A99-4b43-9638-DF4FF83EAC11}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3D3F924-11FC-11D3-BB97-00C04F8EE6C0}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00eebf57-477d-4084-9921-7ab3c2c9459d}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4C4A5E40-732C-11D0-8816-00A0C903B83C}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDFEE05C-4418-11DD-90ED-001C257CCFF1}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EFE6629C-81F7-4281-BD91-C9D604A95AF6}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F20DA720-C02F-11CE-927B-0800095AE340}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27F31D55-D6C6-3676-9D42-C40F3A918636}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3756e7f5-e514-4776-a32b-eb24bc1efe7a}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57154C7C-EDB2-3BFD-A8BA-924C60913EBF}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{743B5D60-628D-11D2-AE0F-006097B01411}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36738B5-FA8F-3316-A929-68099A32B43B}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E187-0000-0000-C000-000000000046}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71455ADC-0A77-405F-BF67-EA663D276653}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9C4D3346-650D-472d-A867-6F595B39D973}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a81d181b-0fd4-4442-91a1-b6febfaf1dc6}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ecabafcb-7f19-11d2-978e-0000f8757e2a}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C5221CB-C1F6-4999-8936-501C2023E4CD}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4003191F-71FF-49A2-B591-05C606FADB8B}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757336-5146-11D5-A672-00B0D022E945}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBB}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0042-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F0BC6AD-46D4-488B-BE1F-047FC7505E60}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D813DFE-6C91-4A4E-8F41-04346A841D9C}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E449686-C509-11CF-AAFA-00AA00B6015C}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73647561-0000-0010-8000-00AA00389B71}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ED96B21-73AA-11D2-952C-0060081840BC}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e126b7dd-1c3b-4821-b861-a6da9ce6f096}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{677126ed-2a91-40ff-8c52-06181c064573}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD9A7C7-6370-4A3C-A13F-6EA023A1E75C}\InprocServer32	WinThruster.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinThruster.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinThruster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinThruster.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1436 schtasks.exe

pid	process
1436	schtasks.exe

Modifies registry class 64 IoCs

Processes:

