File name: Setup_WinThruster_2024.exe

Full analysis: https://app.any.run/tasks/08b52ac0-c383-4b43-bfc9-08a7220b5cac
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: September 08, 2024, 21:04:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
amsi-bypass
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 181D889E7EB54899E87C04259CA92D8E
SHA1: 057AB3B6C65FB3B21B39C980BE830B1C0670EB86
SHA256: DE2B03685F485DCDC63F5E00A21969ECC97335186DA7B1066D0BA8A08945BACF
SSDEEP: 98304:E+cD4dncgcStn7vTAy5fM8PMPt55YoOlrSBzwNyOrs+Kclpp4BsI+d7HVB9X3MlR:xsbUbGFfKeEuqAma

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • WinThruster.exe (PID: 2112)
    • Actions look like stealing of personal data

      • WinThruster.exe (PID: 2112)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Setup_WinThruster_2024.tmp (PID: 6188)
      • Setup_WinThruster_2024.tmp (PID: 5700)
      • RegAsm.exe (PID: 5888)
      • RegAsm.exe (PID: 1480)
      • RegAsm.exe (PID: 252)
      • RegAsm.exe (PID: 7000)
      • WinThruster.exe (PID: 2112)
    • Process drops legitimate windows executable

      • Setup_WinThruster_2024.tmp (PID: 5700)
      • mscorsvw.exe (PID: 2128)
      • mscorsvw.exe (PID: 6408)
      • mscorsvw.exe (PID: 4248)
      • mscorsvw.exe (PID: 6984)
      • mscorsvw.exe (PID: 6120)
      • mscorsvw.exe (PID: 6312)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 5852)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 236)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 6964)
    • Process drops SQLite DLL files

      • Setup_WinThruster_2024.tmp (PID: 5700)
    • Executable content was dropped or overwritten

      • Setup_WinThruster_2024.exe (PID: 4092)
      • Setup_WinThruster_2024.exe (PID: 6176)
      • Setup_WinThruster_2024.tmp (PID: 5700)
      • mscorsvw.exe (PID: 6408)
      • mscorsvw.exe (PID: 2128)
      • mscorsvw.exe (PID: 4248)
      • mscorsvw.exe (PID: 6984)
      • mscorsvw.exe (PID: 6312)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6120)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 6200)
      • mscorsvw.exe (PID: 5852)
      • mscorsvw.exe (PID: 236)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 6964)
    • Reads the Windows owner or organization settings

      • Setup_WinThruster_2024.tmp (PID: 5700)
    • Uses TASKKILL.EXE to kill process

      • Setup_WinThruster_2024.tmp (PID: 5700)
    • Creates/Modifies COM task schedule object

      • RegAsm.exe (PID: 1480)
      • RegAsm.exe (PID: 7000)
    • Executes as Windows Service

      • WinThrusterSVC.exe (PID: 872)
      • WmiApSrv.exe (PID: 6372)
      • WmiApSrv.exe (PID: 320)
      • WmiApSrv.exe (PID: 8048)
    • The process checks if it is being run in the virtual environment

      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThrusterWidget.exe (PID: 7896)
    • Starts CMD.EXE for commands execution

      • WinThruster.exe (PID: 2112)
    • Searches for installed software

      • WinThruster.exe (PID: 2112)
  • INFO

    • Reads the computer name

      • Setup_WinThruster_2024.tmp (PID: 6188)
      • Setup_WinThruster_2024.tmp (PID: 5700)
      • ngen.exe (PID: 2112)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 6408)
      • mscorsvw.exe (PID: 4248)
      • RegAsm.exe (PID: 5888)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6120)
      • mscorsvw.exe (PID: 2128)
      • mscorsvw.exe (PID: 6000)
      • mscorsvw.exe (PID: 6984)
      • mscorsvw.exe (PID: 6312)
      • mscorsvw.exe (PID: 1288)
      • mscorsvw.exe (PID: 4344)
      • mscorsvw.exe (PID: 608)
      • mscorsvw.exe (PID: 3832)
      • ngen.exe (PID: 4084)
      • mscorsvw.exe (PID: 4708)
      • mscorsvw.exe (PID: 6200)
      • mscorsvw.exe (PID: 5504)
      • mscorsvw.exe (PID: 4824)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 5852)
      • mscorsvw.exe (PID: 4060)
      • mscorsvw.exe (PID: 1332)
      • mscorsvw.exe (PID: 6740)
      • mscorsvw.exe (PID: 5476)
      • mscorsvw.exe (PID: 2476)
      • ngen.exe (PID: 6984)
      • mscorsvw.exe (PID: 2080)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 3980)
      • mscorsvw.exe (PID: 236)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 6964)
      • mscorsvw.exe (PID: 6344)
      • mscorsvw.exe (PID: 1748)
      • mscorsvw.exe (PID: 4876)
      • mscorsvw.exe (PID: 7132)
      • mscorsvw.exe (PID: 6380)
      • WinThrusterSVC.exe (PID: 872)
      • WinThrusterWidget.exe (PID: 1404)
      • RegAsm.exe (PID: 1480)
      • WinThruster.exe (PID: 2112)
      • RegAsm.exe (PID: 252)
      • RegAsm.exe (PID: 7000)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThrusterWidget.exe (PID: 7896)
      • identity_helper.exe (PID: 7020)
    • Process checks computer location settings

