Analysis

max time kernel: 129s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2025, 10:00

Static task: static1
Behavioral task: behavioral1
  Sample: Thorium.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: Thorium.exe
  Resource: win11-20250410-en
General

Target: Thorium.exe
Size: 302KB
MD5: 4a94c74790129bc41d75fe0c1bf5f351
SHA1: a5540af8fbaad2656afb3a7b76c42a50b5bbc366
SHA256: 1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
SHA512: 9787fe4cffeaf150845cfe989aa6eac504cfa00d4911d7069be5fb3dca6052531b5cfafe1734b288856818e11cd331345f5f884477f566e23aa6ddf94ad8fc07
SSDEEP: 3072:zKhJM9JdZ5usnvivd9vN3LaRHVbe7ufTxrr++U/e8mmmmmmmmmmmmmmmmmmmmmmR:zKE51nvivXvEVRUdzWE3
Malware Config

Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "፸\ueb9d妓ﺻ谥𤱸൸\ue299\ue37e亖ꮤ裀枅똨믬"
Process: Thorium.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "莥\U000abd63\uee3d겶䟤휬틲ꛧ믢퐰劑ꏊ뎶풨뚠탊ꐭ喊⑭"
Process: Thorium.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Drops file in Drivers directory (1 IoC)
Description: File opened for modification
IoC: C:\WINDOWS\SysWOW64\drivers\hostsvc.exe
Process: Thorium.exe
Manipulates Digital Signatures (1 TTP, 64 IoCs)
Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Description: Set value (str)
IoC: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "뷺싍ꛅ騐甜爚颓軚ை偤ⴒ⒄\u0bd5﹣\U00062770爹頢ꅢ"
Process: Thorium.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "ㄸ詜\ue116̛띦左쟷ᐗᰣ䅢㜠졮\uf3d2\u13f6⓫\ua7e6袾䷡\uebcf"
Process: Thorium.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation = "ᬢ原ꂩǿ얉\ufae4\u2e6c굥찆說枫幨ꖋ╡紀跮쳽ūཤ\U0005fbcf篁≪\uf328"
Process: Thorium.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Modifies system executable filetype association (2 TTPs, 19 IoCs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\"
Process: Thorium.exe
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "腠쥲\uf54bⲸ\ued7a伳틸厜\u1cfd愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭"
Process: Thorium.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "볏躤䃡怙\ue791䀎ꭡ췬쾜妞졨芼繊䐟՞車畟\U000d5727컡"
Process: Thorium.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "杣ᆣ䆡欥迩呞撫Ꮉ竣㳘핟坻ꡏ\U000d0e0c𗿒\uecb8鴽ⷹ\U00039583䮿"
Process: Thorium.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\ue4f2ˏ椯똊\u1cff詿⣊㐫寛뽭\ue11b䲉ノ⫲앒ﯟ㨚닶⁅ҽ䝾ꢮ"
Process: Thorium.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "浂웄ⓩ\U0005ddd6\u0ba7䢼\ue033潤簋"
Process: Thorium.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\WINDOWS\SysWOW64\msmgr.exe Thorium.exe
File opened for modification C:\WINDOWS\SysWOW64\svcboot.exe Thorium.exe
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe (this row accounts for the remaining 61 of the 64 IoCs; the signature is capped at 64)
Note: only the two SysWOW64 executables are written by the sample itself. The powershell.exe rows are the 32-bit PowerShell host refreshing its startup-profile cache and CLR usage log under C:\Windows\SysWOW64\config\systemprofile, which is consistent with PowerShell being started repeatedly under the LocalSystem profile; the number of launches is the useful signal there, not the files.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallPaper = "\ue05b請\ue76b\uf387\uec1f炬♃\ue20d㜘쌪찆ᝊ\uf085" Thorium.exe -
Drops file in Program Files directory 10 IoCs
description ioc Process
File opened for modification C:\Program Files\Internet Explorer\Connection Wizard\server.exe Thorium.exe
File opened for modification C:\Program Files\Internet Explorer\images\thorium.ico.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\syswin.exe Thorium.exe
File opened for modification C:\Program Files\Windows NT\logsvc.exe Thorium.exe
File opened for modification C:\Program Files\Internet Explorer\svcagent.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\svcbackup.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\configtool.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\svchostcache.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\Network\netserv.exe Thorium.exe
File opened for modification C:\Program Files\Common Files\System\hostagent.exe Thorium.exe
Note: ten executables with generic service-like names scattered across Program Files subdirectories; thorium.ico.exe uses a double extension so that it displays as an icon file when extensions are hidden (the HideFileExt write in the Explorer signatures above fits that). None of these names is a stock Windows or Internet Explorer binary; check each with Get-AuthenticodeSignature and a hash lookup before deciding which are copies of the sample.
-
Drops file in Windows directory 7 IoCs
description ioc Process
File opened for modification C:\WINDOWS\INF\driversvc.exe Thorium.exe
File opened for modification C:\WINDOWS\Fonts\fontmgr.exe Thorium.exe
File opened for modification C:\WINDOWS\bootcfg.dat Thorium.exe
File opened for modification C:\WINDOWS\Fonts\fontdrvhost.exe Thorium.exe
File opened for modification C:\WINDOWS\SystemApps\winoptimize.exe Thorium.exe
File opened for modification C:\WINDOWS\SystemApps\taskfilter.exe Thorium.exe
File opened for modification C:\WINDOWS\INF\infhost.exe Thorium.exe
Note: fontdrvhost.exe is the name of a legitimate Windows 10 binary (the user-mode font driver host) that lives in C:\Windows\System32; a copy under C:\Windows\Fonts is a lookalike, and a process listing will show it under the familiar name. Fonts and INF hold no executables on a stock install, and SystemApps holds per-package folders rather than loose .exe files. bootcfg.dat is a data file of unknown content dropped in the Windows root.
-
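The dropped files are the practical question for a responder: which of these nineteen paths (the ten in Program Files, the seven in the Windows directory and the two SysWOW64 executables from the System32 signature) to pull and examine first. The following Python script is an added example, not part of the report or of the sample. It scores each path against a few expectations about a stock Windows 10 layout: where fontdrvhost.exe really lives, which directories never hold executables, double extensions, and which processes are allowed to place binaries under protected roots. The rule tables are assumptions to extend; the paths and the writing process are the ones the report lists.

```python
"""Rank the files a sample dropped, from the paths a sandbox report lists.

Added example, not part of the report or the sample. Each rule encodes one
expectation about where a stock Windows 10 install keeps executables; the
tables are assumptions to extend, not facts taken from the report.
"""
import ntpath

# Assumed home of legitimate Windows binaries whose names a sample may reuse;
# fontdrvhost.exe (the font driver host in System32) is the entry this report needs.
KNOWN_BINARY_HOME = {"fontdrvhost.exe": r"c:\windows\system32"}
# Directories that hold no executables on a stock install (assumption).
NO_EXE_DIRS = (r"c:\windows\fonts", r"c:\windows\inf",
               r"c:\program files\internet explorer\images")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SYSTEMAPPS_ROOT = r"c:\windows\systemapps"
WINDOWS_ROOT = r"c:\windows"
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Processes allowed to place binaries under the protected roots (assumption; extend).
TRUSTED_WRITERS = {"trustedinstaller.exe", "msiexec.exe", "tiworker.exe"}
EXE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
DECOY_EXTS = {".ico", ".jpg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}

# Paths and writing process as listed in this report.
DROPPED_FILES = [
    (r"C:\Program Files\Internet Explorer\Connection Wizard\server.exe", "Thorium.exe"),
    (r"C:\Program Files\Internet Explorer\images\thorium.ico.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\System\syswin.exe", "Thorium.exe"),
    (r"C:\Program Files\Windows NT\logsvc.exe", "Thorium.exe"),
    (r"C:\Program Files\Internet Explorer\svcagent.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\System\svcbackup.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\System\configtool.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\System\svchostcache.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\Network\netserv.exe", "Thorium.exe"),
    (r"C:\Program Files\Common Files\System\hostagent.exe", "Thorium.exe"),
    (r"C:\WINDOWS\INF\driversvc.exe", "Thorium.exe"),
    (r"C:\WINDOWS\Fonts\fontmgr.exe", "Thorium.exe"),
    (r"C:\WINDOWS\bootcfg.dat", "Thorium.exe"),
    (r"C:\WINDOWS\Fonts\fontdrvhost.exe", "Thorium.exe"),
    (r"C:\WINDOWS\SystemApps\winoptimize.exe", "Thorium.exe"),
    (r"C:\WINDOWS\SystemApps\taskfilter.exe", "Thorium.exe"),
    (r"C:\WINDOWS\INF\infhost.exe", "Thorium.exe"),
    (r"C:\WINDOWS\SysWOW64\msmgr.exe", "Thorium.exe"),
    (r"C:\WINDOWS\SysWOW64\svcboot.exe", "Thorium.exe"),
]


def _under(directory: str, root: str) -> bool:
    return directory == root or directory.startswith(root + "\\")


def classify(path: str, writer: str) -> list[str]:
    """Return the structural reasons a dropped file deserves a look (empty = none)."""
    p = path.lower()
    directory, name = ntpath.split(p)
    stem, ext = ntpath.splitext(name)
    is_exe = ext in EXE_EXTS
    trusted = writer.lower() in TRUSTED_WRITERS
    reasons = []
    home = KNOWN_BINARY_HOME.get(name)
    if home and directory != home:
        reasons.append(f"reuses the name of a Windows binary that lives in {home}")
    if is_exe and directory in NO_EXE_DIRS:
        reasons.append("executable in a directory that normally holds none")
    if is_exe and directory == SYSTEMAPPS_ROOT:
        reasons.append("loose executable in the SystemApps root (packages live in subfolders)")
    if is_exe and ntpath.splitext(stem)[1] in DECOY_EXTS:
        reasons.append("double extension disguises an executable")
    if is_exe and not trusted and directory in SYSTEM_DIRS:
        reasons.append("new binary in a system directory")
    if directory == WINDOWS_ROOT:
        reasons.append("file written directly to the Windows root")
    if is_exe and not trusted and any(_under(directory, r) for r in PROTECTED_ROOTS):
        reasons.append(f"executable placed under a protected root by {writer}, not an installer")
    return reasons


def prioritize(entries):
    """Most suspicious first; ties broken by path so the order is stable."""
    ranked = [(path, classify(path, writer)) for path, writer in entries]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0].lower()))


if __name__ == "__main__":
    for path, reasons in prioritize(DROPPED_FILES):
        print(len(reasons), path)
        for reason in reasons:
            print("   -", reason)
```

Run as a script it lists thorium.ico.exe and the Fonts copy of fontdrvhost.exe first, with three reasons each. The Common Files drops (syswin.exe, hostagent.exe and the rest) pass every structural rule except the untrusted-writer one, which is why the signature and hash checks mentioned above are still needed: naming conventions alone cannot separate those from a legitimate third-party installer.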
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Thorium.exe
Note: all three operations are reads. Netsh helper persistence requires a new value under this key naming a DLL, and no such write appears among the recorded IoCs, so this signature reflects enumeration of the key, not a registered helper.
-
Program crash 1 IoCs
pid pid_target Process procid_target
1700 956 WerFault.exe 106
(WerFault.exe, pid 1700, handled a crash of pid 956; procid_target 106 is the report's own identifier for that process in its process tree.)
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Thorium.exe (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe and cmd.exe (the other 63 rows, alternating between the two processes; the signature is capped at 64)
Note: cmd.exe and powershell.exe read this key during their own start-up, so these rows are a side effect of the sample repeatedly spawning the two hosts. Only the single Thorium.exe read is attributable to the sample's own logic, and one read of the NLS key is weak evidence of geofencing on its own.
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Note: 16 of the 25 IoCs here are writes, not reads. Thorium.exe overwrites the following eight values under both \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and \CentralProcessor\1 with random strings (the values are omitted here; each is roughly 10 to 25 code points drawn from across the Unicode range, including private-use and unassigned code points):
Set value (str) Component Information, ProcessorNameString, Update Revision, Identifier, Configuration Data, VendorIdentifier, FeatureSet, ~MHz (Thorium.exe, for \0 and \1)
The remaining 9 IoCs are Key opened, Key enumerated, Key queried and Key value enumerated operations on CentralProcessor, CentralProcessor\0 and CentralProcessor\1 by Thorium.exe.
The sandbox-detection rationale in the description does not fit this activity. HKLM\HARDWARE is a volatile hive that the kernel rebuilds from hardware detection at every boot, so these writes do not survive a reboot; they succeed only with administrative rights.
-
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process
The 64 IoCs are Key opened, Key enumerated, Key queried and Key value enumerated operations and Set value (str) writes by Thorium.exe across the \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System subtree. Values written, all random strings (omitted here), grouped by subkey:
System: Component Information, BootArchitecture, PreferredProfile
FloatingPointProcessor\0 and \1: Component Information, Identifier, Configuration Data
MultifunctionAdapter\0, \1 and \2: Component Information, Identifier; \2 also Configuration Data
MultifunctionAdapter\0\DiskController\0 and its DiskPeripheral\0: Component Information, Configuration Data
MultifunctionAdapter\0\KeyboardController\0: Component Information; its KeyboardPeripheral\0: Component Information, Identifier, Configuration Data
VideoAdapterBusses\PCIBus and VideoAdapterBusses\PCIBus\0000: (default)
Keys read or enumerated without a write: BIOS, and the parent keys of the values above (MultifunctionAdapter, FloatingPointProcessor, VideoAdapterBusses, DiskController, KeyboardController and their numbered subkeys).
Note: this is the same volatile HARDWARE hive as in the processor signature; the hardware description the sample overwrites here is regenerated at the next boot, so the writes are noise for persistence analysis but a strong behavioural marker for the sample (a registry walk that replaces every value it finds with junk).
-
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) writes by Thorium.exe under \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\. Every value is a random string (omitted here), so the user's colour, desktop, locale, keyboard, mouse, cursor, accessibility and power settings are overwritten with junk rather than changed to anything meaningful. The 47 values visible in this part of the report, grouped by subkey:
Accessibility: Keyboard Response\Last Valid Repeat, SoundSentry\TextEffect
Appearance: Current, Schemes\@themeui.dll,-854
Colors: ButtonText, InfoText, Hilight, ActiveTitle
Cursors: UpArrow, SizeNS, CursorBaseSize
Desktop: ForegroundLockTimeout, FontSmoothingGamma, CaretWidth, WallpaperStyle, WheelScrollLines, LastUpdated, DragFromMaximize
Desktop\Colors: ActiveBorder, ButtonShadow, MenuText, WindowText, InactiveBorder, ButtonLight, InfoText
Desktop\WindowMetrics: StatusFont, CaptionWidth, ScrollWidth
Input Method\Hot Keys: 00000201\Key Modifiers, 00000072\Virtual Key, 00000104\Virtual Key
International: sLanguage, sLongDate, sMonDecimalSep, sNativeDigits, iCurrency, sTimeFormat, sGrouping, User Profile System Backup\en-US\0409:00000409, User Profile\ShowTextPrediction
Keyboard: InitialKeyboardIndicators, KeyboardDelay
Mouse: DoubleClickWidth, SmoothMouseYCurve, Beep
PowerCfg\PowerPolicies: 0\Description, 3\Policies
Unlike the HARDWARE writes above, these live in the user's NTUSER.DAT hive and persist until repaired; together with the WallPaper write in the desktop signature they are the part of this run the user will notice. The remaining 17 rows of this signature continue below.
Set value (str)
\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile\ShowAutoCorrection = "萜흇ڰ趾𢶫\ue4d9枴➲㩧霽鄸형➦烤悚岼" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\CurrentPowerPolicy = "킔誐\u2d7dຍ嘫𢕗㥉\uf194᎓\U00084d0d廒錾" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\MinimumHitRadius = "壄僇玑福䗦卾튜습춐*剹觘볥\ue61eủ龒焔" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\Menu = "䄅愲킄\u0e63讽\uea77횜븷\ueb90﹅젳Ⴤᑿ⦉貴" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\TitleText = "〺ᅥ\uf002ꣷ苫泥\U0005c9a3幭鯠\uf091萂\uf297\u2ffc" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\IBeam = "鯁ᭉ⺲や丣奡榄곜࿚僩" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\GrayText = "貀\U00093781❙䩗\ue690鱍箪\uf2e7䈼ꡔ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000010\Key Modifiers = "\uf177擤㨿俱뵢\U0005cf27䬈ퟂ奶ᅨవ䕟ⓝ絕ᄂ♚\uf72e䨼㬖䈱ﵹ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000203\Target IME = "㞹\U000af193ᦎ즈屫돈\u0efe젲ﺃ\uf4e6ﴴ絜ᆜ麝蓒" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\ActiveWindowTracking = "𪗬墽듈獃䐚\uf1a8\u244bὪ簯ḃ쩌ᔁ폓阗⡂" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "玓㌛ꛎ쿥㊒姻Ṥ\uec8eᲰ䧅괰Ȏ\ueb55倓걇撡뜫놝詞ᔍꓲ\uf205" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "㹨䗗섿쑑\uebfbᅬ葃롍\U000a69a6୵䍊룸ப煳ⲥĊ蓗욵\ueccc" 
Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\iNegCurr = "練ἄ蜄槄툵\U000394eb\u1aaf﮿㴔鯸辖ྣ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\MouseSensitivity = "榃\ue0b5ᲆⴴ\U00016bb5阄뢚阔\ue9d0呢⚑䌋럀翄" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\SoundSentry\Flags = "䦧ﲍ·ﭲ\uf2ff牸ⴸꅉ笍\uf24a柵舭\ue3f5" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\GradientInactiveTitle = "探瓖欼荫\ue966ٸ\ue8fc渤帑삱奜龶틴\uee71\u2d9a쀡㭁" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WheelScrollChars = "\uebeb\ud7a8ڰ⚠覭袄蜁蘱ꂑ\ue1ce蔧\ue049\U000646a3" Thorium.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "依牔ꋻꀤ\uf711屧\uf4ca\ufbd1\uaa39\U000c97c4鎂ᦖ命봣Ḅᅩ泇\uf208瀏컁➃懍" Thorium.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Compatibility Flags = "諽㗜\U000dca51萦灉밳瑔欞\ue3b1䪷氋빨⽔앤ϟ\ufbcb沓擞" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{285CAE3C-F16A-4A84-9A80-FF23D6E56D68}\Compatibility Flags = "⋥\ue8bb︼ᛢ뱚㚤倵༂椎창ⴶ폧Ꜧ┶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}\Compatibility Flags = "ȓ葫㑆\ueda0㬲堨梁\U000c7b1cᐕᴗ\uf1b3뗥邠⚹諰ಖ㳩칕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E673DCF2-C316-4C6F-AA96-4E4DC6DC291E}\Compatibility Flags = "뽮ꋠ\ue01d螲ڷ郑\uf085\U000a2c00㿿\u2e6b蛕刪睘븈橊瀗坻ᓻ胹ꔔ\ue4e3奖崼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\CheckedValue = "Œ숫ﺂϕៜ϶身렶춐옒쳓" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F}\BlockType = "裩畣\U0006bc42酤츌溶섈暅꒼⨀\ue7c9猱ᐣ𗼩帞赫ᥴ軒" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\CompatibilityFlags = "浌䶼磪싔憩貼\ueda8ష㩖뉩ꕲᵤ熝\ueb45\ue340\ue11f" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "㖏\U000a44b3쒃领\u1af0쩤夵⭶欁ਚ伮꼉ᓵᢍ\uee79\ued20" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\Compatibility Flags = "擓迓𠐚લ辐ᠷ킞ꪑ손騠垻䣚" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX 
Compatibility\{F198A89A-5042-4294-ADF1-CB163E549798}\Compatibility Flags = "㦸ँ梀禨滤ffi儶蜴\u2d26᧩\U000792cc暹럔煷㥸簒\ue026" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\PlugUIText = "寪돓\ue179믹ೳ囱Ӳガ\uf185쑥ᅖ\u2fddꎳ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\BlockType = "㩡\ue729쉯\U0003a4e7黙⼷埰쬟છꥩ輒鹔남\U000ff43e茫睓" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HTTP2ENABLE\RegPoliciesPath = "ⶩ谦㗷〉讏\ue062䞣␌况瀺䚶ꅠ\u1943셅亠㶤\ufaec" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\CheckedValue = "\U0009a5c6劯⩤䟱洘侃⠛뚪䣚헎㍳냵䋝\uf0fb⎇\ueaac哇퓗迟ꀣ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\HKeyRoot = "䵜좻慼甞瑒麪㼱䟬墍ﷆ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE\ValueName = "ሞⴈ槩ၦ雝搠ꥥᨘ𬬇繩" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\ValueName = "㴼诼\ue97e솹建桘ꅹ뇩\ue4a7웜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION\PresentationHost.exe = "ᖓ⍈莐䣳\ue043鴆泋鮁ᒮ倿\ua87f鯠폝" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850}\AlternateCLSID = "\ue4fc귺㈙\ueda5\ueba4飓丷僯ꁹ᳢窵结ŗ캷鼾탶̷谹끣\uf808隒己" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1\RegPoliciesPath = "\ue2f4誣−굝괅獂ຫ䍏攣彭㟷ጮ鋞㵟선ம\U0010ad60睕" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}\FWLink = "ᠲ吢퍤惶䪪뢛荹꼽\uf859ꈠ撤袊띪᪭✛\ue9d8䮑\ue9ff" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ゾ䈕◛⤃ﬖ\uf416⅄\uf412ᕊ冂⚪當\uf024ꗮ羞刞䗏ኍ鱣켔䯁竵" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{261F6572-578B-40A7-B72E-61B7261D9F0C}\Compatibility Flags = "ׄ妙䉣軈曩䅂鞅甬앾➕驥᭡䥈ュ흄ꥲ焆" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5A20858B-000D-11D0-8C01-444553540000}\Compatibility Flags = "\ue09d颇묊吝ଜ誨≈\ue0d7ଅ\ue9bfێ㶫䤓웡器袻굴돞" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "餞랅撖錜\ue515Ɐᐄ엮൏娶諻ቍិ脙藫婨" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD351EA1-4173-4AF4-821D-80D4AE979048}\Compatibility Flags = "맆帉ཀྵ\u0cdf駢战⟙\ufade蓜뼎ፅ⽇\ue753\uee85뎬㥁" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\CheckedValue = "虪|\uf6be놐ꏄḉ⫳퉩鍉㔹쳛\u18af儽鹃଼禶❑\uec28䱳\uea86癟ᶱ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\Version = "眗톼\ue077纗ࢂ\ue951휒癩\u187f赙鰒ᮿ氿㉧ҳ嫑ﶘὗ笗䌚\U00080528" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}\FWLink = "\uef50\uf140눴ꫀ珆\U001081d4猴Ⳋ缋⭩" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\HelpPane.exe = 
"\uf82f㍄賒\uea6c㜳属ᆜ橎쯼㎔黧六颼㝥\ued9f㉥縏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8DBC7A04-B478-41D5-BE05-5545D565B59C}\Compatibility Flags = "櫛㕯\u0a7b\ue9d4㪧ᎀ\ueaff\U000e7012℩§䯰ᕜꥰ껭" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9B8E377B-7291-491A-B611-BB3E1D5F99F0}\Compatibility Flags = "㥀ꮣа蜁Ѽ輏줉༜꘥Ⴑ处࿀頱ᮑ䭛㡎" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\PlugUIText = "犃쫂魎ﴈ봊襀걋⼝\ue9a4炷" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}\DllName = "ີ៍\uf287籂콵괤\u124e벫揃캆Ꞿᄀ\uee95폲ᗷ仼\ue4b9큃࿀魙㶓ȃᔝ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}\DllName = "\u20c1ؑ悱曾쏫ⶓ榃恏ᄰ騜躘̐₠肴쌔춒젇쳄忛\uf0ad\u0cf5叆" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\DllName = "푂\U000bf54c娽\uee31럫焚牶⇗㑲⌎\U000a6722ᛖ魏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS\wlmail.exe = "宝\uf129퉞ῂ늠숕̜⑁戳祴ᆲꇄ婀" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "\ue92e橙გᇮ핖经䵬Ⴭ愓뗉鑢욯ᮛ㒝䡪쩌\ue7fa詞ⴽ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\074FF50D0FBF0CCEC37F65E137C91EE48442FE4C\Policy = "≊ㄊ貭땸눤먪윞踂턉睡족㛫➦泥\ue2bc뽝袧\u0c29슱饑㯁\U000a5af4" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction 
Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "哄㑞\u1737ꁳ꙯あᲔ𮘀彅໕颏䩷嵺鱦匋楮" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE\Text = "䩛쑞刲ᣁ㔟膌ᕫ豓ꇽ⏡" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\U001047dc榴褹\ued38兕ඌ㺴藒긍ɐ伩" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d}\AppPath = "沐\ue9e2穱腺땑쨗⯙ꠢ\uf56f櫈퐑瓾띵㥁떚\ued0a" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\AutoHide = "\U0001aed9撹͖┧⩈׃፳砌闚\uf686嗋ॅ筎" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}\Compatibility Flags = "\ufdcd氤\ue6c1堳擃焒줷\ue19a䡉\U000a3196Ꞁ︣ꐽ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\WinInet\InitialApplyCommandLine = "\uf2db\uf396贊缥說串챻辋횦﹉ㄡ䴞\U00080293뺊놱" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\Version = "璉\ue813啳ꧥ깨쨼勶၁ꩭ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E}\BlockType = "춍䬃炧\ue231\ue690ꎡ饿ిꃊ奄ゴ瘗琤뮽\uef11գ☢ꮾ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\FWLink = "ꖄ㘇舒ᗺ赪끠\uf1ed鏰ꆶỜ\ue0e4熝ꅳ⥄" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Placeholder_Height = "햝硖札ᕟⰜ莞駟\uede9ꑆ騎䝤ﵒﭏ\ufdd2ꭒ\uf827\U0001a295錃" Thorium.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "\U00064192\uf46c奫畄脤胼\U000e6d98덵⡥숞졑ṋ熚윴앭\u09a9᷐" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39A2C2A6-4778-11D2-9BDB-204C4F4F5020}\Compatibility Flags = "眥፝\ueeb2⚰ࠈ픛쇧\U0004fb19䟠\uee0c닇ㆇ긱ר⧜យ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{68BBCA71-E1F6-47B2-87D3-369E1349D990}\Compatibility Flags = "㫟ཅ癷ᷣݵ뚍\U0004c6be娉盍뢏\uf150䓏ꡡ숬欢ʜ㢚甪ូ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}\Compatibility Flags = "餼祠ﳸ溱숤狙ງⱅﷱ⊡훋猦懣뽕\u0a46时" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E38FD381-6404-4041-B5E9-B2739258941F}\Compatibility Flags = "麬⺳\uf174繠撹鶭ḃ︮\ue89d䷰児龏䐝㋑䢬᧟扸셃" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES\ValueName = "점⅞\uec97\uf33d継\uf596릾䂥皲賓Ꞗ熝ሷ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RequiresReboot = "\ue980幖빎㮯䆧홋括㾍ބ챊Ꮘ埦\u0c50㊒" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\CheckedValue = "뻱㊀쇨뢚蘿\uf36d憏䩧竿ﺯ퍁饖\uf26eۈ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\NEVER\ValueName = "冝\ue8ed醙䧝\u31ec\uf225\ue4b2狊鲡ꤱ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\GENABLE\Type = "諒쪍鯵\ue728僉簜磑䂢↋釷䭬힅\ue572䒀蔷䙨갟\uefd3땕儘캃墻" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\PlugUIText = "\ue1f2휻ꙙ㔛䧂⸸寭\uf355ࠓ\u0c4e졿䬸ɼ㕪긌\uebd2㷓튰쨺颩\ue4bd" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "멫쀘免ꌌ⇔厠ᔰ䮗Э啡Ⴘ싻䗴丬□\uea07㲱ꏏ葑걕\u2008\uf0f4칉群" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\DllName = "ɜ磸⢗༵瓡⡃즛醓릹\uee86쀽ូ䛴楫㧠䬤ⱞ\u2fe4斆î炙\U000d96b2矌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-displays-topology\WarnOnOpen = "┣ᾠ牷擴蔐ꚱ᷵춋⯿搅燡鴛數䘐" Thorium.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "뻜\u0ce5\uf034髿虯갪৯\u2eff傏暾ҡ\ue644甈ފ亍ࡷ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ด惈沵丐\U000a4208閐ꗳ픁⟺⣠㴊\U00050eab載⋀\u173e\uebad횈Ჰ\uef28" Thorium.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\SizeNWSE = "靣켣ㆂ얤摆䇢衶\ueaa3\uf8d6勐\uf46d\uec3b\u009b犫邼頬" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "壹蛖㽮掎詏ぷ䎤䟄얞ᬩ䔐㞜⫝䮿똢យ\ue093叺刄" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri\1d7e536746cabe0\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\re = "⸕绢멼鐊痷㋖웶\U000ac16bꭴ\uee20\u0bd3ᕷ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\filetrace.sys,-10001 = "\uf292㐬䮢鷹ᯋ♴ࢀ硫䍑籗" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SoundSentry\Flags = "쥟頜禐㖓㖋넓\u1ae8欂嬆왾쐇궐\uf4f2\ue6c6癹ჽ狳" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience\Capabilities = "붿齄鷡钏泷亙ૣ䗔欲谋¬\uf16e鍡┸ű哻熍ᵊ䚚Ȇ졜" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm9\ = "遀ᅛ쾆夣㌆ﳸ\uedae䥬陒땣\ue8b4ꌇ澞\uedaa䩠럣㩁" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\lfsvc.dll,-1 = "⮼띩肅㝔蘭蓝\uef19Ϭ翇欭ﰅ뢟髵\uf102蕃ޒ儁玛侐廅힒皆ꖱ孍" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Default\ = 
"㳱緦ૉ竂䌕愁ᭊ찷≻켾\U000e35a0ʼn\ue85f最⥶釾瑵\ue534巰\uf583팉劉杞" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher\PackageMoniker = "샨㺉☛༲뚍\U0001476b跒袇塰鈰ꄭ릿暂≈\ued80怋燸㲈䟼䫇鈠੫捺" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "㕙ᔬ꧙ᆮᲭ㚾ꊸ\U000848dbâ" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\BthAvctpSvc.dll,-101 = "័䝳䆾埥떪枷䲗ﻒ꾚剴䍹備ꍓ\ufde2䖍\ue3d6沺\uec76虉" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "ꡀ劊珧䊰蚄ᢱꠛ㍮睃쟯瓶ꢰ䍿\uf5ea娄" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\FontSmoothingGamma = "祏샻뗯뇻敶ᾳ꒟ꂉ數闀派븓㷼\ue696㋒" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000010\Target IME = "ᕞ踀唋䕹\ue667⊄譞삏አ਼" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\iFirstDayOfWeek = "蜫䩸ᡨ\uf1a9뀷\uf5eb砰㊫\ue30dﹺ纾顅魁Ϟ\uf800똙鋿ﭭ憪⬼㑹액" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm3\ = "弁ू襞\uef46剁쫺퐮짴퀺롑侜炷ᵖ䟺ੑ쨏≔쨭ꕳ" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe 
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4cf7b9220\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906. = "犸꾉笙讎\ue0da䰖㌴콖涄攜칱眆諙ꢵ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Console\InsertMode = "ꇇꥡꩪ換捹뉱ﰲ꿦왠Ꝓ㻾㌏닀絣" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Appearance\Schemes\@themeui.dll,-851 = "ᡥꗎq\ue3ee\uec48\ue933㰷盕钵\ued5e慥\U000c5423厙쉯ꆤ뉜滐赲区伩" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\5\Description = "ꕉꟁ鵋예\U0008a2ceꇯ쏎蝙緎뽔禧唡\ued7c듛㔤ꓣὥ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands\upRight = "ฆ包ꇑ昤⡖ᛙ矿\U000681eaﺓ\ue29bㄧ켾ᕍㄴ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\fdrespub.dll,-100 = "焇\ue985\ue2a1𗰇嚫\ue66d錶\ue545街큲ಣ壒뢿䥌" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a37dfe62\@{C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8b = "苼젯ᣏℸ岍\ue9b3ꎗⷰ៙\u1f4f\uf320" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Console\EnableColorSelection = "\uf8ee뼉솹岌떋軩ꅳ톔釴䬶쥚逃鎦" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\http.sys,-1 = "ୠ룑\ue246᷆除ﻛ⥄씊\U000ef1b8閸嫊ᓾᝋ\ue672\uf6a9鳮틝筢薨" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ = "톼㍻\ue47a\uf79a媛\uecf9ꐳ\U000e8f06뤳妕穧쀅" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\SnapSizing = "軾蘼㞑狶團橬윫蜧\uec18\uef78꾞蘀ﮉ例ܻӲ瓶迂禈嚎锨䪜뷍ꁀ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\PrintComplete\ = "ꝲ謅ꄂ傁筴\ue055\uee56意덃豥ffi뇉" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\User Profile\ShowAutoCorrection = "ഀ놙ਏ룯ᨑ쯷껜僪맊ᴛ\u03a2䱳哶冽섇\ue633禨ĭ髬" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\SharedEudp = "ꧼꂾ㢧\U000ee47a䌈鄚繍𪏰\u1a1d櫳\ue91f榖藼ᴰ豹脣즹5\uf1ebῂ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Call7\ = 
"턏\U000a6744⏄蔒彔啥ꟼ떠몬" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe -
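The rows above are the report's flattened "description / ioc / Process" table. Every value Thorium.exe writes is a random-looking Unicode string (private-use and unassigned codepoints mixed in with CJK, Hangul and other scripts), and several of them land in values that Windows normally stores as REG_DWORD (HideFileExt, ShowSuperHidden, Zones\1\2500, IsInstalled), so the "Modifies …" signatures are firing on the key names, not on meaningful settings. What a practitioner wants when triaging a report like this is to separate those two facts mechanically. The following Python is an added example, not part of the sandbox report or of the sample's behaviour: it parses rows of the shape shown above and flags values that look like random Unicode filler, and string writes to DWORD-typed values. The row format, the escape handling, the garbage heuristic and the list of DWORD-expected value names are my assumptions; the sample rows are copied from the report above plus one constructed benign row.

```python
import re
import unicodedata

# Sample rows: three copied from the sandbox report above (zone 2500, IE Start
# Page, a "Key created" row from powershell.exe) plus one CONSTRUCTED benign
# row (WallpaperStyle = "10") as a negative case. The report renders some
# codepoints as \uXXXX / \UXXXXXXXX escapes; the raw string keeps them literal
# and decode_escapes() turns them back into characters before scoring.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "依牔ꋻꀤ\uf711屧\uf4ca\ufbd1\uaa39\U000c97c4鎂ᦖ命봣Ḅᅩ泇\uf208瀏컁➃懍" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "뻜\u0ce5\uf034髿虯갪৯\u2eff傏暾ҡ\ue644甈ފ亍ࡷ" Thorium.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallpaperStyle = "10" Thorium.exe
'''

# One report row: <op> <path>[ = "<value>"] <process>. Assumed shape, derived
# from the rows shown in the report; several rows may share one physical line.
ROW_RE = re.compile(
    r'(?P<op>Set value \((?P<vtype>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*?)")?'
    r' (?P<process>\S+\.exe)(?=\s|$)'
)
ESCAPE_RE = re.compile(r'\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})')

# ASSUMED, partial list: value names that are REG_DWORD on a default Windows
# install, so a "Set value (str)" on them is a type mismatch whatever the content.
DWORD_EXPECTED = [
    re.compile(r'\\Explorer\\Advanced\\(HideFileExt|ShowSuperHidden)$', re.I),
    re.compile(r'\\Internet Settings\\(Lockdown_)?Zones\\\d\\[0-9A-F]{4}$', re.I),
    re.compile(r'\\Active Setup\\Installed Components\\\{[^\\]+\}\\IsInstalled$', re.I),
]


def decode_escapes(s):
    """Turn the report's literal backslash-u / backslash-U escapes into characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def parse_rows(text):
    """Parse every row in the flattened table text into a dict."""
    rows = []
    for m in ROW_RE.finditer(text):
        value = m.group('value')
        rows.append({
            'op': 'Set value' if m.group('op').startswith('Set value') else m.group('op'),
            'vtype': m.group('vtype'),          # 'str' for the rows here, None for Key created
            'path': m.group('path'),
            'value': decode_escapes(value) if value is not None else None,
            'process': m.group('process'),
        })
    return rows


def garbage_score(value):
    """(fraction of private-use/unassigned/surrogate codepoints, Unicode block spread)."""
    if not value:
        return 0.0, 0.0
    other = sum(1 for c in value if unicodedata.category(c) in ('Co', 'Cn', 'Cs'))
    blocks = {ord(c) >> 8 for c in value}      # one 256-codepoint block per distinct high byte
    return other / len(value), len(blocks) / len(value)


def looks_like_garbage(value, min_len=8):
    """Heuristic (assumed): real settings almost never contain private-use or
    unassigned codepoints, and real text stays within a few Unicode blocks;
    random UTF-16 filler does neither."""
    other, spread = garbage_score(value)
    return other > 0 or (len(value) >= min_len and spread >= 0.6)


def triage(text):
    """Map path -> list of flags for rows worth a second look; clean rows are omitted."""
    findings = {}
    for row in parse_rows(text):
        flags = []
        if row['value'] is not None and looks_like_garbage(row['value']):
            flags.append('garbage-unicode')
        if row['vtype'] == 'str' and any(p.search(row['path']) for p in DWORD_EXPECTED):
            flags.append('type-mismatch')
        if flags:
            findings[row['path']] = flags
    return findings


if __name__ == '__main__':
    for path, flags in triage(SAMPLE_ROWS).items():
        print(', '.join(flags).ljust(30), path)
```

On the four sample rows the zone 2500 write is flagged for both reasons, the Start Page write only as garbage, and the Key created row and the constructed WallpaperStyle row are not flagged at all. Feeding it the whole flattened section instead of SAMPLE_ROWS gives the same split over every row, which is the quickest way to see that nothing in these signatures is a real persistence setting with a usable value.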
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wbcat\ = "쀋烴崥䟤苹뷠呎⼒岚\ue191\uf0ee\u0cba圮襸ꁗ뛥൘" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "㛅䣿島盺̈麽ਈ䨑佞\ue8f5髗꘠岾럻ೊ⎼⟳䇐渑\uf442剖\uf7d6" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDATuner.SystemTuningSpaces\CurVer\ = "ᥱ\ue409趁틋➍じ櫱̠랩\ue50cꏛ降蝘ꈆ禺\ue815\uf782\u2d71쭿甍捻ค" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01C6CA30-792B-404B-A5C2-0A34434B3AA4}\ = "剄ᳯ\U0001523d汕鷖套妥亶岡ቹ捧Ϧ뼘鮠䍃耶䳗\ue80d骈慑縣㷈\uf34a" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\.mp4v\VLC.backup = "ޮ䄿\U000c939b樒฿爼姫䨙Ꭽ킠\uedd9塩폺틋풔濅\uf69a\u0e3d헻⺌璋ኚ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{274fae1f-3626-11d1-a3a4-00c04fb950dc}\InprocServer32\ThreadingModel = "П퇊⊈ꉵ⏷숃燇೭횚겨㗽\U000aa828㦶鲼℅ꙋ\ue81e쌼ႃ≁" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D}\LocalServer32\ = "⽮팺䍇欪ֽ豉敦都༙ᛛ顭ᆅ溚厲抝ㆸ狇\u09d8㐰" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51571744-7FE4-4FF2-A498-2DC34FF74F1B}\InProcServer32\ThreadingModel = "\uf68d؋꒛\ue3cf瘃ꢴꐍ塘ຒ\U000d28cd倴ਭ犮䖠㩑" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xlam\Content Type = "欂\ue46b쵓ޢ펫惍蒭\ueea5ᶍ\uf3f4߮퓕憫扵劂黊렒ඪ䣢" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CfgComp.CfgComp.1\ = "㢇鑅Ǻ\ue32a鎢총얄띻뤰ㇳ\u1c39甅勾嗉" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00022602-0000-0000-C000-000000000046}\TreatAs\ = "\ue065橚곿觧\uf3e4ꁀ굉쎝㙳⟚\uf790뵆" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\ScreenClipping\Description = "\uf780\ue8afᄻ\uf28c变殴ꁩ蜖\U0008fdc0찆ꬨ" 
Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7071EC33-663B-4bc1-A1FA-B97F3B917C55}\InProcServer32\ThreadingModel = "䗈嘹뎁\ue1d7燗㛻\ue057攗ニ숚\ue7c0吝锭\ua879ઓ䇣ꃑ칵" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{778DE47F-7ADC-4C4D-974D-771BD1675DC5}\InProcServer32\ThreadingModel = "\ue600奡\ueffdꏐ걻ꢲƋ畦郄粍䔵橦\uf1d3" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}\InfoTip = "䏴鳾ܵ㴌㷆ǎ\U00099f8d嘬爏ꓹ戹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80A09B21-11E7-462B-844A-1EB3415BB4A8}\ = "ꊵ뜽该뿙⎛悲㧿矼꙱褦⢟뒶脏ᵀ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E54333B-2A00-11d1-8198-0000F87557DB}\ProgID\ = "㳷쁲⁸≡끤回㙝ᨛ엣ᆧ衔醕讶\ued40襤》" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F391-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32\7.0.3300.0\Assembly = "ⶾ潨襪隽籐徜𫩘\u05f8艋\U0010bc56" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46080CA7-7CB8-3A55-A72E-8E50ECA4D4FC}\InprocServer32\Assembly = "⣬亖径痚䟺콉鼆⦨彆茿괸영ꮔ\uec9f\uebcc痡脵\uf595ꂫ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32\ = "攋脖愻䳡⇰\uefbc뱍㶉쥲濡͓삲\ue66e憚ᐛ殐墩쟎럥驍" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54d38bf7-b1ef-4479-9674-1bd6ea465258}\TypeLib\ = "Ꭸ\ue975寂⠮쿗씪뙰\ue236പ㲊趀탅建캥堷ᘅ끲篋迗괬" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\ProgID\ = "坳လ踸\uf00e풱鲡曼բ\u1717헻䷌瞨啰ﴽ瓐칞饓毦" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FA29220-36A1-40f9-89C6-F4B384B7642E}\OverrideFileSystemProperties\System.ItemPathDisplayNarrow = "偻뵷骃\ue259̑鞚⯵伓▃趕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.prc\PersistentHandler\ = 
"뢰\u187c\uea94㞕沁빧⨘׆㯈赽䑥ኽ炾Ԍ邕댮㾇" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{12DD4DBB-532B-4FCE-8653-74CDB9C8FE5A}\MaxOutputConnections = "\uf364皗䛆뫶盙灰\ue00cꁤ⨟芹ꊑ㭛嘿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FriendlyName = "\ueb8a䙱㉏蔏戟ꩰ⭰\u008c峯㦠寲腮팀딏玑\ued15괌瓷" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32624F4B-F1D5-4877-989E-555640109D2B}\InprocServer32\ = "氒ⰻ\uf790거鋕Ɏ\ueb59魿\U0001a743めᤑ㹲䀯⅟˂庨⧿\ue873欞韕ᚳ퀭" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86d5eb8a-859f-4c7b-a76b-2bd819b7a850}\AppId = "\ue2ad䬄銮⤳鮏衣䌋షⁿ凸⠂۽" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8973b4ef-7da5-4031-a333-f65609a4dcf4}\ = "⥱➮뵖멨\ueda9≈Ꮟ⿈煣ꐢ궸䵨𗺴捒䢛" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hxt\ = "\ufdeb晅ھ\uf390柊\ued7b段ꐙᡱ偡\ue05e왖ᙟ覺㗗瓾鿠毮Ⱒ埊큍ḉ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B162A5B-B67A-4468-9613-C3F9765B353B}\AccessPermission = "⼡ၣ\u2002핹伃⯁\u0a63\ueb02ꨯ퐧퍠筞鈿鬲ႎ姟澴矂쯵" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "ꪆ僩≌䀌⒐\ueec4멷ꊏ喩絁\uf1d9\ue535ㇲ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02844640-E37C-4322-A3B8-4C61A2E58879}\InProcServer32\ThreadingModel = "䝷㹣伍嫵줠櫱\U000af8ac閨溕\uf732奛뒈鵓" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon\ = "䝀蓰꿊\U0002ee0b倁\uf608쵃Ꝑ斺齔訜ⳣḅ㮟䌟鸕굕ᑢ潯첞ᜲ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89F2B8EB-AEDA-4057-A05B-A7D6181B63C6}\InProcServer32\ThreadingModel = "錶괯㣰้賕덁뻖뇔唐뻚豜웠\ue62a㵦숋寊リ螋ﲙ" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B918B82-7985-4C24-89DF-C33AD2BBFBCD}\VersionIndependentProgID\ = "뛽Ӭꍼ텚闦넄廋᧧햄렕ケꄳ旜" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.getstarted_8wekyb3d8bbwe\ResourcesConfig\ManifestLanguagesList = "欼\uece5船\U00041838ㅙ읟⃫㽺蔛༷诫䮞罞况沼컚춚뒝䟪Ώみ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\LaunchPermission = "ꫭ嚞ᣦ皇닐냲컱ﻰ碁瀤娧抔" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CATFile\shell\open\command\ = "媦웹筳袣嶘Á獰㝾\u0cf5タცཐ법\uef789ᣑ䘚襡懵" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}\ = "붨鹤쎗慍\u0b98쫍䋾୫ܢ稃♕潄諏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BD95610-9434-43C2-886C-57852CC8A120}\ = "譞\U00065f3a죍뢳䶹웰\uec13촍\uf6f4顨ꈭ軒魙턺\uf0fc鄥렳臥ⴎ\ue9b5鴼\uf789隗" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777BA87C-2498-4875-933A-3067DE883070}\InProcServer32\ThreadingModel = "\uf7f1⇱蓳橥☶鸓暷娠롛鈑嗒\U0009f055ꅊ怼왏帉坆꿙\uf446룠쳼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "\u2d7a떫률讠ಒၰ簩ɞ\u20c2렴떩㮠렮\uecd3᱀㕼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4DD15E-F431-4536-AEE8-AF20BA847A33}\Version\ = "ᴠ戭⹖剦\uec89䱎᷎谜㪳ὕⰍ\ue013酅섴ԧ藽뎃ⷽ賔隻味䗥蹺駢" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC09899-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32\ThreadingModel = "룤㯜岬啲禪\uf883莝艧垑᷃牮접袯奛嬚䀡䷒ꮂ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C22-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32\ThreadingModel = "Ⅼ秭㜒덀魈鍅뀖睽\u192eɄ뺯劄鿫楶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32\ = 
"\uaad3\ue198窽Ũ쾕牝⁽䔪䏩ꣾ쩠开" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.Backg = "澲\u0a11槝⣟餞芑ᰭఄ\u0fed\ue424읳됭\U000c72fb臄" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\Elevation\Enabled = "뙬ᚁ\uee98녲㜩纻僖齗髣꯸첌풜麱䋐ⲳ﨣\ue0c8⁔뜱欂짇뛎ᤡ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0e-f192-11d4-a65f-0040963251e5}\ProgID\ = "웪槁ℹ縂秞畡瓛綳桾瞚ⲓ\U000a6ab2휐簫ࡶ젎" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\UpdateEncryptionSettingsWork\ImpliedSelectionModel = "蠘ꤱ䩉忯爲鯷阚ዱ粳瀛볽醴窗㜖駳⅛딊" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13EE36D8-2EFD-44F6-AF3B-75FF35E6C691}\ = "\uebf3苕誱ᕝ\ue4ec⓶쒈府\u1fd5蟪\uec7a빋ᘃ\ue01d᯿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2af6bcaa-f526-4803-aeb8-5777ce386647}\InprocServer32\ThreadingModel = "棺\uf549ӑ刻춍䮛紾鎻鯣戶藡텶\uf2fb䠝쮝ᙗ\U000ab642鼗愀\U0009817c讶␠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}\System.IsPinnedToNameSpaceTree = "題\U000cfa5b낙縞ع뻈\ue4d8Ⲉ샺㉭娦惴䅖呧࿗뽄饖쎏它" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{487af411-1d5e-4f7f-b4f4-4721fe1e95d9}\ = "꒿놌땨\u0ad8⤃㙫瀄扜㈂\u06dd됐\uee3e捔䷈辐唛烩" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32\ = "ಮ鐟䱈쀍烵\U00056cfcᘱ靀ﶈ՝\uf584" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6C292BC-7C88-41EE-8B54-8EC92617E599}\ = "拀ፏ줱樣㨁\uee26\uf0fb諸\u12b7콥炒Ẫꚅ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20cd9315-87d0-40b4-b925-0a8f208e1f8d}\InprocServer32\ = 
"鱧콙ܶ\ue1d3김刂冡\ueaff\uaa3a풖ట㱛䯧ምለጎ黛欹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "䟺麠㆙窠귖雃带↷괣枇㇌둡雍䦈잛ᆝ핸螧\uf18b溫制잨䵎" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C1C243A-2146-3342-8078-AC4BFB9DB4E9}\InprocServer32\Assembly = "ₒ縡凨쑊뀘圕ᕵ\ue3ddꂵ깦\ue893츝ɐ␥阥蚞" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73257e95-0378-49d6-a954-44aabc841eab}\InprocServer32\ThreadingModel = "Ή䙭䗥䆸⫖瘝榹ᢢ냏黌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84589833-40D7-36E2-8545-67A92B97C408}\InprocServer32\ = "ㅁﺢ臿ᣂᰚꆂྦྷ刼\ue19bྈ⚵毋삪ꀼ\ufae0ྀ뿺䠟㪙ཛྷ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "႐Ꮊጂ큸椬픒\uf194오␉ᨚூ\uf03f儛傛" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E6D2639-4C23-4325-B8DB-6E373F20C733}\InprocServer32\ = "䚚⁷\ue37dᗁ⣌絥삫દ⟔ᣟ汆綵⠴绨" Thorium.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5972 | Thorium.exe
5972 | Thorium.exe
956 | Thorium.exe
956 | Thorium.exe
1420 | powershell.exe
1420 | powershell.exe
1420 | powershell.exe
1420 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
4076 | powershell.exe
4076 | powershell.exe
4076 | powershell.exe
4076 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
5276 | powershell.exe
5276 | powershell.exe
5276 | powershell.exe
5276 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
1528 | powershell.exe
1528 | powershell.exe
1528 | powershell.exe
1528 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
5676 | powershell.exe
5676 | powershell.exe
5676 | powershell.exe
5676 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
1468 | powershell.exe
1468 | powershell.exe
1468 | powershell.exe
1468 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
1972 | powershell.exe
1972 | powershell.exe
1972 | powershell.exe
1972 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
1524 | powershell.exe
1524 | powershell.exe
1524 | powershell.exe
1524 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
2208 | powershell.exe
2208 | powershell.exe
2208 | powershell.exe
2208 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
5116 | powershell.exe
5116 | powershell.exe
5116 | powershell.exe
5116 | powershell.exe
956 | Thorium.exe
956 | Thorium.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeTcbPrivilege | 5972 | Thorium.exe
Token: SeDebugPrivilege | 5972 | Thorium.exe
Token: SeTcbPrivilege | 5972 | Thorium.exe
Token: SeImpersonatePrivilege | 5972 | Thorium.exe
Token: SeDebugPrivilege | 1420 | powershell.exe
Token: SeDebugPrivilege | 4076 | powershell.exe
Token: SeDebugPrivilege | 5276 | powershell.exe
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 5676 | powershell.exe
Token: SeDebugPrivilege | 1468 | powershell.exe
Token: SeDebugPrivilege | 1972 | powershell.exe
Token: SeDebugPrivilege | 1524 | powershell.exe
Token: SeDebugPrivilege | 2208 | powershell.exe
Token: SeDebugPrivilege | 5116 | powershell.exe
Token: SeDebugPrivilege | 5452 | powershell.exe
Token: SeDebugPrivilege | 5720 | powershell.exe
Token: SeDebugPrivilege | 2656 | powershell.exe
Token: SeDebugPrivilege | 4752 | powershell.exe
Token: SeDebugPrivilege | 2972 | powershell.exe
Token: SeDebugPrivilege | 5900 | powershell.exe
Token: SeDebugPrivilege | 4208 | powershell.exe
Token: SeDebugPrivilege | 4820 | powershell.exe
Token: SeDebugPrivilege | 2756 | powershell.exe
Token: SeDebugPrivilege | 4984 | powershell.exe
Token: SeDebugPrivilege | 4060 | powershell.exe
Token: SeDebugPrivilege | 2244 | powershell.exe
Token: SeDebugPrivilege | 5732 | powershell.exe
Token: SeDebugPrivilege | 5760 | powershell.exe
Token: SeDebugPrivilege | 6128 | powershell.exe
Token: SeDebugPrivilege | 3004 | powershell.exe
Token: SeDebugPrivilege | 5484 | powershell.exe
Token: SeDebugPrivilege | 4788 | powershell.exe
Token: SeDebugPrivilege | 5108 | powershell.exe
Token: SeDebugPrivilege | 6096 | powershell.exe
Token: SeDebugPrivilege | 1668 | powershell.exe
Token: SeDebugPrivilege | 3932 | powershell.exe
Token: SeDebugPrivilege | 1792 | powershell.exe
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeDebugPrivilege | 5652 | powershell.exe
Token: SeDebugPrivilege | 5268 | powershell.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Token: SeDebugPrivilege | 3432 | powershell.exe
Token: SeDebugPrivilege | 6044 | powershell.exe
Token: SeDebugPrivilege | 3760 | powershell.exe
Token: SeDebugPrivilege | 1700 | powershell.exe
Token: SeDebugPrivilege | 3056 | powershell.exe
Token: SeDebugPrivilege | 4372 | powershell.exe
Token: SeDebugPrivilege | 784 | powershell.exe
Token: SeDebugPrivilege | 5600 | powershell.exe
Token: SeDebugPrivilege | 4280 | powershell.exe
Token: SeDebugPrivilege | 4244 | powershell.exe
Token: SeDebugPrivilege | 4456 | powershell.exe
Token: SeDebugPrivilege | 4328 | powershell.exe
Token: SeDebugPrivilege | 1368 | powershell.exe
Token: SeDebugPrivilege | 4572 | powershell.exe
Token: SeDebugPrivilege | 5472 | powershell.exe
Token: SeDebugPrivilege | 4704 | powershell.exe
Token: SeDebugPrivilege | 4948 | powershell.exe
Token: SeDebugPrivilege | 6136 | powershell.exe
Token: SeDebugPrivilege | 3472 | powershell.exe
Token: SeDebugPrivilege | 5304 | powershell.exe
Token: SeDebugPrivilege | 2816 | powershell.exe
Token: SeDebugPrivilege | 952 | powershell.exe
Token: SeDebugPrivilege | 1492 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 956 wrote to memory of 5064 | 956 | Thorium.exe | 107
PID 956 wrote to memory of 5064 | 956 | Thorium.exe | 107
PID 956 wrote to memory of 5064 | 956 | Thorium.exe | 107
PID 5064 wrote to memory of 1420 | 5064 | cmd.exe | 109
PID 5064 wrote to memory of 1420 | 5064 | cmd.exe | 109
PID 5064 wrote to memory of 1420 | 5064 | cmd.exe | 109
PID 956 wrote to memory of 4016 | 956 | Thorium.exe | 110
PID 956 wrote to memory of 4016 | 956 | Thorium.exe | 110
PID 956 wrote to memory of 4016 | 956 | Thorium.exe | 110
PID 4016 wrote to memory of 4076 | 4016 | cmd.exe | 112
PID 4016 wrote to memory of 4076 | 4016 | cmd.exe | 112
PID 4016 wrote to memory of 4076 | 4016 | cmd.exe | 112
PID 956 wrote to memory of 3872 | 956 | Thorium.exe | 113
PID 956 wrote to memory of 3872 | 956 | Thorium.exe | 113
PID 956 wrote to memory of 3872 | 956 | Thorium.exe | 113
PID 3872 wrote to memory of 5276 | 3872 | cmd.exe | 115
PID 3872 wrote to memory of 5276 | 3872 | cmd.exe | 115
PID 3872 wrote to memory of 5276 | 3872 | cmd.exe | 115
PID 956 wrote to memory of 3396 | 956 | Thorium.exe | 116
PID 956 wrote to memory of 3396 | 956 | Thorium.exe | 116
PID 956 wrote to memory of 3396 | 956 | Thorium.exe | 116
PID 3396 wrote to memory of 1528 | 3396 | cmd.exe | 118
PID 3396 wrote to memory of 1528 | 3396 | cmd.exe | 118
PID 3396 wrote to memory of 1528 | 3396 | cmd.exe | 118
PID 956 wrote to memory of 908 | 956 | Thorium.exe | 119
PID 956 wrote to memory of 908 | 956 | Thorium.exe | 119
PID 956 wrote to memory of 908 | 956 | Thorium.exe | 119
PID 908 wrote to memory of 5676 | 908 | cmd.exe | 121
PID 908 wrote to memory of 5676 | 908 | cmd.exe | 121
PID 908 wrote to memory of 5676 | 908 | cmd.exe | 121
PID 956 wrote to memory of 1584 | 956 | Thorium.exe | 122
PID 956 wrote to memory of 1584 | 956 | Thorium.exe | 122
PID 956 wrote to memory of 1584 | 956 | Thorium.exe | 122
PID 1584 wrote to memory of 1468 | 1584 | cmd.exe | 124
PID 1584 wrote to memory of 1468 | 1584 | cmd.exe | 124
PID 1584 wrote to memory of 1468 | 1584 | cmd.exe | 124
PID 956 wrote to memory of 216 | 956 | Thorium.exe | 125
PID 956 wrote to memory of 216 | 956 | Thorium.exe | 125
PID 956 wrote to memory of 216 | 956 | Thorium.exe | 125
PID 216 wrote to memory of 1972 | 216 | cmd.exe | 127
PID 216 wrote to memory of 1972 | 216 | cmd.exe | 127
PID 216 wrote to memory of 1972 | 216 | cmd.exe | 127
PID 956 wrote to memory of 4828 | 956 | Thorium.exe | 128
PID 956 wrote to memory of 4828 | 956 | Thorium.exe | 128
PID 956 wrote to memory of 4828 | 956 | Thorium.exe | 128
PID 4828 wrote to memory of 1524 | 4828 | cmd.exe | 130
PID 4828 wrote to memory of 1524 | 4828 | cmd.exe | 130
PID 4828 wrote to memory of 1524 | 4828 | cmd.exe | 130
PID 956 wrote to memory of 3540 | 956 | Thorium.exe | 131
PID 956 wrote to memory of 3540 | 956 | Thorium.exe | 131
PID 956 wrote to memory of 3540 | 956 | Thorium.exe | 131
PID 3540 wrote to memory of 2208 | 3540 | cmd.exe | 133
PID 3540 wrote to memory of 2208 | 3540 | cmd.exe | 133
PID 3540 wrote to memory of 2208 | 3540 | cmd.exe | 133
PID 956 wrote to memory of 3980 | 956 | Thorium.exe | 134
PID 956 wrote to memory of 3980 | 956 | Thorium.exe | 134
PID 956 wrote to memory of 3980 | 956 | Thorium.exe | 134
PID 3980 wrote to memory of 5116 | 3980 | cmd.exe | 136
PID 3980 wrote to memory of 5116 | 3980 | cmd.exe | 136
PID 3980 wrote to memory of 5116 | 3980 | cmd.exe | 136
PID 956 wrote to memory of 4816 | 956 | Thorium.exe | 137
PID 956 wrote to memory of 4816 | 956 | Thorium.exe | 137
PID 956 wrote to memory of 4816 | 956 | Thorium.exe | 137
PID 4816 wrote to memory of 5452 | 4816 | cmd.exe | 139
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\Thorium.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5972
(depth 2) C:\Users\Admin\AppData\Local\Temp\Thorium.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\Thorium.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Checks BIOS information in registry
  - Checks computer location settings
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Event Triggered Execution: Netsh Helper DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Control Panel
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 956
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5064

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1420
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4016

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4076
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3872

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5276
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - Suspicious use of WriteProcessMemory
  PID: 3396

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1528
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - Suspicious use of WriteProcessMemory
  PID: 908

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5676
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - Suspicious use of WriteProcessMemory
  PID: 1584

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1468
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 216

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1972
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - Suspicious use of WriteProcessMemory
  PID: 4828

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1524
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3540

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2208
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3980

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5116
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - Suspicious use of WriteProcessMemory
  PID: 4816

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5452
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 5700

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5720
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 5836

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2656
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4480

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4752
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 3060

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2972
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 6104

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 5900
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 1436

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 4208
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 1876

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4820
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4748

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2756
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 2100

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4984
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4356

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4060
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4452

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2244
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 3636

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5732
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 4284

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5760
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 5580

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 6128
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 1396

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3004
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 2456

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Suspicious use of AdjustPrivilegeToken
  PID: 5484
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4944

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Suspicious use of AdjustPrivilegeToken
  PID: 4788
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 4040

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5108
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 5980

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 6096
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 3972

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1668
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 3184

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 3932
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 5656

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1792
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 2172

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 1184
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4844

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5652
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4156

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 5268
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 2676

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Suspicious use of AdjustPrivilegeToken
  PID: 528
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 1972

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3432
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 1744

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 6044
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 660

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3760
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  - System Location Discovery: System Language Discovery
  PID: 3660

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1700
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 2836

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 3056
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
  PID: 4180

(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe Get-Process -Id 5972
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 4372
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5732
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:784
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:440
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5216
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4964
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2260
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:1296
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2300
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3268 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5452
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4228
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:1144
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5612
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:544
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5904
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:4568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
PID:5008
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:100 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:3044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2636
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4688
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:5152
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5424
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Modifies data under HKEY_USERS
PID:4248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3892
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:1228
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:5304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3512
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:2768
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4112
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3320
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5340 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Modifies data under HKEY_USERS
PID:3412
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:6068
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:4732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2004
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:4596
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4880
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:4172 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:1424
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:852
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4744
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:1420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5916
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
PID:2908
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2212
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2948
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Modifies data under HKEY_USERS
PID:2148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5440
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2784
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:2884
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:60
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3608
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5388 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3804
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
PID:5624
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:2380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:4948
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3460
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:3904
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5876
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
PID:5168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:2088
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵PID:5956
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5680
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:6000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 59724⤵PID:636
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 9803⤵
- Program crash
PID:1700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$1⤵PID:5640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 䁢ꭧ뼀蚬쮷⭋婓馺㶞闧똹젼楰ͷ蝯鶗1⤵PID:4580
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ᪆䜕鋮퍄退詍룿鹡잛૿럱堯湋愠喬쿿⭏湩1⤵PID:5940
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 腠쥲Ⲹ伳틸厜愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭1⤵PID:1888
-
C:\Windows\System32\InputMethod\CHT\ChtIME.exeC:\Windows\System32\InputMethod\CHT\ChtIME.exe -Embedding1⤵PID:5232
-
C:\Windows\System32\InputMethod\CHS\ChsIME.exeC:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding1⤵PID:4736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 956 -ip 9561⤵PID:4556
Network
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (3)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (10)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Downloads
Filesize17KB
MD5f6a82579f2f88b8aba38cf24fe1a60a5
SHA163264b02c03212236f29ca5ad0a2df3b812e2fd1
SHA256705786b6f158769987f4446563b2d6154d4b722c240d422b5fe0c1d6bb9b3f9f
SHA512470038de2de4619949b67803a90a430e36138b95c7b523aeabaa6d88619942ff7a5f87a84c759483a95d7b08e944a5c39beabbc91c4fa4839e836ca85d3e021f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a832fa5fc92bf3491d80671724032cdb
SHA1f6bafffda0f2db04425d655b6c558fc64e030844
SHA256b30fa654b07290ca53576021ba03901bdf7aac4788880dd57a1744838ee29b8a
SHA5125a13b9bc73e7e142c877c629c197cc021221e1b1eb081bf0f5b338da8e778d7af140f387823a056099a1f0078559a14221167ce3dd000a01e0faa3c76bfe0a5a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5c567d8132c515b1c4f7103e51f764558
SHA1789e4a3294f49caac8089f2ac5565f1b71a5b6bf
SHA256e8cc99a5194d720430a19c911fb748d0cb64a437a86765dca9371c7cfd5655d9
SHA5123444dab15aa9455d2f34e5b71ffa11b6eeaeedb93c081386d890dd9941ad2a91ca3353357d67a850c50d4de7c8aaf5501506fbc29e2dbb9143f938a488da2392
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD513c13c9805f4ab4ab5fb23b864ad4fad
SHA1631325eda0c3e87097a6521f424b4a1da42f470e
SHA256397705eb1ec7b2fee7290f47513b8ea2b2c5cccce351de2907b890b385c63f96
SHA512e909e7d2fbdb2e4f3572fe84c24e36b52da39e2284af180310a7593f2f794c657c621a0a99ba06d6a77e75bba759707c747eabfa91d1c6088c6847e76dc29d16
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5c6b2c4ebc7d93b018582102628c2863d
SHA1b384aa00a1e8a4668f361b99f530e4414b8c39e6
SHA256acc4afd8203ae04fd04115094c7212954e20b1e07dfa2bc9acc849efa7a0bae8
SHA512546b354b9ea21a51d2302bb428db64c83ea03e93d3d7a3f610682510c490c45188650ece140f30cbb9f72b76a7f2d7b403b59166f44f8557870dafcded1771e1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD52b5965aca3e3bd5b779be21dd350be76
SHA13af6f2e68545462f28c982453347880a8192145a
SHA2560186d025b3afc35f6e1df416c97a64ab8f8b3d6400158d10a5422b24c47922bd
SHA512c23149f1a03bca11585fd348df3fc3a02c1a9814e64ebc495b612171e229c88292ceca9e2e84b7ca141847e6c1063550a772191d71e5e513bd3a50ed88ec39b8
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD541da95ba6790b91c84a7ae9f495c35c6
SHA155a3e6e5376a3d70972951afa80f2b328ef796eb
SHA25654d0c04dd60d6e5ba908048af1f9feab57d337cae4682f2d86c38394b6c600bc
SHA512f0c81821506c53c7945db5cd0acaee7f4bd4a2077e6a37f9ed74d50c39cdba43f6f3dbaeb6bb1c8501a342376d0d1ce1a61f4e20e0199bd8d18f9f98c4a2acf1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5bd4e1fa3de159c454d7d29c169863b25
SHA1650db7ac714569249b12e762d96ace4703516dfa
SHA256984373c74e74195bb995b0a719777660d71c4726d4b79a505796d00969af327f
SHA5123036975b5fd2a051dc8052e5c6a26e2aac177ec0ee3aaebd2b9d2753297ba347cdd6ffd3a0225b73dec43f7fc01131cd804d0994057e20dc52df5978946aa63d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d430dfdd72ae3fbbbe44e4e88d65f125
SHA1106d8837416fc91b72da082cee43dd1f4065bd04
SHA256dd266ff21cfe51cf65696d540c0ee40325ad2867b875df76045fb0dd5ece2912
SHA512a7777e58b67e1773902e9e785374c88e0b081dda3a323c0773a2f4a5c29b99473e556094111095eba8f362726e283003e1141f497f31815f19292dc2c93bb7ca
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5566c9da595f3b9275ec4f13f720323b1
SHA1a85d5cb0a856739bb1b012e4ed130ffeb448788d
SHA256f63f42bd93e43884022e6d25dcab64feb63c1ab1830f5d7192440fd1fa90c08f
SHA512febef9222ebaeaff57c3263b0f1204fac94e0f84b04e19de6874ad3aa75a36094663f0b8b6bab73494b8f44a15f1631a3ca5f9da7f29b37a7c47c2ccc1227e6a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD539b398ea8d424faa1231265209699a8a
SHA14cd4db48a117c457d175e2ae11635d4fc313daf1
SHA25659f23cdfde769adaffba7cd77dc519fd6743138b62b4b6780241949eb8b2fe5c
SHA5128d422fbb8eb5a2e4990c06a118e336266376360cd84c21a52b6713cd323b3b52360aca9146a247676c68bdd4ba0943e6b774b38404975a06372e30d6972074f2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD505aa18cce9a6b25eb72ca3eea0253e32
SHA1787d15e7efdde59fcc40b6f5d8b1c31efa9a890c
SHA25634bbddcf7c42ac002d6d446cc45145609a5a636effe726f7b5f0cb83128b4d72
SHA512bbb5e14b86b9633d3d9a46c26d465c2aaedc3ce36f98a06f065a3c53206529179c952f2d525c32f9e4a1704ba96a88f36225547ada91902f30a9df4195e0112f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD54cabb80773c945d4698097f3da7efe34
SHA113c163fb73d31f046a2fce4b28cf2531e52f0875
SHA256f78fcbb700a2f18eefde2d6c482f5438d4ea4195de00bee532d2478468ad988d
SHA512574ca26775a28e28139547708664aae544de6814dec4e7fa0f96bea793efd67f7a19c57106316787745bb282e4fe020c139a1165f0b515f8b2aefd6daec5d6cf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD558fb71dce168ccba355b17dd542dc8d0
SHA1bddbd6ffbd912d058f05781901e6a3d98350d17e
SHA256b00ff013ec43e606ab7466264946f06104db53b0cff1d018f5f0ecf268f333d1
SHA512925d42cf247e9ad05bfbed340889d4514923de95c66a6075802a173d5fe54a04e689dafef243766240ed742c81d5091c07067835922a1928494ff7a2027527f9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD56ae6ea5970cfe714560ca216df70541c
SHA1e8674c05859444a351472e49e37f7a3dab9ca335
SHA256642deb3af12182aba27f68146b45c4e3f44ddbcfbe9e45172f256396760425bf
SHA5122ac8932774dccfea804e7c552c64abf9f6ea3543534bd613cc1d586cbf25b05b6aed9923a68582b172bf338dbcf664fb84f5bd063c398b76bc12472ff0f70ae2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5cd7f2cfbe72d6c9bc4db0212f882c4a5
SHA1fe1e61a1186a387ff4a8413e57a15db56c7cf0bc
SHA2567db5b968483590e7d2b9c3d9e242d6262118435d8ad15d5d200a35c31bc56640
SHA5120cecf5a3a00ba3107c5879db6875da6b0189b069054ef897025ea4a0289d8a2dc4f2b93710caf80b4290099594def737ac95f74514902d4114ebf09a2fe908a1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5abaaeabfa6fb72fe635977bc8047289d
SHA1817ee0e6d5a4d23339f0b0bc83fe182718c5cf7c
SHA256a27b39b3af04102a7e49836ee7b0470cd50bca64d2bedff1c224af284565a4cd
SHA512764f5a5695fb7f2f2dd1aecd771c4efddd05accbf5a08d85d29f830e849208591dafc4cec38f4bf8970059f2320cb86d6016a1fe492f999159202310e1f46bcb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD515ebceeb08118b927fc40e5980381cd6
SHA10b5fa05b38b1f82a1c654e87361a7334aa1b6619
SHA2569cf1856fe235694eade0fe4ccceaf16d8fcabfbecec530bf1879238687bc8a52
SHA512a03da3e2e0a16ed477a33775d7fc4b3259a3894a33a1e1275d5034995bc8862dc4ffa20457f481477474f4dd61123d564304d0a9a5ac58a219fb6d51a91df608
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5bb4a8be3431c7a20f09afda78cd388e7
SHA13e48235f4be4b4066c8f2e07a92ff0b717c4a75a
SHA2568b7c8337567ef4d90f29d68909f4653133bb1c1aad731585150065c29fff5732
SHA5126212d29eafaf514af7687dcc3a32995f8792df0b9a3c61fb4d7da8711d9ef8f857e49cf7162383050e6516e8bfc058f372b059681a040dc0e85e04bea841681d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD556de59a062626874921f7d6218d65b73
SHA11e3850bb2c2f479453c45412a2eea8964e36a05a
SHA256b0aea833412737beb7ed7d4a7be99abddd0c8ebe852de0cc08e0ace48cac20db
SHA512fcdf831e544665d849c9069ea73e2b763d5dae656383b1df30de1dabcf47385a16bc07b8b1862b0a7b88b7ad19bc2f8382998aa5ac5eee7d2ff591cd16111127
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD567b09fcd5db00771cbf3b669eda11bfe
SHA1a4821b5d56cb4447ecfea28ceb7e1d3f9232b50c
SHA2563f76310559acabfb8e62804096445d3e3b8dd977174c135e65ff0855e0f87ecf
SHA5129022e38b8857db3d2cc5557b1d7e712263590d5eca86d77282a1fc26cdafc335349fa333664d045997ce0b6cb52f2dc2f37f24f678ba5b452762d135c49906d4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5991517ece1e5d99551542019ef359c4d
SHA1832235f3c6a3298f128aa75944b40078d7a5b378
SHA256da98483adb830585c97671c7f44465a64b60a2f97c0277d8629f830524cf55cc
SHA51295145f954641cc943e7aebb35ff5fcd1a9a66e4dcaead270dae751c35669ecd78d9394a0f358bbbf0c07db2c792b79e40c25c26c916369938e7bbd09f3240574
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD57256bb3a8d77976ec41859841fb858ba
SHA11f590981a5129d2c646711afc246f9bdf827fac2
SHA256bd5a7f90e6277931e3ba2feeed44799d81c159a07e8199adf8dac1ae61f6c8fd
SHA5123f7c8b5705037450b6bb052f64feb48f36156390ce93b7b77ea3aac7d6414af9c7361b1a43cf6e9d9e427af581990aaee5d4d14b32bed5d45f52bec05cecfe4c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD55574edeb47c46f702532dd10b3afce37
SHA11d9c208b104713961d26bd63f881b819519c2af4
SHA2560a27d935461744d3ae952b242c9ea39690218370d63565da2e2bdee43f15daef
SHA512b79db601a669ffadcb4f62f0e269661339953a131763fe3fefa09b378ce2541207fa80818cd1eac1bdaf0070aeecf974904b1f250755d4fc23e5b9dfbb63e164
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a1b382ea200d6627395f9dbeec3b69e8
SHA1625f05ef91c4ebef8cb177a26f168ad83ca471f9
SHA2565e1f8400c2194c798b2b726a6f8cd16aa0644e5c52eb2f57a618ecab96330eed
SHA51263d1e0880f946f4accd3f555667feae588e36941ece1a8466bfc06d880354c09c23e4084d333e402bcbc9ba6c292a35462d103a3dc5ad2cc6b79470428c8f9be
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD545b0da4bfb5dd4c6f2a0986c2d7e06b6
SHA10f092350af8ef42d33b4c6338db8fb1d1588d3fc
SHA256979185cbb1b9199a5190338820d9c5fee522b502ac85fb328d4114f49de0b4e5
SHA512a4c2c5cdde04f93cbcd969edc64b2ecb5ce17f8f14cb55f1e80c46fb2f0e9f6e6f6cc38adda9a2c14d183c0c6e1548a29e84182fe76141f45f909c79b43193a5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5c92e4ecf499fc1d23025dbf7ef7d86d5
SHA1f4844982d200da72f08213e85d0da1a5a6caa040
SHA25654ea61ee9ddcb1934cddd488da6a3beade9ea59aba06de630780a86723987d23
SHA51288b80e34c5883b0fd2b7f017acffb98f8c413234587c62f230106f1a1ee9b1b822d891ff64549b170d1097c5d7a94b1fe705f35f7124b20d7613aa91ace13bab
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d9e89a77a5334302bd58b9d52d2e6a0d
SHA1c24d5bbf08fc172cf78539672d87fe8a94961853
SHA2566b286d17c6af7ce01525d8c8cd7a9ecc44a315ca969dc93f84f9bfe0ecb98920
SHA512fb373db135a98c9bb59771d72d94bb86d2d298993a4217e339bfc33c4c40374a0211129bcd081830f8878c4f7bde87aaa5528e25cf2890b2609062a0011710ea
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5aac880e804538aea6bb250bb6e319e92
SHA117a0c3c228cb9722e9b506837890f46ab7a6b58a
SHA256c4e0b831fa2128bcf4f2f1894c994f3be597c044e34e1ceea8ca5ab62e647309
SHA512bc3dbb8ae85225e4cc383379ce42a5df5eb3700d25bf97858034211418a7636c0ff5a0a381f820b8b3b143bf0a043e22d255f07329319f605014bb5a15a03aca
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5e255959712d32a38ded6d29fed6f4795
SHA1fbb31c3faf34e73fd3ea1484f63694c194cbe9cb
SHA256314f9741e71b09e9e7a7720b793c8e938dd7856f443a0df56c2c1452ec713d45
SHA512ca20abdc480984904012374ceb329754ed3587cbd3445b2bbe5702143884553feea2b6b58f8374479c8ed49ff3505c57907d199e288e86b3e6f4c60a4a2134c5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5083f12355ff3660474136c8c49bdfe76
SHA162c98b1eee8c1fb83424968b05076f05dc92ab52
SHA2561a29577c6c2056609259708285d778a71b4332c9e236af9487b21df7b666f9f0
SHA512650d0e34bf7356539c2f08cbb84f3ada580f03f2aa07bcacf3ef63139e5d39210aa2c79178c92b7fffd70bbe6dafb90b9a967802635bc463ba8d7b2d759d5ae0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD507bb70d56edc1bcb049e4699bcc115f9
SHA19b08c74731f25e20b11972ed2177ae77e629e7c5
SHA25653a6aa9eac8c13d5f57de21f5eab24e6235f5178aaa329fb649c225dd5b02bf6
SHA512da8b85c5642e68dd88682e6b59b96e790dbcc890e8afdce4f28b16c91c86d69fee5a5e66dfda1a5a034ba921189025560cab009c1fe88bcc34f50938127c8529
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82