WinThruster.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4582746F-473B-4022-A7E9-887CBEDD8F85}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7EB5FBE4-2100-49E6-8593-17E130122F91}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DBBC77-588F-4517-A485-74A29759F54C}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{682D63B8-1692-31BE-88CD-5CB1F79EDB7B}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6C1C243A-2146-3342-8078-AC4BFB9DB4E9}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{92396AD0-68F5-11d0-A57E-00A0C9138C66}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9443B89B-6564-496a-B19C-6C6D22709045}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01D0A625-782D-4777-8D4E-547E6457FAD5}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4db26476-6787-4046-b836-e8412a9e8a27}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{593817A0-7DB3-11CF-A2DE-00AA00B93356}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757322-5146-11D5-A672-00B0D022E945}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86d5eb8a-859f-4c7b-a76b-2bd819b7a850}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08295C62-7462-3633-B35E-7AE68ACA3948}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73AD6842-ACE0-45E8-A4DD-8795881A2C2A}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b5827163-52b0-42c2-940f-f1d72cab1251}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6E73D20-0C8A-11d2-A484-00C04F8EFB69}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ecabafcb-7f19-11d2-978e-0000f8757e2a}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F80608CB-5A88-4046-9E4B-3C1BB368F2DA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2BD40F38-DE45-429D-9D04-24F7C24C78FD}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98042251-8C2B-4FC4-93E2-B1DB331EF5B9}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{98D99750-0B8A-4c59-9151-589053683D73}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DBD2C50-62AD-11d0-B806-00C04FD706EC}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA04CA0B-7597-4F3E-99A8-36712D13D676}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC829A2F-3365-463F-AF13-81DBB6F3A555}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E38DA416-8050-3786-8201-46F187C15213}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{58221C6A-EA27-11CF-ADCF-00AA00A80033}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42C9B9F5-16FC-47ef-AF22-DA05F7C842E3}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8336e323-2e6a-4a04-937c-548f681839b3}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B056521A-9B10-425E-B616-1FCD828DB3B1}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E26B366D-F998-43ce-836F-CB6D904432B0}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA7A549-7BFF-4aae-BAB0-22D43111DE49}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{52ce2fe5-04c3-42fd-8a8b-4251affb8408}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7007ACD4-3202-11D1-AAD2-00805FC1270E}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{884e2011-217d-11da-b2a4-000e7bbb2b09}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2E88C2F-6F5B-4AAA-894B-55C847AD3A2D}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32557D3B-69DC-4F95-836E-F5972B2F6159}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E483DC9-7E4D-4861-B496-7E00B7FA184F}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7057e952-bd1b-11d1-8919-00c04fc2c836}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9f37f39c-6f49-11d1-8c18-00c04fd8d503}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07AA0886-CC8D-4e19-A410-1C75AF686E62}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{93852550-5403-4E1B-AF8C-5806F151B2F5}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E175B70-F52A-11D8-B9A5-505054503030}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5AB5662-131D-453D-88C8-9BBA87502ADE}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8101368E-CABB-4426-ACFF-96C4108120CD}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBEAA915-4D2C-3F77-98E8-A258B0FD3CEF}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1621129-45C4-41AD-A1D1-AF7EAFABEEDC}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D8013EF1-730B-45E2-BA24-874B7242C425}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{414AC301-8D95-43C8-99D0-3F25E4076945}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BF043EF-A974-49B3-8322-B853CF1E5EC5}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7E4A23E2-B969-4761-BE35-1A8CED58E323}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE40-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9C4D3346-650D-472d-A867-6F595B39D973}\InprocServer32	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFF4A44B-1897-453F-B6A1-BE152D0A0F75}	WinThruster.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}\InprocServer32	WinThruster.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup_WinThruster_2024.tmp

pid process

2136 Setup_WinThruster_2024.tmp
2136 Setup_WinThruster_2024.tmp

pid	process
2136	Setup_WinThruster_2024.tmp
2136	Setup_WinThruster_2024.tmp

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

WTNotifications.exe

description	pid	process
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe
Token: SeBackupPrivilege	2784	WTNotifications.exe
Token: SeSecurityPrivilege	2784	WTNotifications.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Setup_WinThruster_2024.tmpWTNotifications.exe

pid process

2136 Setup_WinThruster_2024.tmp
2784 WTNotifications.exe
2784 WTNotifications.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

WTNotifications.exe

pid process

2784 WTNotifications.exe
2784 WTNotifications.exe

pid	process
2136	Setup_WinThruster_2024.tmp
2784	WTNotifications.exe
2784	WTNotifications.exe

pid	process
2784	WTNotifications.exe
2784	WTNotifications.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Setup_WinThruster_2024.exeSetup_WinThruster_2024.tmpWinThruster.exe