      • Setup_WinThruster_2024.tmp (PID: 6188)
      • Setup_WinThruster_2024.tmp (PID: 5700)
      • WinThruster.exe (PID: 2112)
    • Checks supported languages

      • Setup_WinThruster_2024.exe (PID: 6176)
      • Setup_WinThruster_2024.exe (PID: 4092)
      • Setup_WinThruster_2024.tmp (PID: 5700)
      • Setup_WinThruster_2024.tmp (PID: 6188)
      • ngen.exe (PID: 2112)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 4248)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6408)
      • RegAsm.exe (PID: 5888)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 6120)
      • mscorsvw.exe (PID: 6000)
      • mscorsvw.exe (PID: 2128)
      • mscorsvw.exe (PID: 6312)
      • mscorsvw.exe (PID: 1288)
      • mscorsvw.exe (PID: 6984)
      • mscorsvw.exe (PID: 4344)
      • mscorsvw.exe (PID: 608)
      • ngen.exe (PID: 4084)
      • mscorsvw.exe (PID: 4708)
      • mscorsvw.exe (PID: 4060)
      • mscorsvw.exe (PID: 6200)
      • mscorsvw.exe (PID: 5504)
      • mscorsvw.exe (PID: 4824)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 5852)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 6740)
      • mscorsvw.exe (PID: 1332)
      • mscorsvw.exe (PID: 5476)
      • mscorsvw.exe (PID: 2476)
      • ngen.exe (PID: 6984)
      • mscorsvw.exe (PID: 2080)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6964)
      • mscorsvw.exe (PID: 236)
      • mscorsvw.exe (PID: 3980)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 4876)
      • mscorsvw.exe (PID: 1748)
      • mscorsvw.exe (PID: 7132)
      • mscorsvw.exe (PID: 6380)
      • mscorsvw.exe (PID: 6344)
      • WinThrusterSVC.exe (PID: 872)
      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThruster.exe (PID: 2112)
      • RegAsm.exe (PID: 1480)
      • RegAsm.exe (PID: 7000)
      • RegAsm.exe (PID: 252)
      • WinThrusterWidget.exe (PID: 7896)
      • identity_helper.exe (PID: 7020)
    • Creates files in a temporary directory

      • Setup_WinThruster_2024.exe (PID: 6176)
      • Setup_WinThruster_2024.exe (PID: 4092)
      • Setup_WinThruster_2024.tmp (PID: 5700)
    • Creates files in the program directory

      • Setup_WinThruster_2024.tmp (PID: 5700)
    • The process uses the downloaded file

      • Setup_WinThruster_2024.tmp (PID: 5700)
      • RegAsm.exe (PID: 5888)
      • RegAsm.exe (PID: 1480)
      • RegAsm.exe (PID: 252)
      • RegAsm.exe (PID: 7000)
      • WinThruster.exe (PID: 2112)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 5888)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 6408)
      • mscorsvw.exe (PID: 4248)
      • mscorsvw.exe (PID: 6120)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6000)
      • mscorsvw.exe (PID: 6312)
      • mscorsvw.exe (PID: 4708)
      • mscorsvw.exe (PID: 6200)
      • mscorsvw.exe (PID: 4060)
      • mscorsvw.exe (PID: 2724)
      • mscorsvw.exe (PID: 1332)
      • mscorsvw.exe (PID: 5852)
      • mscorsvw.exe (PID: 2080)
      • mscorsvw.exe (PID: 3728)
      • mscorsvw.exe (PID: 6456)
      • mscorsvw.exe (PID: 6964)
      • mscorsvw.exe (PID: 3832)
      • mscorsvw.exe (PID: 3980)
      • RegAsm.exe (PID: 1480)
      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThruster.exe (PID: 2112)
      • RegAsm.exe (PID: 252)
      • RegAsm.exe (PID: 7000)
      • WinThrusterSVC.exe (PID: 872)
      • WinThrusterWidget.exe (PID: 7896)
    • Creates files or folders in the user directory

      • Setup_WinThruster_2024.tmp (PID: 5700)
      • WinThruster.exe (PID: 2112)
    • Creates a software uninstall entry

      • Setup_WinThruster_2024.tmp (PID: 5700)
    • Reads the time zone

      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThrusterWidget.exe (PID: 7896)
    • Sends debugging messages

      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThruster.exe (PID: 2112)
      • WinThrusterWidget.exe (PID: 7896)
    • Reads CPU info

      • WinThrusterWidget.exe (PID: 1404)
      • WinThrusterWidget.exe (PID: 1116)
      • WinThrusterWidget.exe (PID: 7896)
    • Manual execution by a user

      • msedge.exe (PID: 6684)
    • Application launched itself

      • msedge.exe (PID: 6684)
      • msedge.exe (PID: 2128)
    • Disables trace logs

      • WinThruster.exe (PID: 2112)
    • Checks proxy server information

      • WinThruster.exe (PID: 2112)
    • Reads Environment values

      • identity_helper.exe (PID: 7020)
    • Reads the software policy settings

      • WinThruster.exe (PID: 2112)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 284672
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.8.11.0
ProductVersionNumber: 1.8.11.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Solvusoft Corporation.
FileDescription: WinThruster Setup
FileVersion: 1.8.11.0
LegalCopyright: © 2010 - 2024 Solvusoft Corporation.
OriginalFileName:
ProductName: WinThruster
ProductVersion: 1.8.11.0
No data.
All screenshots are available in the full report
Total processes: 261
Monitored processes: 133
Malicious processes: 8
Suspicious processes: 4

Behavior graph

The interactive graph is available in the full report. Processes shown in it: setup_winthruster_2024.exe, setup_winthruster_2024.tmp, taskkill.exe, conhost.exe, regasm.exe, ngen.exe, mscorsvw.exe (many instances), sc.exe, winthrustersvc.exe, winthrusterwidget.exe, wmiapsrv.exe, winthruster.exe, cmd.exe, msedge.exe (many instances) and identity_helper.exe; most nodes are marked "no specs" in the graph.

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 236
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 0 -NGENProcess 318 -Pipe 328 -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Runtime Optimization Service
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\vcruntime140_clr0400.dll
c:\windows\syswow64\advapi32.dll
PID: 252
CMD: C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\regasm.exe "C:\Program Files (x86)\WinThruster\WinThrusterShellExt.dll" /u
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4808 --field-trial-handle=2316,i,804005813398891055,14498777267681040322,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 320
CMD: C:\WINDOWS\system32\wbem\WmiApSrv.exe
Path: C:\Windows\System32\wbem\WmiApSrv.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\psapi.dll
PID: 608
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 3b0 -Pipe 370 -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Runtime Optimization Service
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 780
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7080 --field-trial-handle=2316,i,804005813398891055,14498777267681040322,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 872
CMD: "C:\Program Files (x86)\WinThruster\WinThrusterSVC.exe"
Path: C:\Program Files (x86)\WinThruster\WinThrusterSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Solvusoft Corporation
Integrity Level:
SYSTEM
Description:
WinThruster Service
Version:
1.8.9.0
Modules (images):
c:\program files (x86)\winthruster\winthrustersvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 1076
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6804 --field-trial-handle=2316,i,804005813398891055,14498777267681040322,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1116
CMD: "C:\Program Files (x86)\WinThruster\WinThrusterWidget.exe"
Path: C:\Program Files (x86)\WinThruster\WinThrusterWidget.exe
Parent process: Setup_WinThruster_2024.tmp
User:
admin
Company:
Solvusoft Corporation
Integrity Level:
HIGH
Description:
WinThruster Widget
Exit code:
0
Version:
1.8.9.0
Modules (images):
c:\program files (x86)\winthruster\winthrusterwidget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 1124
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 42 120
Read events: 41 889
Write events: 207
Delete events: 24

Modification events

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.1

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\WinThruster

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\WinThruster\

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: WinThruster

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: Inno Setup: Language
Value: en

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: DisplayName
Value: WinThruster

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\WinThruster\WinThruster.exe

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\WinThruster\unins000.exe"

(PID) Process: (5700) Setup_WinThruster_2024.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{915F9C13-69E6-49C5-A754-1B2431FB54E9}}_is1
Operation: write
Name: QuietUninstallString
Value: "C:\Program Files (x86)\WinThruster\unins000.exe" /SILENT
Executable files: 66
Suspicious files: 329
Text files: 83
Unknown types: 1

Dropped files

Columns: PID, Process, Filename, Type (followed by the file's MD5 and SHA256)

PID 4092 | Setup_WinThruster_2024.exe | C:\Users\admin\AppData\Local\Temp\is-NGC3K.tmp\Setup_WinThruster_2024.tmp | executable
MD5: 5CEFDB2DE802D059FF1A7ABF575BBCF0
SHA256: D3E855D3D746B1D40C583CF3743DF569632B1D7F8993A2FE1B953ED2C426F005