description	pid	process	target process
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 1688 wrote to memory of 2136	1688	Setup_WinThruster_2024.exe	Setup_WinThruster_2024.tmp
PID 2136 wrote to memory of 2784	2136	Setup_WinThruster_2024.tmp	WTNotifications.exe
PID 2136 wrote to memory of 2784	2136	Setup_WinThruster_2024.tmp	WTNotifications.exe
PID 2136 wrote to memory of 2784	2136	Setup_WinThruster_2024.tmp	WTNotifications.exe
PID 2136 wrote to memory of 2784	2136	Setup_WinThruster_2024.tmp	WTNotifications.exe
PID 2136 wrote to memory of 2788	2136	Setup_WinThruster_2024.tmp	WinThruster.exe
PID 2136 wrote to memory of 2788	2136	Setup_WinThruster_2024.tmp	WinThruster.exe
PID 2136 wrote to memory of 2788	2136	Setup_WinThruster_2024.tmp	WinThruster.exe
PID 2136 wrote to memory of 2788	2136	Setup_WinThruster_2024.tmp	WinThruster.exe
PID 2788 wrote to memory of 1436	2788	WinThruster.exe	schtasks.exe
PID 2788 wrote to memory of 1436	2788	WinThruster.exe	schtasks.exe
PID 2788 wrote to memory of 1436	2788	WinThruster.exe	schtasks.exe
PID 2788 wrote to memory of 1436	2788	WinThruster.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Setup_WinThruster_2024.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_WinThruster_2024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\is-SPNKP.tmp\Setup_WinThruster_2024.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SPNKP.tmp\Setup_WinThruster_2024.tmp" /SL5="$30150,6737092,878080,C:\Users\Admin\AppData\Local\Temp\Setup_WinThruster_2024.exe"
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files (x86)\WinThruster\WinThruster.exe
"C:\Program Files (x86)\WinThruster\WinThruster.exe" /START
3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Program Files (x86)\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
4⤵
- Creates scheduled task(s)
PID:1436

C:\Program Files (x86)\WinThruster\WTNotifications.exe
"C:\Program Files (x86)\WinThruster\WTNotifications.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinThruster\Cookies.txt
Filesize
177B

MD5
2bde23fc871c1b6a552f83d4e18157f2

SHA1
bd00a74b0c45898195295464a1e6105774a034da

SHA256
60ece1ea1e17fd213400438616aacc395665e5e56fbc04c2c98067b445fe68e9

SHA512
72402035285dfc8da6a3d1200bca65982fc5495b50fc0e61ce5d4082e256571508f460e81477a331f120a70d3fd536ef73a5e4ead59ab76ff5348a3a710bd052

Download Submit
C:\Program Files (x86)\WinThruster\English.ini
Filesize
81KB

MD5
05d92a969983b83314a0ea2fcef74203

SHA1
9ee3aa567438a28285e1141e4014bb6c473195fc

SHA256
7d07617e39f7dfeccaf894c89b6f85d35d41082b8bed893513bb1b7cad4ac823

SHA512
00fde33bc30148f2e81f2054fe585c9a7605390af013c3aa84b23d59f35413c5f2d494974878d9891db14c9bb43ab2e77a1c707326e7052f2440655272914033

Download Submit
C:\Program Files (x86)\WinThruster\IDs.txt
Filesize
1KB

MD5
3773c8efba54912d59c27b03d4790479

SHA1
48c71bf4680d180295be0c975dbcfbf8d89840dd

SHA256
a4e44a28ccac2dfbcd03104ec32f8589bd55988af981cd167a486c2181112514

SHA512
64f0de1c862391bf86bc15bd8e4f430420cb0c8f6d4eaef67770e6c9f99cff874fa44ef73d8ae73f6416df35f7763d56da451f5237e3c3b1868371f4bf534957

Download Submit
C:\Program Files (x86)\WinThruster\SList.txt
Filesize
77KB

MD5
e246b232635098d4f0fb5fa2d33b15fd

SHA1
92a900a20d5f00923cc69902409310990df6cd68

SHA256
75143874b8165e82187d430a55bb732e7eb765cc0b378c1b9da8638b091875b1

SHA512
19da2beee854d9c2d66f2556a5744ff311666f9d7d8a27e7ac5c50c9d3b3754ef37f13690df42cb0468f18d0619c35c789080415aecf3d22373fc1f3e55be2ca

Download Submit
C:\Program Files (x86)\WinThruster\SiteNtf.txt
Filesize
4KB

MD5
023938522a2335379044391c1b83656a

SHA1
1761b2dcadb48689c7c052393490043e050e5fea

SHA256
66aae467ef3636628b6eb4c4dc2e210990bb6440653cc3aafb7800b89a8da1ec

SHA512
0f88726ee74a9d51dfd888120d0e0dc1c66949374388ef4a394b4a2cd59056dbada68fe75929f4374b4441cfd8b8100e5edfaaa2982dba9f02d0322f1d1dd389