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\is-DEIDQ.tmp | executable
MD5: 451C5BEA7ABBC94965E9617DEFD3F723
SHA256: 4369968563500089420B656CB5BAE8B01F4B6A56659709B726FBE14CD519A663

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\Microsoft.Expression.Drawing.dll | executable
MD5: DF234383C91C6F52386FF064F6521618
SHA256: C4F7B7D98DB894D7B19D2DD25B0B1987D195778B35302152ED3D5E4F3E5901A4

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\is-QBKBH.tmp | executable
MD5: 288954BAF4019CB2A9B1674E0484BF5B
SHA256: CC77DA240EE40794E978FEC4BB10E00E47DF353372B75A059BC0DDD09CD04F88

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\is-IGF72.tmp | executable
MD5: DF234383C91C6F52386FF064F6521618
SHA256: C4F7B7D98DB894D7B19D2DD25B0B1987D195778B35302152ED3D5E4F3E5901A4

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\WinThruster.exe | executable
MD5: 288954BAF4019CB2A9B1674E0484BF5B
SHA256: CC77DA240EE40794E978FEC4BB10E00E47DF353372B75A059BC0DDD09CD04F88

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\WTRN.exe | executable
MD5: 821C587F429AF1D3349836048ACB3D56
SHA256: 2CED1C8E8B7C07BE07B3F9365E8467154BEEAE05120B6A102A89A3E55C763DDA

PID 5700 | Setup_WinThruster_2024.tmp | C:\Users\admin\AppData\Local\Temp\is-FFL44.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\is-5FTVM.tmp | executable
MD5: FAAD3F97BFA669AB0302F0A4EBF46D6F
SHA256: 68E8235C506C4F4A134837F6E2F37CDDB2C4F146C8A5112FF8C83F4D19616603

PID 5700 | Setup_WinThruster_2024.tmp | C:\Program Files (x86)\WinThruster\unins000.exe | executable
MD5: 451C5BEA7ABBC94965E9617DEFD3F723
SHA256: 4369968563500089420B656CB5BAE8B01F4B6A56659709B726FBE14CD519A663
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 149
TCP/UDP connections: 123
DNS requests: 115
Threats: 6

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation (a cell is left out where the report shows none)

4316 RUXIMICS.exe | GET 200 | IP 23.35.229.160:80 | URL http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN unknown | whitelisted
GET 401 | IP 13.107.6.158:443 | URL https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | CN unknown
OPTIONS | IP 23.48.23.51:443 | URL https://bzib.nelreports.net/api/report?cat=bingbusiness | CN unknown
GET 200 | IP 13.107.246.45:443 | URL https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable | CN unknown | type binary | size 13.7 Kb
GET 200 | IP 136.244.83.192:443 | URL https://www.solvusoft.com/en/winthruster/install/?utm_source=site&utm_campaign=site&utm_medium=home | CN unknown | type html | size 18.7 Kb
GET 200 | IP 204.79.197.239:443 | URL https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | CN unknown | type binary | size 2.30 Kb
GET 401 | IP 13.107.6.158:443 | URL https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox | CN unknown | type binary | size 584 b
GET 200 | IP 136.244.83.192:443 | URL https://www.solvusoft.com/winthruster/js/jquery.fancybox.js | CN unknown | type text | size 47.5 Kb
GET 200 | IP 136.244.83.192:443 | URL https://www.solvusoft.com/winthruster/css/fancybox.css | CN unknown | type text | size 4.23 Kb
GET 200 | IP 136.244.83.192:443 | URL https://www.solvusoft.com/css/960grid.css | CN unknown | type text | size 4.25 Kb

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (a cell is left out where the report shows none)

7008 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:138 | whitelisted
2120 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4316 RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4316 RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 svchost.exe | 239.255.255.250:1900 | whitelisted
7008 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.solvusoft.com
  • 136.244.83.192
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
bzib.nelreports.net
  • 23.48.23.51
  • 23.48.23.26
  • 2.19.126.145
  • 2.19.126.152
whitelisted

Threats

Columns: PID, Process, Class, Message (a cell is left out where the report shows none)

4248 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4248 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4248 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4248 msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
Potentially Bad Traffic | ET INFO Possible Chrome Plugin install

1 ETPRO signature available in the full report
Debug messages (columns: Process, Message)

WinThrusterWidget.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\WinThruster\x86\SQLite.Interop.dll"...
WinThrusterWidget.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\WinThruster\x86\SQLite.Interop.dll"...
WinThruster.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\WinThruster\x86\SQLite.Interop.dll"...
WinThrusterWidget.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\WinThruster\x86\SQLite.Interop.dll"...
WinThruster.exe | SQLite error (1): near "s": syntax error
WinThruster.exe | SQLite error (11): database corruption at line 63851 of [c7ee083322]
WinThruster.exe | SQLite error (11): database corruption at line 63892 of [c7ee083322]