Download Submit
C:\Program Files (x86)\WinThruster\WTNotifications.exe
Filesize
1.1MB

MD5
4e8601b100f1c06c8dd9d2e59b7f5b03

SHA1
63898d07382fd65c2633627838cd70ee0b6645a0

SHA256
d006c79e1833c2c4962870b7eb63baaad3cc757f39dd766a7fde4aadb685bb9f

SHA512
4aa3a19e41c87461eb00900b3bbce53cec89f177117276ed2579f2e7e982923d521d7840cd07367da845358ddbbb26202d6b7650a8e15a6ea16f654f95a13e1f

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
1.6MB

MD5
c5b9aa13cc069f4eeead8cdb4d8cd744

SHA1
66fde536f929183a0b556b56bb491018fd5a34db

SHA256
90750d2967b4e5d106ba857ac958051f9114515da89f58bc6146fac6b71fc0f2

SHA512
9f81e408d248cb67548d11168506a7ef6a9e8795d7c4f4d49c8a5d40538343da17ff54dc0f76de9eca6247deeff47569f39686f1cec2b8f3de9098806e3ec81c

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
370KB

MD5
966cf0c9773a3774bc1262b748e0a654

SHA1
07050837cad6f3cbf0cd52da786959cc260dc2e1

SHA256
b04efc2de158029110c798babd24a4a6650ae4e497fe5830aee40076f8a4114b

SHA512
726568fcb2e2dbc1f8555cd285ca509af6e2270b945592e81bc812554673de2b46d072fe897b1c735f61e646d01f57e926c5357f9bc080785921dec971238400

Download Submit
C:\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
1.9MB

MD5
2054d050be976063652663dfe1e1809f

SHA1
841c051277eaf487e3c329ec6b9b062a7be5d2b9

SHA256
6a1c7651f15a6b2dc46c9661d9b24fd694dae50dc478f9333866e5d204be2ff6

SHA512
f9f8fca84d1d7739d419d6fef9acda9cf679e6869b7a2bf2e01d8451c2e06a571557aab79487667fba29d692fa9954a54ce3ebe59d563545d67f90cc21aa67c0

Download Submit
C:\Program Files (x86)\WinThruster\net.db
Filesize
1.2MB

MD5
0dbd2a5a724a726bd1090af1b931a201

SHA1
fff56ea8658c3e3b697f1563941bb3748e0c543d

SHA256
1bbc401b93dd2508de9a3f1a4e9e0c5f92dfe288a5ebc5c13f91d6745b36f591

SHA512
6f5e0187aae681e6bd25d18af48ff6d772b0d3680556d13e447478e8dac5914d603fe44529f58fbed18c1c03638016ee5e8d8052deda94cefd43dcd197c6b41e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\Uninstall WinThruster.lnk
Filesize
1KB

MD5
0e61b9c3fa79fa2b5c2c5321edc30d70

SHA1
172ba7cdea840d0bd2c7607c70bc804a4110779e

SHA256
67f233c517d90fb917f6988bf812cc325b0d8bcf7017d3a67f00b2bb481f9201

SHA512
7ee37d0f736f239e85b83609c0ffeb70b26f0edb3f6a92fdb0fe85fa9edb155629dc9203800c2b5a421ac3a5b5e37121b1577238a70f8e08f09c51c88653fa31

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster on the Web.lnk
Filesize
1KB

MD5
777408d0c74916fa1c9fc82b96e8407d

SHA1
5c684e96d3a57d8667734dbcb9c9a97b58fd22f5

SHA256
b3d81df235925bdf9001f9ec6f2e1012f8e3db74356d0dac42f5b2120ae48f0a

SHA512
f192be59336d3176a16614fffb0e4f81776b7b074489cdc8770e9285bbab40d7f8bdbc9cc27be3de37b3148aaff085e901ffbdd67db91f01bfc60be5511d59a3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinThruster\WinThruster.lnk
Filesize
1KB

MD5
49a6312d14de8e1b415d3deaf1aaeba0

SHA1
6dd9e5aba43572917318bb66dc1af42743625352

SHA256
7b9870e226b43dd74c4bc75fa3f8b07d4e99d273af8a08763a58a2fd2edcb670

SHA512
a0d773f8113743015de9805c912918ba0c4faa6cb1ef0167fe9a0f676cff7151cf59f4307539d5aff83281f604e670524a720da722dc7f2eb4b42ca152c9275a

Download Submit
C:\Users\Admin\AppData\Roaming\WinThruster\Log\Tasks.log
Filesize
416B

MD5
f3dbef81b21879b19cb6b032346cd38a

SHA1
cfb07be05e66db66a64448ac005650ee82eb519d

SHA256
dfc6f6215a152211543914daa81e726b5598d7f68c1d748c77a29fc870a91acb

SHA512
d85ec8161e448cc85327f158c81a765e474d2da359781c0f8871e279a1c8dd6295de2edcc582eceae606cff87e04927e8ae68670c78e0c9b14e08c7af5fa0b26

Download Submit
C:\Users\Admin\Desktop\WinThruster.lnk
Filesize
1KB

MD5
4c2db38c9ccfb3fdf108a493663a7891

SHA1
33852dbd029529acbf91d966fb6aeebcb12e26a6

SHA256
807876a6b594dfc8955dc55a0b1d0c85a0b68af137d16749a9c0f09afddc54ad

SHA512
22656b1001476a92c2d88c13a71892579bd5d473d4729640ab29b4fd8c95e0f9e81b258d5775ad74f32d5769976d936ec586330ecd768a49d06a8a8da0911a71

Download Submit
\Program Files (x86)\WinThruster\WTNotifications.exe
Filesize
1.6MB

MD5
d0dc3d8f06003a61fac301a8eeeee76a

SHA1
fccf833a8dcbf2dc0a1a99fc239f33f505c7d75b

SHA256
af9bc96440542c40ccbe131a7edf352b5510358e69e0f0cfaba008519f96192e

SHA512
bbcd5991d879387e71c4fb1f89c0de78166569966bdc0c28233bf6b097c39bcc97101b2e11437fc08b4f33e4e97849b0b20707fd4f1d3296d3a55f7be6e8bc72

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
310KB

MD5
c9504bab9feb64ebbbe06ed053c0dccb

SHA1
5e246b156b14600d076f803a5e430dd8e859dee7

SHA256
c3b0ba517a757dde8fe4f42bfda8c39746565464175b642c0c9f0174c130c628

SHA512
e806a5e38b306c1de4df5cbe572e86078af3b68fcebb51fd7770d8ee779bc9e383905bdae5fe58fcb385581ec61da48ec53257d9ea5d1f0f0922668b33943530

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
2.4MB

MD5
19ba5413289bd5bdb23016dd81f68df5

SHA1
e78f400fd1d08ff49ba6f9ca497de9d68bbf1e49

SHA256
9e679d2e9a1b06dc676128c9899f3ddd5f607f42c1776836714b6370846cb2d2

SHA512
ec275c5fdcead323753ca3e3384d3edf9b99955ad7ed4d64fcd4c32be9570a44eef24a53360b2c95160878607e415c2b0f47a09223bfe4841d76f01f341ac61b

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
1.6MB

MD5
3cb3ad207b050c6e7722071efaed7e31

SHA1
a4212194185dc949dcfa46e266e323579d9d5ad5

SHA256
6cdd1c8d553c1c8b21d376b5e2c974960cc674a203794bd993e001fdd1be7cfe

SHA512
0b241ad33eb66898cd11c0168b59160b654387c083f4f16be92d6cebfb326516938d02bf16047da8a535d06e0ec1b163eebdc043689b09f9a8bf4d56230e99d6

Download Submit
\Program Files (x86)\WinThruster\WinThruster.exe
Filesize
1.3MB

MD5
1990e34c5997476abeef4ac6ed945555

SHA1
99cf28fe3a61eeca6fc5d1a42a8ef89e9aae9053

SHA256
9e91496fba927e9ae82e7a0ac687c496053c1e7b2108c0c519ef2ce6655f5429

SHA512
c1c4608e4fed6e4b94721ffc6b0b9af08899d69e3e8dd289e79ef778c742d55d7953625f6392de35e4efbddc5a8beeb1b1c51c7dedbd4cf0656f02d2efae49da

Download Submit
\Program Files (x86)\WinThruster\sqlite3.dll
Filesize
1.1MB

MD5
fdf0245a035f89de1af8a2091258c9ac

SHA1
78536c09808a207f45e901f14de5b038aabaede3

SHA256
6120e410ff9e5cad41b47cd5fcb23cc3f8bd8f505a86e158c578e15869489367

SHA512
4bd214bc4dbd749a429e1753c59c395344607884e20cfa3e1c0dde655e2c6c1e49ab5388e70112e83c7c71b005a985019e39bb00c1e5c1b8e90b5a3d6219e1c3

Download Submit
\Program Files (x86)\WinThruster\unins000.exe
Filesize
1.3MB

MD5
2b951ce60041dab07e5cd7f3a1548473

SHA1
a342fd447166dbff03f12b6d13637e951e263401

SHA256
47dd8e2cdc2af38c518e0566463dd8715f0e97d6ab6563633652be53c65b60e2

SHA512
0fee475da945136c0f45254fee15f0dc864654e434ae30036765ddad25e2eb9850b3995ed4f6db43b46aad4999f42af6555d2c4435e79b68bbb21a732b0d9ce2

Download Submit
\Users\Admin\AppData\Local\Temp\is-SPNKP.tmp\Setup_WinThruster_2024.tmp
Filesize
3.1MB

MD5
16a420e714bb48a8d432e3fd4f30db9f

SHA1
989fcf9a41445934e108b0e6b5c65936e9aa242a

SHA256
a0b1ac070ed5fc2b0c7e0dcbcfa3d5a127d3fe2c33ac62baf1976ed244bef7a7

SHA512
79b866dffad2f0ef572700449a1bd56fd8fee86fb2b454fea2938e14cba3a1ebb979f3d233b81ea19b74480334947f157f7218bb8214c4b86142528d5dd01193

Download Submit
memory/1688-1-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1688-109-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2136-107-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2136-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2784-176-0x0000000000220000-0x0000000000721000-memory.dmp

Filesize
5.0MB

Download
memory/2784-215-0x0000000000220000-0x0000000000721000-memory.dmp

Filesize
5.0MB

Download
memory/2784-158-0x0000000000220000-0x0000000000721000-memory.dmp

Filesize
5.0MB

Download
memory/2784-159-0x0000000061E00000-0x0000000061EF4000-memory.dmp

Filesize
976KB

Download
memory/2784-166-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2784-108-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2784-168-0x0000000000220000-0x0000000000721000-memory.dmp

Filesize
5.0MB

Download
memory/2788-161-0x0000000061E00000-0x0000000061EF4000-memory.dmp

Filesize
976KB

Download
memory/2788-164-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-178-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-183-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-187-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-170-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-167-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2788-174-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-160-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-195-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-199-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-211-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-213-0x0000000000C00000-0x000000000165E000-memory.dmp

Filesize
10.4MB

Download
memory/2788-214-0x0000000061E00000-0x0000000061EF4000-memory.dmp

Filesize
976KB

Download
memory/2788-111-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download