Malware Analysis Report

2025-08-10 20:50

Sample ID 250502-l136tszsgv
Target Thorium.exe
SHA256 1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
Tags
defense_evasion discovery persistence privilege_escalation ransomware adware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50

Threat Level: Known bad

The file Thorium.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence privilege_escalation ransomware adware stealer

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Boot or Logon Autostart Execution: Active Setup

Manipulates Digital Signatures

Drops file in Drivers directory

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Checks BIOS information in registry

Modifies system executable filetype association

Checks installed software on the system

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Program crash

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Modifies Internet Explorer start page

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies Internet Explorer settings

Modifies Internet Explorer Protected Mode

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 10:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-02 10:00

Reported

2025-05-02 10:03

Platform

win11-20250410-en

Max time kernel

123s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "䑐凮眊칪舱\uf709\ueeb8鯿䈴띢ᆬ䫖ꋉ褰꾴闦轑ㄷ깈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\u3130⟘耆\uf268䐋᳒⇁\ue6b2క저\uebcf쿛㵛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "ꏷส捔ꊉ脱妙Ⱡ샟ꐬ\ua8de젰䦫㶠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "䟄愄慷㯑볣⼦\uef3f戶탪\ue285" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "륚⭤峳㾃ᴇ\ueddf䕩郍兕撄늎逘\ueb67ﰝ喢掖돓濪焮\ue06eሧ赈좐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\DontAsk = "\ue478͕͝ꗐ\ua7ce\ue148ꝢሐḐ\uf5ef▘㤵풂梀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "䚂䣆螱٘ꎋ땽畮鶢ಞΩ羚⃚㯀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "赑\uf7ba\uf4e4ᗅ쀾⢘ռ⬐⸠磜誰ᶻ笁₷射뛉뮭\ue6e9담ꩩݸ엦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "ꐣ湪❑弔됝䀠厜\uf2c9ࠬ㰊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "嵢Ῠ펾⽗찴ಝ竫考\uf395됕岯ࢩ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "礬扞⦑䌟繥\ueb4f랲뒽왘쥔眻讷位圥\U000b7df2\uee82돱ㅶ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "㛾惖⮐뗥紛ﰖ噘倝⾅㊟✁笢\U0004fd00\U000ba102镵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "컨ꏣ\u1a9d鐇磱ഩキ楷\uefdbޒ\uf2d8뇣䪶漢\uef31㔋춷翇\uec71攕矯ꎢꖭ럧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "쪆銹͕냻찒鮩\ue95f啍脈Ĕ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "ϖ铈쁭⽐羲氮쳵ퟲⓤ켈鋒\uf129扣얐㴝냗䔥\uedbe⠑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "\uf678뷣磫㿍鶼☮鼔\ue84fՒ嗍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "\ued17贲촒⩆ꏩ롬ℍ뺌\U0003466b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "䚄⎉\ue5c3界ꄾ橕뻇麺뢛ㅶ\uf6e4阸䷯㼨▃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "孤\uf814ᩨ్뵣狡쾹틁द\ue2a0ꃵ鍥ừഎ딈⬡鼀蔐纥\uab1dﴠ闎⑷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "Ꭶ雥⽈ꗊ⏵禷ΐ枹䜆ꭢ槵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "ꆥ䴄ᕼ툺怔픉䕇輲ᅈꞽ◵\uec57ꖙ䤨ᙙ٩尓銍⎂䱲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "\ue5dd\uf897\ue36a\U0010e363맾岒\uf619姽쾟屵툝\uf0b7" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Version = "仭鐖⃛踩ສ높⺾㵎䫚팉១㉬駁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\ue7dd\ue438ࣥ焮\uf3ccʎ\U000cafb3堀云蒿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "⫷\ue2f0쬨礵原妿鈴鈷\U000c1088捉쩼團ꆋ㫿Ⴁ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "痎\U0007486f\uf7c4羚\U0007b8af謇ꪙ\ue4ff" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "⭗鬈꥟텗\U000bafdb言綧靈\uefe6\uf518뫇奫츍즰\ue172" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Locale = "Ꝭ\U000e3b96뮢筈싞\ue105偤쯥蚊슅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "耶垗ﹷꜞ븾멲뗹玶ﶇ㱒竘㷿着\U000670d7" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\IsInstalled = "𤋮\ue75a⸬\U0006de43⦧讆堀샸ࠢ袜ᦥ썁洛᧗㛩䕱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "棚ྼ䏼\U000f3135\u2ef7쫍\ue90a鎍狹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "뚢簦䀋ꝭ懭뾆汹暒\ue07e즓\U00044bcc浖Ⓓ玛\ueac8穀\U0006b922褼㩨밸敏푮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Locale = "ᾼ絚쳑퇢垤\uf53e娶㮝ሊ뀦纤篞\ue177\U000df9d4\ue779쵱淟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "殶\ue228앝༂랎ꎴ䷁쬘銘\uf854齁\ue26dᛌげ皚鼻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "飐⡊ړ긞‟尺䧪꽠숄ᯮ\uf312╆맇驞洸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "ﳷߒ䀡ミ\ued7a栀\uefcc댊甗쯔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "鳍餢ﭴ\uef28难\ued7bἅ\ue5eb놽㎸⇠玙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "㜗侫ᨃ䒽捣尿Sꢽ⦅蒋늝唵狐\uf6c6쐽\ue956DZ奰횻嫮\ue007\uee5a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ꦆ㎝䩞࢞隴梙а\ua48fꩼﱛ幒孏ꕛ겨\U0008aa64譁뛸뛼竣駿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "閇髃\uf654閚𦒕ꈵ蛱晨\u0de1䡗ӿ璌Ȉ᤹쫖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "督ꬄ환鄦溇\ue769琸羱헳䘚ₐ\uf318賹\U000829bf禬쨪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "ꔩ\u0a62蛡厨匙䏂赚콴ጋ輟杏䷏읞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Locale = "\u1a7eꈓ쮛2갼辂\U00060b76럕糊\ue63e捃➾燎熿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "꣕辻풺뙚桷몣ꂦ㷢耰薦\uf231뮜䷸鱏\uea4e鰴틋ၵŋ⓫ꍵ毬鞘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "뽤슩ม쒽ꩫ⬿㠌걷똽坎镦\U0004d188쎿Α鵀⮪㰒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "订\U0010d7ba\ue58d與夁᧧寃늂̬錝۱贎Ⓠ\u20feஂ唱곞\uf6a2쯱楌\uedf8" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "ᶱ\ue78b㈒ⵔ\U000b2c11螵ꉪ㤂⇝ֲ炞ி鎠혭䙹苔鬲䀴夃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "뉂詷\U000c5d77앭䜜ᡀ⨍演陳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "蒀퇭礦瑎႙筡巩苑設⮂㢬Ⲁ抳ℏ\uf839륂倽귰ꀖ薬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "쿱萩葘䥣圁䘲쨨㴰闼嗭鎒\ue057袉\ue336稢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ = "𖺀㟘\ue1ba롧㮸\ue2e9ᅲ\ue476賃繵ﴴ鑁𖾟謎ᥦ옞࣐\uf2a7䝌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "ꎶ皞陗帇锵㏏羽\ue8eb㍡ᖑ햨겝窌ꥎཆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "﹒뇄Ṭ᳷礘殷춤હၶᢴ莪ॲ弚롔ᩁꇊ⊘鷠쨎㛙浴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "觽焧쐖鉛맥娓瞨Ṽꃳ\ue003ൣ볟湝倈㊚᫂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "빎K௮\ue7a4\ue48fꦎᑳ鷌屄⟧䡊⮌믬隮ꔽ㊞\uf867貒⭾⋳뻾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "ꭔ鲼猯㼮竪მ坉쟚㪹ꋢ䥰諌\ue36b\U0004205c괚攔嶽썬퍝⋓欄\ue0c5鏀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "㕶黯\ue0e2䙖⾮硋ኯ듡ﱻƇ薭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\IsInstalled = "횦ꏼ뮦Ц䐁苹স駈樈頛\ue4f6\u244c炙祐铣◄ꖡ蛵랛㰪㏹⪒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "栙導쏠節쾁ؼᘶ軑⏗뼭떉ྐྵ噪䦛贊ȫⵒ䭥芫䳘䲥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "㞮㰅㻢䲾࠸잵ꔹ嘘\ued10酁侃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "튜異繘伄⡒嶾再弔魒쏯\uf598恷ꒈ䝩ꓓ餶④\u0ec5\uecb3䫑뭽섴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "髰쇼\U00066c00ᝤ▾ꆞ們ꖽ\ue76d㣪櫅䅷㞯즄饶箶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "㯋处뚜\U0007086e孯룙쀮Ď虈\ue2b5ㅟ⟨\uab1f埂캙冀퍊ᯡ鋊џ焕\uf736甴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ = "₀ⵖ峕ᕨ\uf103ꦭ쀞쾽協龳\ue077嶶\uf30d얶ꪫ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "Ἑÿ怸⯶\uf8b7\u008d\U00075121헕샑ꍗ䕮镟푏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "羞꠷\uf78f㜟羮闶몆ㄢᱠԚ吟燗ﱞ⸧殙˕樌띧溁塈ࢻꁸᄈ⥯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\SysWOW64\drivers\hostsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "鼰\uf7ae왫핫鴅⹔斿㧵䭁텈垩ŭ瀖ࡰ餘꠹\uf2e7캃簍襵Ð" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "麙遦㲱𣼷⮡ᙺ䈿ᶱ\U000afaea⫨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT\Dll = "仆癳밅\ue34f։ע벚햅ے\ue23f䟆꽅\ue49d䡸ᬝﻋ绑㝌ﱤ\uf770" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "㔆꛶嚖昵弄쁚뗑勏롆ᜉ쒛葹ᝯ聾䣪ઘೖ꩹ᄇ쨪优豥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "\ue724㗠뿨Ѽ荌ﳉ鸷䆁㠪琏쫬ȹ廌ႊ죾纃Ⱃ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "흞햬ᅯ飑뿯ᅎῙഀ\ue804⇼\ue5fa愐⸂퍓䰿玄8\uef93狸坯뵺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT\Dll = "郵숏ᮊߵ⫋ꁦᢩ\ue779鰍\U00060f2c훑⊥娦띧鿝盪엡뮲ᶧ䷎꺼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "쳐縜睱둲ᚵ쬆末韐⼞⽚国跘棡핉\U000435ba몊㚧鐲壬ՙ㬂ঋ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "莓샔捴쑃\U000f85ee\uef22\uf34b⽼격" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "閕\U000d23b5穸\ua82d焊劐䇘樋\ue5a0腭賫ꔙ萇ꪯ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "뀧힢ᚪ庮⬰\uea2d弩븨ⓕᥫ㌻쾰딞쫮뎸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "㒖裚爖\ue78f\U000efa87쨋ꂟ﨣铌獱閎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "ဖ囈\u10c6ᄍ㧚▐⯟遑䮼巏洂䡜̅\uf5db㐠퉻ᘈ빃ཊ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "髟玕叄죮퍄쩵ꋲ慭鯙퀘\U0005debe笥髫ą㫏푰㰟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "⯗ᐚ핪粇隬掓퐰\uf737棯귱璾\U00016098늂獺\ue26b澩뱚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.3\Dll = "勻ᒜᰖ쒢巏짻昀\ue2ff渿綨弫쁮\uf596갫\ue410킮\uf6f9ꊎᚪ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "\uec94ꃲ㮃쇯Ќา̼\ue4c2鱩\U000e43b2궵\ue3fa쪪\uf666썊㉿ቑ种葉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "鑔刉憶←逗敷꺴潐碂쀼멗촷綾\ue5f4횼淇ዜ县\uf796˘눯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "ﮨ⺧旽黕\uf6a1䨒錩🂁캣랤\ued8c藎\ue35a⌜\uef67錗\U0009e8bd⅗\ue256㭢\u181a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "퉿䕚몭N\U0003858b皛얠텠ꪻ\ueb7d⒋鎓쳜ᇫ뿰潅롗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "\U0007cd37䰭뵽김혭搂嵐\ue15d\uf38e厈膟썭\ue276䕌羙뽎푿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\uecd9\uf792뤩鮇根谳䶷壪\ufff2粍䈬뉺\U0005126e䋪ȇ\ue5daᣔ錳᱄鵳뉉䍠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "筏Ḗ橤긾\ue9b4ij犣褚\uf7fc팴\ue314䩔ᄉ磫㷧㤶盌\u177a\ueefc鄵兘쇓㌰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "랙㫺ૻ牼ﰡ襁꧔娴峚狹ㆉ主" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "\ue1a8샄푆˜績흯冊\uf1b8\uf51b扽⾪ṫ릪〣좥먠锞떣ᣚクᚆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1\FuncName = "⋉➬ᱢ\U000160b6﵇㼟佸燊鐘翸ޥୠᘣ千ሲ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "鏠\ue6d2㐨ꉺ\U00037bbfⱻ缓\ue1b2⭂\uf4ff벀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "鈝⅐䧤퉌\ue921蹛靚앺떒\uf7b8㦋⟤¨뚟﹉ଠ㴋뛼福" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\uf798\ue451\uf765\uab18춫ꔅ\ue08b壠\U0009fad8嚅鎏囱⦓㰪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\U000f8fc2\ufff2㿬\U0005006eь\U0005c6ef⾀ꇢ冐윣䚫阙㐲ᖪ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}\FuncName = "羵㛛ᮛꬿꎳ\u0a55霆ͦ\ue236⋢繻膑\U000c13f3钫譙\u0d97惱藿끉뫼ᐔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "럺쥾䕗簾륧挤媨Ѐꈃユ冪寙㓮沋\u0ef8\ue157䋣\uf1a9곾\ue83b云\uf166" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "椀⌒䄥䖤ℙ偿⛉鳪ď\ued20\ue29d灒묜鰻葚✻\uedc6㑀Ⓦ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "竿不䐐ꓕ⫦ବǮ奈\uf2cc→칄ꫂ扆ⵡ㊽醪췝꓁嘀馈♰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "\uecfd褅컝ヘᙻᐇラ⤰\U0010da23㼁쉻\ue340笗댝容" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "䙺\U000ab6bd疎⸰ᰙꛏ蓆\ue780ꊪ扃\U000ad9b0䘚\ue51bㄵᐳ霖㇢樱佫䠷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "慇価䐡㠴솭ᐫ뉆⏿fi暼걊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "᳒\uf516삂⢭面\ue5ee\u20ce\uf3b6ྲྀ躁瑬졖쒞萸眠縓᷇퇋醸쀌˓అ墊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "溁檺蕛筼ୠꨝ봨෨䴐ꬬ\U000d682d诔⋧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "㊶㙘振\u0e71吁蓂l稐쭦\uf244㿶\uf524𥫿蚹뙗\uf659埐ꔢꬑڈ趵㛹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakEcdsaThirdPartyFlags = "\ue70d⫳깘䭋\U0009009b\U0008513a裪睛\uf854\U000a13c2⸼箣\ue87b燾\ue805" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "\U000ddd6c䍑渂닣窆&悦掾㹩䇧\u2d74ᛩ蓴뚽\uf448蛰꾔ᐭ滋䏴\uf1fd\ue74d" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "屮죗立괱追抉䝌\ue0a4䄐㡃禨脐⸻䊊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "곮Ჿਂ\u20c1\U000fba1b\uee71爻\uf328ࡹ똞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\U0008b071զ✚㩾捌ᜐ\U0003fd52搀鈡\uef6a咶읤\uf19b᠍췘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "푢쫌罧憖\uf326ﰓ윁枪\uf6dc雖鮶㊻ꩫ䩄삎㓲詥㩀ꝺ簚\U000a8a5e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "麃顊\uf5c2歹䬊뇩㸅벺⻲뿞䫰\ue960쬑\uf3fbꏹ⇰ၼ텅ꘉὍ幆쉈ⶦ\ue6b0" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "\uefd7뷕놕剧\u1aef뤷绶玠莭⠰㑕𦮑靃\uee40醭⫱竱宣⺴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "籞𦝬ᩂ㊯段䤤\u1af9Ǻ\u1c38戲殠罷뮱ﱘប襡೨鮾ꞅ麇꿩\ue245" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "싩ႉ\ue8a9\uf003熢⥜ಙ\u0a37厁뤙၇㒱뼠莮㪠\uf0ffᶗ邬ԣ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F}\Dll = "엽嬐ׇ仼똏ㄜ振\ue2b0ꛑ䒉抮풂ᚣ醥밢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "<樀\uee50\ue5ef㞟脂憂\u2458屪횜難\U0009854e㑮鞾␘ᄋַ燒쎌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "囎꽢葕銺ꬉᾙ逪⮎\ue44a驼∲翪㶰銢起퍅崥풥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "薥왖耜⩬㯓烰\U00084f5aŪ溓\uef5a콪䫷晓䧝\uf8f7퍚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "弉ᜌꅕ罜샒괥\uefee咩쥽瞢啑\uf594" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "㞥波ꄭ祓插ᘋ蒠\u0c64븮㒅窞ु㇜⠍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "쳖桨䱿\U000ede1b蜮⾓坱ꏶ삂콽믘\uf603\U000aa3f3ꜭ䏕顰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "ꃒ륍翮펒얮ꕃ솕悍䬪遡氄㰚瑡嵩\u0e7cՐꚻ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "큔ࢩ\uf7e9沈쭶졾剓꤬↞\uef7e孴嵋백뫯Ქഃ틡蠡⚅ꨶ⩔碦碱趯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "웓Ꭓ䴅륕꒼둀귎㬸\ua957䟧\uf7ed뒣ఏ앵퍿ᆳꠕ濩ꥄ菿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12\Dll = "쿸焁ꝴꍛ收൬ࣁ龮櫹㜓敩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "\uf473澱랳\uee1b浨ꙏ䛯깂ꉍ⥟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "蘙勄찧忷齄뗼\uebf9༐뙨腵Ӕ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "벢ꊜ\U000ad0d8\u10ce稱⒋馼ꇓ뽳ꦩⵍ䳮Ṇ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "刅\ufaf4殮琸\uf5e7䎏娶包큳\uf77e䧚씡ꔰ倂龵ࢄ㺪腥蓙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "᭄羈뚏배竨ᢳ㲡\uf04d\uf1c2哑꾟慟䥉嗶ⷆꄼ畧ゴ\ue082儬촹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks computer location settings

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\Geo\Nation = "櫹闆肪鷞ለ冏娋쾘ꁲ䍘㞪⬀ꅻ\U000afad9⍁㧳\u2ffd㭀啽稢祘\uec29" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "ᩓ\U00068fe6曫Ⴚ俵墬ൽ쳷숫ꆪ돱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "䘲놖菁\U000f3a40违퍯䎢韢代ኸ曌饢誗ᤢⶳ澎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "聢⯸톐䝥鹢\U000e4b08ꭩ鵼ᰆᐤ⮫寲為⏳䋔뾇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "춛蓼匲ࣘ蓋덖᪈䭰潈嵣瀫\uf3c8谐㶚⒭푟혡퉨꙳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "\uebaf\uf2f7憼聍隷羥㪻ⵆܚ죔\ue1fd똗\ue935\uf621\U0008fec7\ue757쥤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "뀸\ue999肪李\ue573\u0a57㕪늡⠼╥౻\U000cefc4謄˔\uf0e9쥇㞧嶽ᱞ窄ᑡ늡빌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "啫숶닧낊甽堟ᝆ溡\uf717㯂꾠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "쏭ꄢ\uf475얬\U000877cd\u1680\uf0d2部鍍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "㡭િ绀젊\uf806㺪\uf8d2阸睃鷇힀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "㓳\uea1e衁휦ⷰ㷅ၒ䤄萼ᗸ엋醱橍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "\uec32㍌땥厕諸\uede9汜塶װ㧞鼍婏漢書" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "Ⱖ덄\uf24d竔咶爐\uea7d\U000ae39e㨿䠇촞ꭆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "눞\uf39dᆱ遛\u0f6e䥈Ϋ쎣厬贆ꃗ\uf4caࠆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "漇쨔甧Č럀霠릓Ꜭ⧣\ue70c덀薀셝\ue90c\ue45d㓨㵵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "ꡖ璵抭\ue70e쾼뀉ᕶ膇芠녅\ue486閸\ueca0뫏j\U0007b6a4ർ温槀搡훟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "ꍡ빫\uf30eᮙꑎ쐸\uf5a6脯䲙뫉翑ࣀ䘳뤑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "떯努ぁ⃚ꗵ䋧蜰鱵癟햽ꆶ爷宺⢆賘Ṙ跗於榪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "礴ݹ\u0be3畇行ꟹ\ue3bb㙖顚楒J盲姩蛲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "쑚鴱붡嗮ᙗ册쿆\u3100峪奼仸꽋굅\ue96d\U00055dcb" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf434멢赇┼\ue711⡟앳\ua956\uefc6ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\configsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\msmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WallPaper = "Ằ﵀\ue69d祥蕙㙰ꁪ⢉깰㞒礴֓\ue396ꅰ㐺붫ﳳ\u0530煔촱鰼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\svcagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\configtool.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\svchostcache.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\Network\netserv.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\svcbackup.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Connection Wizard\server.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\thorium.ico.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\syswin.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Windows NT\logsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\hostagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\INF\infhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\INF\driversvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\bootcfg.dat C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\winoptimize.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\taskfilter.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "㰮֫怵⊠匴ꍟ郅櫏‸ጡܕ夂ﶫ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "穝ᾙ펔\ud7a6\uf866浅䣃鋬馲ꈚ\u0de4쏌잟㱊\uf122" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "쑹쭁ꘘ㧒䨖啳ⶐR頄㢵䗪줠孕Ҧ\ua95b᥌\ue5e4縚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "嬥呛ভ\ue8c0䩡㟾᳥\ue6e4睫ȼ폅熅ᝊꄇ犒\u0ffa铎ᫀ倐믗鬎詠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\u1cca뷔㢪顧攭뉢啁ㄘ鳌᮫뒁錮飬\uef69䚙\ueaba⎭괥Ἃ蟟\uf8cc" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "뎧Ậ隙\uee32\uf6ac쟗爝뙅↋眘\u0eda\uf0f0ȴ顸륏\u20f7\u0086嬟佥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "ோ⦕缿달ꧬ୲啖ঊ\ue951秣ꇦ몺\ue982ꃫ㠅\ue780藯뤫\ueddf秡\ue33d" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "\uf166囘샨䉛⪹䏻\u0ee6䢫ꞷの딓\uefc4죒ꬰ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "ꋠ\ue621\ue9b2鿸ἀꓢ聉삶朋鲉ᅥ\ue893䪝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "젂᧱縵懚㽸쳬눢ﭑ럂붎⼣蒇㨒㮕紕潰趸嘫" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "덓톓뛗列鉝汻\ue6dc\ue565ƚ᧑홬㏑譯涸໔\uf3a2鹶⋷\ufae5鋻⟚㷇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "㬊㟠窗ѐ굊캣㞽〈仱匔ꭑ押⢯좾渠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "ẛ\ue399瞗놷펧덩\ue4ae孔擭逛﨨\ue005喼㰭ㆸ繧殺勼骿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "鞃㢶戻文ᓂ⇖甁믍᱅弬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "轳\uf04bﱜ\u1c4c\u0c54ᜒ鳳\u0ef1娂挷ꬃ褧䚥鬶꣧ꣿ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "珞ꌛ⺅ꭧܫ\ua7ceЯꤨꄢ䕔욻᯦ឹ㰋\U0004501a㶺첦兞\ue506ꚳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "呵⿰酇⣼缋₤탪闊\uee51擏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "\uf82b䀄\ufb07⃯⯘줆윊徴\uf51e蕾瑆碯즾歫籴㲟\U001059e0ꈠ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ե㝰䔨\ue9cd\uf4f8⟄餡舁횽\ue5f9" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "е⟴섐趋쾦陹⾾\uf6bd쿲ˊ郦\U000d73afꀥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "脓鱺틆ᮖᕍ哺ꌳ⎺鉳콋\uefddᶴ試矪洳셷ᵇ䅟췌氾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier = "⸓㩕钹⑾茋\uf071\U000ad90b駐\u244e\uf455⧏㦥쩫㭞౹힗␎꼸ቊ䀇轞⥀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = "️奲𘛼톥ꛏ⠪쭠⥊﹡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information = "߰\U000a7701䯍\ue36a왆\uf543Ⓜᥥ돕乛憆䋙\u2002ҁ젨⏫\ue784紜♬鍺秘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "戒綷赊ʲﲤ\uedbd\U00076b5d\ue0c9⁶蟐\ue75f侱\uf703닳屸卻죆╜ޖ谨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "Ἠ䴰\U000f6acf븇\uf328\uf67f춁篟\ueaef㘚\U0001d273픊瑹鴙鳋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "豌衴鶬芯늰\uf3bb\ue899ꋝ棶淤顋뺣᧣䜟홇䇹Ჿᗽଅ䇔䠾儜漤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities = "㜿麼풉纊術㣌럿잗툫\uf139穳\U000978fc씛䭑\ue3e7⒘᧷軦༫蕊责蹢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "ퟏو\uea4d㿊৮⨐ᗛ亙늇斪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "퓿➫\ue91d\uef67볨퍈⌃蒅㭜蜙㽄W현厱樔士蜀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "萣⛔笓巺竿㟖圔歔\uf3b3ٌ㋛䷋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "祰㇚層\uf027꠩䅪\uf0e1䊻\uf11d㾙쪥⚷쓶컐\uf541" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "\u218d戍덌䁵\ue069ᚌ끑羸駉戆慢㬹\u058cဍ\ue623鯫" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "䯇覦偧빃紖ꆩ悾온\ue7d2㪍絹䪈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "뷦ꆺ貥ᡉ㏘匘맅\uf2bb\ue151刀敐䘿놢埫鞼ꂦ됰㱕뙡벩⁈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "图䃪\U0007a717俕ᱛ㔦떀쑃멋摈ꙣ鳘깨䆖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "뮛\ue4a2槨ᆎ魸㢆⩤夻⏿쬝ꃦ堶춒ࢅ긿虌秗\U000e8be8븛ස" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "饧䓩\uecb5ⴆ闁ᵏ\U000a0efc욷煱࠹ﴇ℃檝芮⎚\ua95b\ue80d伻鱀斯圕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "뼚\U0005370a䴱偉曫쟐믱緕⌬\uf54b\uf31a腐㬠㛗륨뜹殢⊼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\TranscodedImageCache = "㨙㔺\ue770磎鸅ꂋմᕘ겮巢存埏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\DoubleClickWidth = "흶ᓐ쭋ゥ\ueb3eꝡ吚䮫輼♓整ۣܲ奞轹ぱ\uf2fc檓ᇈ盋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\0\Description = "⎚\uaaf9솮熲\uf6a4\ueb03㵥\u09e5誩댷鱽̑\ue9a2\ue62a욮수讞惧\ue735䯺퉅ᾟ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Description = "讔\ue901ᝯ變흆\u1af2헜籃傯覯\ue2f2룪ᶊ䅺\U000cdf37\uf545\ue2b5䲛졄饤꙽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Policies = "\U000e6b72确\u0fed瓧谡⟋錄១ꈄ\ue97e\U0006f42e\u0dd7㜆ﰓ岕ꆺ즒삦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "\uf79f\ue734몂ⶾ\uf501뮮\U00096890‐푶盁喺ꘗ⟨䛹\u18fb鸹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\TimeOut\TimeToWait = "㭹ᣨꓝヌ쓹뤷䥚墕眗\U000d7634鎆僭慃誵쌰뙒去\ue0a0" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\LastUpdated = "Б\uf734輰昧훾鑉켠哵\uf865ᛥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveBorder = "\ue66c\U00046b32姪耸䥭먬䏍鏜ꦛ둔꩜ᗟ㥚ί囱\u2431칆\uf2d9䭙⦇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\s1159 = "\u197f䀔ᷙ唩\U000e6f61ķސ1슕輱᩼锵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\SlateLaunch\ATapp = "告Ԏ綾魍诌嚖\uf3b7釿眂\ue5a2冧堠ㄦ\ue7d0ՋЗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\BounceTime = "ꒀ꧌\ue9ed儔趫\uecbeൔ췋\ue4ac欣\uf81a瑂\ue735伐缴\U0006f2d2嵭Ӟ卪䭽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Delay = "奐砋⊟寲嚫坋\uef5f釵耜ਵኛ濆ᷟ븺Ȫ\U000c3191鞀㽇\uf4d7著⬟응\ued5a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "鮡鞡쬧癎lꃻ㺂빎材\ue2baⴼ\uf6ea饣방縆펻瀬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = "뾞쯔죆௴㚅㪚䨒\ue709곬혽恠⼘㷰뉼\ueda8㧂䗻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MenuShowDelay = "虪靦렉ᜈ瘱㛬⤓✅퉜䠕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\Menu = "멻ﻖ䞙▚\uefe9촳捳铑ꇢ兜㙹㜈㛄ꦢ诟筻萝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "櫃\U0010baae\ufaef튿ᤪ히鿄㈤㣁棇릫澫䊞\uecea⟐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\SettingsExtensionAppSnapshot = "蠯\uf7e1勤뱤\ueefa鉔ꚶ㶰ɖ\ue2c6蘠挻༈瘩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "ꮌꗓ\ue92aꉻ늟ෟ辬\ue80a튞憈ᆱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sMonThousandSep = "볼ꇓ೫脌≤晃荣⾗펿胳\ueaf9䤜cﴚ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveTitle = "蔓学ꑋ绎왶\uebe2\U000ec440奔捁Ꮸ蛣缐봛ᷡᘑ禗ᛤ킷藦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sCurrency = "\u2062ᅧ垣⩝橔끿\ue750姭⥖\ue799㘱痔\uf0dd" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Sound\ExtendedSounds = "ૅ嗓፠梂㋊ᘽ蠒땞욡勧\ueff5擲\ueb03\U00080ddb薉\uec1c佖륏\ue637" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ActiveTitle = "㜤泉㕱⎥愔\uece0δ謟䶭ꤢ፪㱊\u0ef6ᦙ롟쇞㷇\uf3ec" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Help = "鿎蘽䯑벾穣\ue37f뚇块\uf89f끮ᄚ¡袨梟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragWidth = "鄰뀕ﭼۊ蜴\ue82c断匸릥\U000418bd쳋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\TitleText = "諆鐬닱㸖Ƅ쫞璕䱺௱뿚\ue5f7췑谯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iNegCurr = "勖\u0095蠓\uf64bࡑ\uef5e㗒ꦪ瓣럮矩덣֖렞\uf3ba\ue2bf㴦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile System Backup\ShowCasing = "䅩\uf69e\uf3ecY彬凥둨椃ࢰ谚悬䮅ᖱ搖뫇ﭒ戕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\MouseThreshold2 = "핾뻹悽\uf8a7Ͼ脗⥶䴚\ue300嬛ध\uec29\ueeef깋昢屠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ButtonAlternateFace = "뿦\uffd8\uaa3e촚쒌馬ᦶ෯\uab19ㇰ硌懻藆뜳\uf746" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientActiveTitle = "⡽\U000f2bc3琹뾷襪\uf734ↆ擀방\U000d2140삡䴃뙁쾇즆\uf357\ua4cc" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DockMoving = "皛ꃪ諭\ue936무มɕ뉼씲䳊庰ꦓ\ueb7e쏕\U0007d714떿\U000f3386ﭹ禩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragFromMaximize = "\uef12㷶\U0009847cꊮ鿿ᩧ㏾惁﹄ᎂ폙変笖㞶肳ᒦ璍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\FocusBorderWidth = "斏쒮뎲\ue513艮宁\ued85䄞뵀탩⪀孃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MaxMonitorDimension = "⽨㮣퉨Ⲭ鋐⭌鮮뵬㋎ڳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000202\Target IME = "ꢜ\ue456␒㢂ᠱᇃ哨\ue128駆묍拱ﵷ밵ꈋม鑵\ue5d5渢궹푉别漸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\SwapMouseButtons = "텟♎똄償뵥ᯙლ˔\ueb41ﺹᜊꧮꖤﴏ鶺鵀⚱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\ActiveTitle = "忼࢘뫙䵊틥湒ᲁ廂姉౿\U000675c8" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\1\Policies = "ባ禀內\uf277菕鬭왢솧鉗蹻\ue7f5⚓\ueec1솋淿㎳ᔺﻐ愅\U00102724圉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = "℔ᜥܵ暸靸咻냂൛\ue439⋱ᨚ쇪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "崪弙\ue042쁵㠘놖퉫\U000ae148鶼ౡ쨦ᰞᩘ㕭⑭磁褽楛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\CaptionFont = "\uf3c6᯽獾軤㟝Ⴄꟻ\ue604⡥鞧\ueee1뎺\uf38c㴛\ueb7b㭂䏘米喁\ue6cf쾩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "嗫鮸낃ﴯ鹧\uf190厑綪\uf01b荋曁飑՝\u0b97힖䆰ⶵ뀜笒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "䈪へ㻱뒷ຆꐝ粥웒憩㩺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\IBeam = "ꅓ濯쇠䝜䊸훩糉냡ო탽ㇿ획ꣶ䉩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WheelScrollChars = "桷ꉟ恷ꠄ黦\uf8a7뛹怦슘犰䊻沍럌膘ả" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sTimeFormat = "ᓩ궱ᮙ莡﹦炾㶋\U00074e80\uf508㔴ᕸ橔ጙ풢죦\ued6e몜쨔\U00012f55䛍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile\ShowTextPrediction = "≂긘굕ꐄ\uf221䔑鑓祇鋾熮읇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "芎\U00100361쒞〒ꔏ钮휑텞䟐띕㸡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "㗋餕碝곪畩鼊鮋렢쥞ソ癊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\ = "梌\U00095ddc\uf830\uf397檩\uf5d2囹⻭嶨嵞퐧곹\uf31b\U000d7576璂왯\ue00b湺㣇\uef8d┓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\ClickLockTime = "\ue2ff冢ֶ뫠\ue19dꟖ龿⏱\uf80cወ䝷车℉\ua4ca綾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\IconFont = "帊⻯⎸솦䎨ႊ㌡ګ鬝\ue4e9渒蜒\uf293蔢\ueace셟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sYearMonth = "拢㭊\U0010b3bb깃\U000897bf怦꽿퍟䎧桧\u2e6e䇏薭솟ꄬἙ脇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iMeasure = "ꇻ睺칝フ圽燆ꤸ海㰏樏켾팩由ﲓ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientInactiveTitle = "敜礄ય⑀챬꒦뭵ㄺ夒맊⍖传剋嘪둰㬧\ue942촹ὴ\uf730書邨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = "㙵櫒䀏ꆤᡢ\ueaf2計쌞괆\U0007e74c퍂᳧䜴ⰷꣷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "\ue2ba痽ꑵ鈼뽲惄犈㊔㿜촄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Hand = "ꅲ黖環ら䂇P\uea83ᓏ\U000794b0쳁탃달" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\SizeNESW = "\uf21f鴡绻瀍ꎙ塼뤎\U000645f3끇尚룦髾曍贈ퟮԃ誁蕙ṁ귘։伐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000010\Virtual Key = "鬏賓ዼ녺适查邗锳೮ᑡϝ桔뻗\ua4c8痈蚘냕泹䘔꽕\U000e8f17黈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sShortDate = "嶇ႝ捦瘤\ua7d4ⷨᆨ쯇磪\ue019♛倬⡇얦䪇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\U000955f4뿗㯞莱禬␤湪磃贮野" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "ἥ庯끑\ua4cf䣹ꭰ엢뫞푌\U0001a4be\ue19a䝑쫭剦괠봵\uea87" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7}\BlockType = "㒶癒➰庹ၑ\ue10a웸鼈쨟哤\uf58bꚨ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8136114F-FAF9-11D3-B0D3-00C04F612FF1}\Compatibility Flags = "狆ꀦ႓㙮⺋撔\uf4ce✙㊉腃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\PlugUIText = "庈⣟끸ደ该寑轙\uedc0㋷皜ꔽۍ謿廖\ue36eꑤ埙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0\HKeyRoot = "\U00019671ឬ陦榇疨젂ꄈ㽗얞皦期脞➢ﶔ솳傍踰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\Version = "㴫꩜ϰ鯖ꭇﹸ쓢糪\ue1bb绗겴播𡒽힣廄\U000d5f7f䩦氕ⓓ蒜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\Version = "ড়\uee72啊Ԭ黾တ醋ꡤ섉ꕘ禗飝겝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}\CompatibilityFlags = "뮮Ⅱ옸뗕\u1ae6饋뼁ᙁ蝏\ud7c8\u0edb쯻\ue064ŧ〢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonText = "퇢\u20c9䐭躚醈裆悹⣔㤔⛠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\505 = "䫓藒꼮鞛\ue3c2勇\uf262\ue6f4곶딊荌㕿Ǚ싄뜪펹臃煿㞚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4F496A52-13F7-483D-B5E2-0FC4AA567749}\Compatibility Flags = "侀\ue499뼹摘ϴ圁滛哟ꇁ鷐\uef7b竁\uf632牴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\Type = "檎\ufde3盙ꦷꧬ걕䝜\uf16b筌뉌ⶸ舔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C}\Compatibility Flags = "폔갻誟繀\uf864\ue45c冴穕\ue8ab\ue439" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND\HelpID = "轂챩츟揼䦞༤㞍欦聘\uea87\ue564\ue364龰\ue2c5ퟮ哆䶭䜹憗䩈뺶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\ue0f2\U000f3f72穣㴞ঈƕع垛駚哆㖝\uefc4Ʒퟶ犷Ꝙ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "뻸颣㠼昿휣ꕩ⦾絣ɹ鸼㹒棜ἠ㮴\U000f4a8cﮞ瘇இ敂蟼嵅䗜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "䩎軭ያ뇤₩⊷ఝ훈䡧䨢▄筋봖%" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\outlook.exe = "\uf8c2큺䜆㸛陬\uf4bc殤鬳阓爩\uf1bcḜ써ᩘꬅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "ᑩ휡뻻茓⤝⟇\uf80c丵Ʉ눐䅥袜쎪跓਼\U000f1bd9㮢驣၁읅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "טּ☦쿕\U000b10ea飭倌孫ꔪ댒踔尧\u2450쏜력Ꝣ液ຝ킸㱓瘖婧\uf232" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\ValueName = "륔睝ࣚ蔥䜠䢗\ue362\uee41瘖偖猥訟觬ꃴ芃⤚蝅曏娞变\u0c75" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\BlockType = "覴鳆勩㢋扝敽蹊輋ﴠ鋙䭮賄吸䵽珢蟕笈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable_Disk_Cache = "Ꭰ\uf157뾸綴뼐씞\U000129ab쇋全으⯔睒奦䧻╪䒾蚊옶ଘ\ue467" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7DA087-B7F4-4829-B038-DA01DFB5D879}\Compatibility Flags = "苤“稸骘節䇛췋渫\uece6믦쨠ⴚ褩煐䦀洱軻뱪뚅옺\ue437パᘕ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\RegPoliciesPath = "䎩룸\u0ff8茠쮚龅\uf8dc\U000d0382䒌⁘鼯㍠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "侐療⮂ﴍṕ硩嬨믥뻎న觧뤂쮻뉖\u0cf4饠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}\CompatibilityFlags = "᠍㪐˰\uebcc\uf035㓺賢蚐次왕ׅ䎚‣鹣\ueeb8훎㋃㟍ᖭ粞⬺꪿鏕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "\uedef펧谑ᇶ艪\U000b5d27\uf847\uf0ceᰫO嫤\U0003a2d1崟\uef81縑⒫ᥭ횹逍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "萭쾾㮬淏\ua8caヱ㞁\uf3c6숆夰쨪﵃♉햙\U001098d4栈흥\uf207㠰帐ᦚũ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}\Compatibility Flags = "䟍꒟灗\U0008ddc2蜜灶橿藨믣㛌柁黳\ue423⚈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3}\Compatibility Flags = "룂镶鴃ꤡ隞谅൴垭\U0005a206ቘ蓭琞뻹\U0007ffde" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\FWLink = "\U0005fbf8\u0c65ꙩ纖佋㳨\ue504鐤엦䪸걔㴲迶鯖䜩既\U000d0afdᨆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\* = "幄\ue42b鸾퍂迷ƒ\ue20c歛卑ꅉ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\UserAgent\UserAgent = "ӌ\ua7dc䈃绗콆꿯酔협嶬\ue90eꌊ❏뷑ח⇛鴓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}\Compatibility Flags = "\ue5d1攔蹦䧩ᬀﱳ韫秨䫔⧟괲錴넠涄\ueb2a\uf4f3ꖅཤ瓇鸁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221}\Compatibility Flags = "铷앉痚蹅댓ࢤҬ蚎绨洵ₗ⒱健犋䩛ଯ舉缽鶊☽ু" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\PlugUIText = "퀇洔\uf7b7崎쏓\uee74\ue549\ued74\u0d11葂잂췡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\UncheckedValue = "ḹ按즮늭\U000cc135磌\uf59b꙽䙉\uef0b☭蓟瘴삳鼏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\RegPoliciesPath = "\U0007ae2f㸒\uec57ᄉ\u12b7笡꜅킵\U000d5e04䕥䓾亩\uf4ac৶ⲫ\ue745ꅵ㳴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS\CheckedValue = "뜴컥\u2efe㍋洩떡亘\ue798ⶦ뿄뀃㝍郰荒可즕弼\uf331" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0C1E01A6-7923-46D8-8E3D-0F62B4A0250B}\DllName = "\uf6db黍ር謺馸품n懾ꨩᆅ\uf685⧩聓뭊ꋜ鷉⦑\uf6d7ᗣ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8E929F51-5914-11D6-971F-0050FC3F9161}\BlockType = "ᮄ瀳⎃ᔟ̐䐡\uec7bᴾ\ue331胦寀탹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB049B11-607B-46C8-BBF7-F4D6AF301046}\Compatibility Flags = "า嶁ꦮ瞫ŵ▝\uf1f1ᅤơ簦鹀\ue8cd沢뀐ꎻﮘ熏˕寋뇴ꗺீ䤶託" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE4-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "泸ᴴኝ䥚\uec44\U00038e62ퟳ눅፳ꔰ쎾\ue1f5" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING\RegPath = "淮ዶ틴\U00038718䫍䦬ꪡ僑큵ԟ䆙夦ಖ괈⸇\u0de1\uee87⺗廮\u0a62" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\CompatibilityFlags = "\uf36bկ쀦碁竽䌏駌ⅆ큙ᑇ㒅畲튜\U000c6784⣷摪虴᙭៵ﳍ꽋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4becf16c-74f0-429b-8d3e-4fba507ac661}\AppPath = "㱒㯻钣ㄎ靥焼Ḩ䯕⸬ዓ뫦ֈᨊ鑔耸\ua7e2꽦駶⑲\U000a8818臶ᱸ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\iexplore.exe = "鹻퍖축羓锛컪蕷뉺侟髿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{e0f158e1-cb04-11d0-bd4e-00a0c911ce86}\Compatibility Flags = "\ued81\uef49혖룖柋揈谷䔣\ue3bdᆗ\uef1a獖⡡늯鎄鷙郿\u0e3b䋧\uef2fמּ퀟\ue016" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\Version = "욝쵄揶䔬试ⶣ\u1c8b\ued22䬞ꖺ\uee25ŢỨ퐊ꂶ韌琉\uebec" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains\CompatibilityViewDomains = "\u0a0c㉌涚꽅ﳘ癬↑荦笀൴Ⱋԅ꜌ᴮ鉋쿖\ue348" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3}\Compatibility Flags = "簹뚦⸋炼\u2ef5塄ᠵἵਾ\ue5f1\uf763䑙菇쁩\U000de4e8ﮉ\U0006c7a1ˈ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS\RegPath = "ﻥ㢼葹姅宎樽▛ീ祛\U000756cc鼣倿똿먁㓛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{26EC0B63-AA90-458A-8DF4-5659F2C8A18A}\Compatibility Flags = "ⵉ\uf692뺌薃籀綢窱甫瀖\uf7a0ᗬ뎾놂숫\uf675硲뱒皓\U000f5f7b店ᆊ്" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CFB5280-800B-4367-848F-5A13EBF27F1D}\Compatibility Flags = "湯쥦ⴽ꒰\ue52fꫮ☡톞⋖쭚蠐\U000cb3a9괾潎+ꓶḁ㋘嗓募䑠\U000e8177" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}\Compatibility Flags = "퇒鰿ꞅ䨨皦㟄\uabefၟ\u20f1闬\U0007db38\u0f70똏榝煸ወ鼲昭㴀ꇗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PLAYSOUNDS\DefaultValue = "褮늡鬇\ue41c뉔ﮃ䐪젵쾻憹랭䬪\U00012bb8她" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\UncheckedValue = "䢏ፄ\ue20b둘\ue6af\uebac\u0dfcᖦ뚅ꑚ婖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8469A9DE-A3BF-4218-A1D2-F19AA9EA1617}\Compatibility Flags = "⫗ᙶʙ\uf6b2\U0004f322১蟳됦즀载\ue139ㅅ垛阁칯뻚起喒ݶ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D4C0DB38-B682-42A8-AF62-DB9247543354}\Compatibility Flags = "혏삀ⶌ簷庭ᙚ窤睕െ旍㭲\U0002f630" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\UncheckedValue = "骽啘ᆦ䅰\uf062㍭뽄磼䊔ჾ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\DefaultValue = "殿眡࣡錙靣瞼녑甂⺋밈ꅒ꧙ﺋ堊踬ᱞ쉌힁⢒⿃ꉲ\ue64f姷䂍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\PlugUIText = "崻뺵尘\ueaf3\U0001a44d위崯괐ڿ罼Ṏ蝑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage\RegistryRoot = "瑤\uf785도鹗쌎쀕界쿸쓇嗳딎櫞虤䄨∾辌ⰶ캲ꉼ沮漸₢븨\uf201" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "⾾ꝿ킐揩\ua7e4\uf07d\ue24f隬\ueb8f㤬᭜Q훚椕ᚯ\U00059f97晭℟谾\uf28f\ue31f\ue6f7" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "믓ה\ued88䥴겆겄叿㸣닁偰囄阹琎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\System32\drivers\ws2ifsl.sys,-1000 = "⼴넀壛紺\ue9d9\uec1b賸뜊猊愧纨\ue936" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\EhStorClass.sys,-100 = "\ue5ea𫿋\uf4de㙫曑\uef69북팳묤抲豚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%Systemroot%\system32\rasmans.dll,-200 = "攗\uf711⮓䨒쐡뀯읟⠾䦟햪䷁็핟拫倲ꍂ쎢䷰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DevicesFlow\appType = "ଗ뾞됦팕㦁䌚\U00108688ᷤ庩࿊ຠ䃼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.InputSwitchToastHandler\wnsId = "\ue219哳흲\ue9a1ᗢ約㮂႔㨥𐲓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\Quick.AssociatedWord = "翥谝㟒氖셏샶ౚ뷡ঃἺꜱ徂﹩꯰¥\ue96d씓ग熹\u009a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme\Name = "誂喳髏㠷抿⋊몡럓沬\U000d9fc6Æ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpAppAcquire\appType = "杵趵\ue6fe㮪䩗蟆\U000690c3韏훚蜾Sᱞㅑ萯≲竸Ⴣ䖠벂編塋ᨥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "\uebd4ῴ転\uebfd桤鎭巡僺뢨ﳽ菆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "튏跟ᷞ㔬굃\uf407⇉⸢㗔橓뷤⛃䦜ᱵ맱ⴅ↘忀┊痚\uf114꽭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe\FontFamily = "㡩괣㳺潙\ua6ff略שּׂ\uf2c9䧸\ue8de쎹ꕰﶩϰ塸\ue152ﷀ敲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Lock Screen\LockAppAumId = "Эᡉ㙉\U00105f91ꗎ硒ΌꁁҐ\ue183꒔筁➺㉅暀𰑇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\lpasvc.dll,-1000 = "凿ᆩ㲞⽞‸‗ଂ㬅ﮟ⤺鈓⎱藹噻뢜쨋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MoveMenuItem\ = "熉몵╊ҷ糰컋\uec02ৌ䳝삅\ue544" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\DiagSvc.dll,-100 = "ꊯ乖폴퀋\ue740\U0004dc67\uf355ꕊ矔煄沧ಟ涡跑桫襫" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\Help = "\uf825㝇弯詂ꊖ訤칧怎曆\U0004fafeᬔ濖\ue8a3" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387\Version = "퇅븉쪗\uef92瘠\uec46㤌㬝蜂⏼㍰\ue819에純\uf545爽糱锝盶\ue1dd욮㠊ꬠ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Microsoft.Graphics.Display.DisplayEnhancementService.dll,-1000 = "암⫚̐閴쎙᫂ꍮ\ue8df碔斐\ue4c2" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\TitleText = "ᐌ䱜쇽걮叇퀹褖뵁\U00035059Ꝛ砬頹헫倬覣早獛街喙Ꮳ縷≇仠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\WindowFrame = "簛͟緯㪨쐧ᰴ怉檘葤▸㊉뼎⊬狣䤧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.AudioTroubleshooter\Setting = "島㸕⒠ꍄ\ue533忝䔩\u0af6倂⣫澏뗥蝃씥櫓꘨\uea3b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "ゆ\uf6b8ᇃ偸⻲ﳐ濋뇯獝㞐ẉ潚㣊鸙ጠᾃ谲邱◟譐\ueee4쇸뵪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\Window = "씵啷ڨ륢룒鋑\U000ae5bb\U0001647f\ue48d救㪄ັ\ue0e6䢨ጲ鹁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%windir%\system32\bisrv.dll,-100 = "癙툁孧蕡Ո筪廚ꍪ皗ଗ\U000ff796⊣ҥ塅\U0001a100ⶬ맫䯕ꜜ\U0001c793㗋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\tokenbroker.dll,-100 = "⒅䳁휰ꘚ꽈╴爵␤蘨湺꿻滮勉鳀寥矮칖ൻ柏\uf860陛笭ᜟ⼛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\u20ff稺鎍䌦䬯⢡\ua63c呧寳案ఋ䘈⥰\U0006a50c" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.EnterpriseDataProtection\Setting = "蔢쐽儙쾊篟椆ฌ\uf184ᔶ䭡ﵹ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "㰥ꥵ㴬\u2dbf妧綱到㣬鑖迬皳쉟☯⑽ߩ烜䄽椾൹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "㌪샱㴸돂q抌굤\U0004bdcf䍰䚟펮慠括欑\ue409ꭗﮩ궢⩴妔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.SMS\.Current\ = "핲\ue678\uf542\uefd5쇦\ue69b䢈廎ŋᄲ뵷𥓨侂發" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Speech\Preferences\AppCompatDisableMSAA\devenv.exe = "⓸粚迒둸យ㳋까嫫楹⹎ᦗ䖞컫˿錖䥉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemExclamation\DispFileName = "ན돲앋\uf3a9䂂庻㱸\ue831鹈㰫婸樘藥灥⁾鸻惮ﺂ斈ﮑ쾾坛魦㶴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WindowMetrics\ScrollHeight = "䟛⺭榵᭛롎搪십\u1ae6잗寝뒙\U0010a71aᕩ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
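The registry rows in the tables above (the Internet Explorer settings, the "Modifies Internet Explorer start page" rows and the "Modifies data under HKEY_USERS" rows) all share one shape, and two things about them are worth checking mechanically: which hive each write lands in, since a write to HKLM or to the .DEFAULT, S-1-5-19 or S-1-5-20 hives is not something a plain-user process can do, and what was written, since every "Set value" row in this report carries data that is not printable configuration text. The following is an added example for this page, not part of the sandbox report or of the sample: a small parser for these rows that classifies the hive, tags well-known high-value keys (IE Start Page, Low Rights ElevationPolicy, ActiveX Compatibility, CLSID\InprocServer32, file-type associations, certificate stores) and flags value data that looks like arbitrary bytes rather than a setting. The tag names and the randomness heuristic are this example's own, not the sandbox's signature names; the sample rows are copied from the tables on this page.

```python
"""Triage helper for sandbox registry rows (added example; not part of the report or the sample).
Parses the two row shapes in the tables above, 'Set value (str) <path> = "<data>" <process> N/A'
and 'Key created <path> <process> N/A', and tags each write by hive, by high-value key and by
whether the data is printable configuration text or looks like arbitrary bytes."""
import re
import unicodedata
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

ROW_RE = re.compile(
    r'^(?P<action>Set value \((?P<vtype>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'       # registry path, may contain spaces
    r'(?: = "(?P<data>.*)")?'          # data is present only on "Set value" rows
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$')
# The report prints code points it cannot render as \uXXXX / \UXXXXXXXX escapes.
ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})|\\U([0-9a-fA-F]{8})')

# Tag names are this example's own labels, not the sandbox's signature names.
KEY_TAGS = [
    ("ie_start_page", re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.I)),
    ("ie_elevation_policy", re.compile(r"\\Internet Explorer\\Low Rights\\ElevationPolicy\\\{", re.I)),
    ("ie_activex_compat", re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\", re.I)),
    ("com_inproc_server", re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32\\", re.I)),
    ("file_type_association", re.compile(r"\\Classes\\\.[A-Za-z0-9-]+\\", re.I)),
    ("certificate_store", re.compile(r"\\SystemCertificates\\", re.I)),
]
SERVICE_HIVES = {".DEFAULT": "default profile, used by SYSTEM", "S-1-5-18": "SYSTEM",
                 "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


@dataclass
class RegistryEvent:
    action: str
    key: str
    value_name: Optional[str]      # None for "Key created"; "(Default)" for a trailing backslash
    data: Optional[str]
    process: str
    hive: str
    needs_admin: bool              # HKLM or another account's hive: not a plain-user write
    tags: List[str] = field(default_factory=list)
    random_data: bool = False


def classify_hive(path: str):
    """\\REGISTRY\\MACHINE is HKLM; \\REGISTRY\\USER\\<sid>[_Classes] is HKU\\<sid>."""
    parts = path.split("\\")                     # ['', 'REGISTRY', 'MACHINE'|'USER', sid, ...]
    if parts[2] == "MACHINE":
        return "HKLM", True
    sid = parts[3] if len(parts) > 3 else ""
    base = sid[:-len("_Classes")] if sid.endswith("_Classes") else sid
    if base in SERVICE_HIVES:
        return f"HKU\\{sid} ({SERVICE_HIVES[base]})", True
    return f"HKU\\{sid} (logged-on user)", False


def unescape_report_data(data: str) -> str:
    """Turn the report's \\uXXXX / \\UXXXXXXXX escapes back into the code points that were written."""
    def code_point(m):
        cp = int(m.group(1) or m.group(2), 16)
        return chr(cp) if cp <= 0x10FFFF else m.group(0)   # keep text of an out-of-range escape
    return ESC_RE.sub(code_point, data)


def looks_like_random_data(text: str) -> bool:
    """Heuristic: real settings (paths, URLs, numbers) are mostly printable ASCII and never contain
    private-use, unassigned or surrogate code points. A value that is legitimately all CJK text
    also trips the ratio test, so treat a hit as a hint to look at the value, not as proof."""
    if not text:
        return False
    odd = sum(unicodedata.category(c) in ("Co", "Cn", "Cs") for c in text)
    non_ascii = sum(ord(c) > 0x7E for c in text)
    return odd > 0 or non_ascii / len(text) > 0.5


def parse_row(line: str) -> Optional[RegistryEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("data") is None:                  # "Key created": the whole path is the key
        key, value_name, data = path, None, None
    else:
        key, _, value_name = path.rpartition("\\")
        value_name = value_name or "(Default)"   # trailing backslash means the default value
        data = unescape_report_data(m.group("data"))
    hive, needs_admin = classify_hive(path)
    ev = RegistryEvent(m.group("action"), key, value_name, data, m.group("process"), hive, needs_admin)
    ev.tags = [tag for tag, rx in KEY_TAGS if rx.search(path)]
    ev.random_data = data is not None and looks_like_random_data(data)
    return ev


def parse_rows(lines) -> List[RegistryEvent]:
    return [ev for ev in map(parse_row, lines) if ev is not None]


def summarize(events: List[RegistryEvent]) -> dict:
    return {
        "rows": len(events),
        "by_process": Counter(e.process.rsplit("\\", 1)[-1] for e in events),
        "tags": Counter(t for e in events for t in e.tags),
        "admin_level_writes": sum(e.needs_admin for e in events),
        "random_data_values": sum(e.random_data for e in events),
    }


# Constructed sample input: six rows copied from the tables on this page.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "⾾ꝿ킐揩\ua7e4\uf07d\ue24f隬\ueb8f㤬᭜Q훚椕ᚯ\U00059f97晭℟谾\uf28f\ue31f\ue6f7" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MoveMenuItem\ = "熉몵╊ҷ糰컋\uec02ৌ䳝삅\ue544" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "룒\uf8e2꽜꧌戌宪訙쀅큧ﶥ榐䅴趖癄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819}\InProcServer32\ = "⛳窜劎㩋៱\u2069蚻ᙬ锗쀔虘\ue2b8桕\ufdcd㵕诩㴻\ua631" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "뻸颣㠼昿휣ꕩ⦾絣ɹ鸼㹒棜ἠ㮴\U000f4a8cﮞ瘇இ敂蟼嵅䗜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A',
]

if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    for e in events:
        print(f"{e.hive:45} admin={e.needs_admin!s:5} random={e.random_data!s:5} {e.tags} {e.key}")
    print(summarize(events))
```

Run over the full report, the hive column is the quick answer to "what privilege did Thorium.exe have": writes to HKLM and to the LOCAL SERVICE, NETWORK SERVICE and .DEFAULT hives are only possible with administrative rights, which matches the privilege_escalation tag. The powershell.exe rows are all "Key created" with no data under SystemCertificates; that is the certificate-store key layout being created in the .DEFAULT profile, not certificates being installed, and it deserves a lower priority than the Thorium.exe value writes. Because the random-data flag fires on every "Set value" row here, the Start Page and ElevationPolicy entries cannot be read off as a URL or an AppPath; what the report documents is the set of keys the sample overwrote, not a usable configuration.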

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\SupportedTypes\.ico = "柦ᰚ顙㺻劀䳾죄붫䍕紝萾\ue601ާ㔙諡呍\uaac3裥䉻㶱\ue864ᇼ\U00088871" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{212690FB-83E5-4526-8FD7-74478B7939CD}\FriendlyName = "挬沱뾆\ue428│苝榃ー䇭Ἴ\uf6d8忨썛媆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14DE3806-5D5B-405C-AB89-4AC936BCBF48}\InProcHandler32\ = "霉욞ᩍ㊌\ue105\U0009381f涁뛃見摒霟允튌ⵟ\U000cfc9fᤔ\U000d09eb牺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "\ue0f3\U000b8b3c搘긿ﴑ涉읍망ﮍ瘰\uf626赛ᔖ㇘靿ꃩ㥹ᬅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "룒\uf8e2꽜꧌戌宪訙쀅큧ﶥ榐䅴趖癄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\PersistentHandler\ = "㍥⣁慗\U00038338ᝇ궴Ὤ병䱂\ue47e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{FED4ACC3-87C9-45E9-A026-5B59A855E687}\Copyright = "⋪䁐\ue4c5㏣蹽戈Ꝁ☛\ue4ed裏嗫ꘌ疗果禥ꄛ꼼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819}\InProcServer32\ = "⛳窜劎㩋៱\u2069蚻ᙬ锗쀔虘\ue2b8桕\ufdcd㵕诩㴻\ua631" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SoftLanding\DisplayName = "\u2e5e⇧Օ\uebb6⏐⮆\U000ea1be\ue43a䠀⎿뷜伯ꉄ즪붍ꥁ鼳\ue502灤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\VersionIndependentProgID\ = "\U000426c8퀍郮䪢炮맩\uf0b5ꇈ\uf457譚\uecb4⩈訜첨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.21302.1000_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppXg4gma5adbcq51t954g3zyy8q4frw = "\u0ffe\uf2b5핢跈餕ⅴ䋥\U000155ee\ue690徧磍믶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "Ꞥ䆺妎㪍妬\ua83e씠솶⤅摳㺜ꐣ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01FA60A0-BBFF-11D0-8825-00A0C903B83C}\InprocServer32\ = "ᦢ燪겣뽴ࢳ莿อ롏ζ楥텣瑱έ㨾uጚ﯀푶\uf17a㼩饠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C941FC5-975B-59BE-A960-9A2A262853A5}\InprocServer32\ = "⎘㱃㧐伪\uf31e\u1cfd许轁빥敛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4020D514-E884-42E9-91DC-E1F09004D3F0}\ = "ꑨ旜᭭仑ꏄ徕狒ެ븄呹⏅ᒣ✥ഡ䭜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SpeechServices\IconBackgroundColor = "ꈧ黶䃜飿\ud7ae叐䪾ਜ좖힍\U0002f729荽\ue9db" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{115e13cf-cfe8-4821-b0da-e06aa4d51426}\ = "ፔ𑦼걢⮌\uf0b2誳ྋⵇ뵽ꂁ턟猿蘍伬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.midi\ = "蝨\uea05逇邺换\uf85f릂뛩ࣆ➰嶁헄ᏜẶꛆ悌붓⠍僟䎀螘ꁓ㰗ౄ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1fb2a002-4c6c-4de7-85c2-cb8db9a4f728}\DllSurrogate = "ᱻ㢘㏬ᎆ⯖\U000af0de턚橿咗\ueafdꟸ\uf28bꃛ荚促᫂\uec90灭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A7E84C44-F0C0-44F9-A4F2-68B5EA50B200}\ = "ﺤ낑낎됅况\U000d5f32\uf1de紈㚍\ue343力鄐謀捎䗋ᖉ㿁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "遥뿥ᙊ坌\ue3b2햋\ue297㡢詣塗蓐ᖲ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F58F63F-244B-4c07-B29F-210BE59BE9B4}\InprocServer32\ = "葼\uf7f7㴩䭿ᬲ\uf533砀枨\uec8b\U000f11f1ꥭ孒\U0005b58aꏂM뗯㭈脹뤶ᛚ란" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C3B05FB-3498-40C3-9C03-4B22D735550C}\ = "\u1776ᕳ瀆ꌓ䳉孶옒鏼哿舂䩃ꕟ焊⎝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F046ABF-3202-4DC1-8CB5-3C67617CE1FA}\ = "웸郺N䩫ᤩ薈䙃Ꞥ뛢ᣵ遑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32\ = "狣⬰ﴦ☤㗁\uef8bᄜ᜕즧幧惁㲫뱟을\ueaea赻速\ue81bﱤ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{549365d0-ec26-11cf-8310-00aa00b505db}\OLE DB Provider\ = "荅Ճᖸ䌣\u0b52聞ူ\U0008b1b2\uecb5捜弤엊땧뗲Ʇ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000108-0000-0010-8000-00AA006D2EA4}\InprocServer32\ = "蚂压둕崦鸴ⅽꦄ\uf4cf쓘㔀濸ᅲ\u202a衺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\InprocServer32\ = "㌓갹⟉렒㦯㝆漽២시蕡劵\ueeb1\ue247ঞ韕駛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.CredDialogHost_10.0.19595.1001_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppXhwyds4rk7x1n5d19trv30fn7fbe01fjx.mca\Ven = "즍\uf502ꬾᲞ켔\ue888峒߰컵波兩쁜\U0007398b忢⎪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\ActivatableClassId\App.AppX3yakgvx5b9nqwwbf8gyghjzfc8dksct4.mca\Vendor = "㉁꠫\ue8eeһ䄯烉鄪顡훱똠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder\Attributes = "\uf124ኪ咡\uf7f1깮症쐄渱⬼ⶆ]鰍☍館呢薑깪寮얆먲櫘驀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\Global.ExperienceExtensions.AppXv6fd1nnf5a00yg2x = "誚刼ڛ䖮螧\ue5f3鋐\ueeef\ufdeeゾ艛桼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4062C116-0270-11D3-8BCB-00600893B1B6}\ProgID\ = "᪘鹧麠ྖ\U000a0c58쀇隕牡绹ﻹ੯댆⛦熑즾헗鵔Ꮗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "䇸㪛ₓ縅淽\uedc0ᴖᙲ逸芸퇓ᅴ뺒驚盯阚嬂ꈅ瀴\U00088b35" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002000F-0000-0000-C000-000000000046}\InprocServer32\ = "蓘橹\uefd0襞۠\uab08맥Dž嫘窣掘风苰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\AppXtkjk7ve8gcvsz7s2y4kkf56wrmb5edr7\Application\ApplicationCompany = "氎䰌䊨摺叼\uf7edﴥ\ue684﵅弦돞ޢ륏恳ﰻ瞎큒\uf329텃䀅ᙻ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.XGpuEjectDialog_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Microsoft.Windows.XGpuEjectDialog.AppX6pz4 = "\ua62d趶뿞䗵砡\ue499鿜⿻蜯奐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EE17959-931E-49E4-A2C6-977ECF3628F3}\InProcServer32\ = "띇垾原疵쒬材퉇ᜉ偽ᶶ\u0530\ue5fd甴챊ꪦ嶊缳䒰熟貅ꝟ籱ᄄ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.appcontent-ms\ = "㶏쾪ᾐ댿\ue2a3컲浤\ue638帥\uf732ᚂ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E132-0000-0000-C000-000000000046}\InprocServer32\Class = "㬶\uf287霑ᔬ쩙㳥\ue93fꚯ釘膳蔹늴됓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E1F1A0B8-BEEE-490D-BA7C-066C40B5E2B9}\CLSID = "\ue1b1퀚𗅦ᶇ\ueb55䈫ꨪ㸺ᚑൣ赠톦㘔\uef10便㍡秛芩葭ﻑ潥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32\ = "詴딴Ô䎴椤ݨ䤿衪Ὧ萍뷵瘭迶ꢯⳜᒸ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{45FD65ED-6BC2-47ae-B391-9E2B79F07C52}\InProcServer32\ThreadingModel = "\U000ea1edꣅ隸邢̞䮞湭䬩뻳꽬♦ꮢ䣈컖췼蔐ﺘ㊙삳싻\ue31f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{573bdf38-df23-427f-acb8-a67abd702698}\InprocServer32\ = "榌袩\uf8c4詻ㆯ\uf45d\uf2e4䘯ڐ巧ಿ\uffc9햻ﱺ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\xhtmlfile = "䠄ꐘ饫\u1f47䫐ﯣ︕쿜ⶳ걚᯼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6d8ff8e0-730d-11d4-bf42-00b0d0118b56}\LaunchPermission = "模\uf614㟥樲㲅ࢂ閭䳋鯧伍囯ꋜ\U00087f95辭䂉\u2003Ⰻ攛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A076CE1-4B31-452a-A4F1-0304C8738100}\AccessPermission = "㦥ݾ啙殣黰띋\u1af4嫬豶⽁畡‣╿쑜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDATuner.DVBTuneRequest\CurVer\ = "ꙍ\u191f髭刞ୌ홿\ue7fb챑\u06dd㻽嗂\u2d6b箶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03E7DAD7-17A6-4F91-A879-F276B6FD62F8}\ = "\u0590僤Ꟈ鰺䡙栫엸\ueb9e邞䲰≗\uf1ab\U00038b77ઇ䁯\uf4f3倈垃㴇䝌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5F5AFF4A-2F7F-4279-88C2-CD88EB39D144}\FriendlyName = "䂖\uee9aὼᑰ糖༭嚣筀됁痤癃燷\ue31fힺ載簍橫쌜禋僺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\MiscStatus\ = "规憻ཛྷ쐰봬\ueca5ꍲ\u07bf獊뮟\u1680芿Ⰾོ吷눃䚴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17FC1A80-140E-4290-A64F-4A29A951A867}\InProcServer32\ThreadingModel = "\uec7f铠ꋘ돂䯖辙햕\U000f929e㈜\U0007953f䀌㺞飯䳻ᰳ뺏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00CA399E-4CC0-43D2-902B-CEA3D36DC9E4}\InProcServer32\ = "밚媸폻嶟à\u05f6ꠟ닓ﱦᑽ蟚伇髯휰늄쾿\ue7ac࿒球엑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0b2feecb-1577-4fa6-9a29-bd9022ebcf90}\InprocServer32\ = "楳\uef9d쏳⽮큪ꏓ蚢竤輜䭅ꍺ\ue1db\ue1fc鸒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{228136B0-8BD3-11D0-B4EF-00A0C9138CA4}\ = "妌\uecf4\U00038945旖꿈\U00085f80ɐᶬ鱕\u2d6c\uf484䮃朂\ue21c펛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\AppX4tfstxv315ny2wmswr55fgry1ym3yp3h\Shell\open\PackageId = "緼莕辯塃읍晜뭧韜꽫к⇗ᄭ\U000b310c\U0001ddfc㸺\u0b46\ue739㾣ꍏ㲀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.SecureAssessmentBrowser_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXrtkg3ebdrtg67k8v75m = "謪샀鹐븸൜䏯\ue5aa\ue505ꚥℎ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F275-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "―\ufaf9쾖ਫᬖ㠨듀\U000f6473껜業㖌\ue1d7㞣꽌\ue8e8聏⦽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}\LocalizedString = "튑錔俘콄㩚淵⤤や澢雴ퟄ\u0fe2祭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58859c43-2c82-454b-86c0-9efb11e54838}\InProcServer32\ = "囂鵘㭪愝咑\U0010886eꩁ쾡\ue9fd\ua639뻂丄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\accountpicturefile\IncludeSync = "닌ឞ⻩餭熒逓銈ފ셪靬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ADODB.Recordset\CurVer\ = "\uf05b줆㵧\uf84a恟臭ቀ猴啧㻄\uaac7菷蜉弐\uf12f㑟㿤뗖㳼꩒찊鱭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289228DE-A31E-11D1-A19C-0000F875B132}\ = "㕌\U000e8256ॶ뀊틲鋃譅㘯懜\uea04\ueeb1ⶻ돒\ue72e#㩩絰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aifc\ = "栔왒밒魫\uf4ea⋄賋鰊濧㯅\ueb26획റ⾓䲂ㅩὩ秹ឝ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 5428 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5428 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5428 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5428 wrote to memory of 5576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5428 wrote to memory of 5576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5428 wrote to memory of 5576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3160 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5180 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5180 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5180 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5180 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2296 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5440 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5440 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5440 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 6048 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 6048 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 6048 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 6048 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 2364

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ਍$

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ⿾쓪똔药๚ㄭዉ嬞

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 䲩뿕񞸏덽羢徺彼堺

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 멢赇┼⡟앳꥖ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 鍧┫ﮟ醓뙶ɏ㺙䌝皦䢦

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ܋⦅ꉼ었⦕ꤔ이Ꮷ㋢﵋

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 948

Network

Files


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d7eefc731ac53119bdfd20594eb45eeb
SHA1 536b25c81b914cdd9e8e3198a7433d649d13856f
SHA256 e1fa0db1f0a7edc648d8355ca0b40c24ed41fc36012ab132218bee7a62eb9970
SHA512 cf8585734ca75c65253294c317001ffa70b474e8abe204aed68a10826f311f806ee25ae795ea9ca119156618d833b7b163fec9fd443af953c18ed6752da8ec6a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7abcba3d8003e65c69cfbbe3dee403e
SHA1 f478781b41f7cdbdd0cefb17d91d0b89ec3e47fe
SHA256 d296ef09fa0938e16e7a5d29870c3b3be8a7454d649822f1457ea10e2e70ab34
SHA512 33e31839567279a36513d6acf46101a63d119ec980d199a528aa746bfd441d2afb6f2bbc61ecb97c2c9e24565f35c41c5b2cb242b52c18569092b3456f70c5b6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14eb9bf1fdfbbc3e49d7676f3e92c805
SHA1 e1b6555106c580842423683d4b43148cf8b9f228
SHA256 fd2b74e95cb9600832a3922153214377adedc2b298c275e334fd8af71545ab9d
SHA512 f38a8a4eefaa8b236da463dc0536ddfafc4746c2e6efabdd3f4960f61100fca1dabed3f04b733f88fd3bb8f3caf2aaccb45d364cbc3389942cfca446e9f2cc84

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3804f9a1f10bcbcb89fd36b9626a7be2
SHA1 9a7ecb8cb4876057eb2136c85b9729c4ae22a9a0
SHA256 78c9e49d306be3338d3264dc7348cecda2a1f615b499875bf1a136796a86fdda
SHA512 2e987793b1ba6cb11a98580660cfbd46dba76960eeed5a5f3d9be5c3fe179a8207448f1f6c7752fd5a545000eb9da976516bd754302e0e69a4789104782726d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2d18051f0467b7cd743e489d18cb778
SHA1 6f43eb1adbcfc806a054b82b1766fdc213e9dd10
SHA256 04bebe07b963b75531bba957debadb0575ccbce52b1f7d0e2f666c0bb27af3f9
SHA512 b50c4cd60c2b78dca20cd5e58a34f6d172eb37e599ed301594d7f3a7cde6375a6301e46d4af84cf3c39cd5597badf50acfac5bf92ef834f5d80c50bb1cbd8bb6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5525342486822cc09a128362f2f41e4c
SHA1 84d33ec73f2150a3dec9b01ac7c9b51c79133031
SHA256 425a6d8ba6c01845abf17357f97ff7894e59ddc8b5a78cd700f21f49f6e10bb6
SHA512 ecc0a71477d4526c38546aaea3b13d8f017ea60ce78422f418c07bd17ff8fe448981f2c40b49e48b523f77fede6949c82ceb11c57c1b9e5aab681ebb8671f396

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c853dede02e31fe243872eabfe7732f
SHA1 5af79f1d946bb09454b148795eacde6fc7a47a93
SHA256 9e15f6ff0a1bb3cfad97027f7c6ebe4eb99d7a763432533c27b81b6574ff83d7
SHA512 55d5a7140a0f2c5a02b348de3859a028f7bd2ea27e5e7563d4815aad2f1b0088a4bd95058e0aece81a89301d6650ac7d3b9d5d766defd12d2203135390586f03

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b482a886820030024e05b9a718127e5b
SHA1 9c0aec1acbcacf8ad04816059e9f261b33a7bacd
SHA256 9648f3852b4a9944bc16a69724966fb451099f6e1507b65d0a4786dfad878c99
SHA512 1fa4870d1da63123027ce3f0ec1d64c056da7e1a2827870a596254a37b8390c79bd4caf8ffa9d37b486720ec4832ef59b8632e0105e69f70c1ebeef7c69bff44

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea1c50f99c1ee3ed5dd8f0f7b8183d4b
SHA1 9cce273401da24dbea685c1c719aa4fb974f8ae7
SHA256 b0f7c5a34dd2ed5c9fbd56b590905bd4b8e1512f51d86eb03ba471256c83ff15
SHA512 c797a16257ac0efdf8000d80f35fd66d7e4b75d1c4006b4d68b78b0f77d740a61e1d0366511218fea0c0b134505475d2094ea367cf80e38f5d1844747919beb0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2127564631c6c6e2daac6df274bf15df
SHA1 40c9710c98e0ca9bc4be59f0354d8049d1245389
SHA256 3a4f2c0c6b654607acd1d05eb9a0cb1f7692dc69fea39cd35c413178fa362d8f
SHA512 8c0208fb5121ca98093acd919d7b7e442eacb1187f574df68499d763ee76353434bed4654b497e0015b20e34563147d5cf092ce20b6f891f42d97aad6af8a1d1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3e28d53dd984326d0709abcd2aebebb
SHA1 66bca500f154edd6b97313f469e2555811baf1df
SHA256 d6e7c68e6bad7b1c7daebfed6c573d0260c911a166d8e62ff014878a5d1b2b9b
SHA512 d4623bc6d820f0ce5aef3081ef646746af60b49c24e5077ec714dd76984b550d0d4deb5ff88b03b2bfb79e0d0898dc5a65eabdc643eeeedc5123f83b3c009ab6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 44b970f405aa77b3b78ad861648112b6
SHA1 16ee6b26afdb807246bd53b4cb62dd373ce539ec
SHA256 eddf2045216a4057d4da872aea42924f35145342960f7322394cb0c6c5cc4dce
SHA512 a47ac42daa69c559f17ef69c5e446adaee9caf12e998ac1feb7a7775d287d804a08721bb4e62f8f4ac9a16126a0abc13dfefaa737c3d5e3f61f509a59a22c922

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 210ea3c7c95db3c810d5736d85c503c5
SHA1 4b91e8e37bf3bb98f669103035d29c9869edbcd0
SHA256 6ff585357db8f3221860020b445bc19fb19bdf2090105a125ac7a98f087e99f2
SHA512 3955beec9d56571787f146d23f3f1663459ba788e245bd832e85dd89609be47a3511c56d76e7556b5735be190c14764193b085c8b47bb690fff151a404d0e1c1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25f074131d29e563dd387fc6033aa2b7
SHA1 69714a53fa1ec7f688deb276180aabb17d6a44c3
SHA256 3daba0f869f1a3c9e9ddeb2786fc1fe2a0b19ce20e792c8d7c19000e9d8f00e0
SHA512 d0d1410127dd40c4404b183c982763c85a39c6341b96aa36d3b08207a7c934a86df697e216cf26fb327cf1f27d9bff59dc0d20d22b54d4a61a2dcb44991c897e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3220c2456bd6fb19e93ec3fb3dd69803
SHA1 b1ee1c385715f858e042a99c6119f3adc6e05d8f
SHA256 fb8707d9ef913b45965ca72ad6ee551efc9257d5427fe0cb9f9f39381e2b83d5
SHA512 4a5e21dafdddf64312a953b8eb6d0b894e81cf3723c958756c6cf42d9faf00448021b23ebbdbff462c0305c37e3e9aa530c3df5cd0b7e1857ce19b9cae33fca9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aea89d53ee131637f6c200220721ba68
SHA1 a283aaf8736fe9e3fe9d04a3f0b2f1bfe6587792
SHA256 0bb01da8881fcd770a8c2f95cd1cdede636187dbd0a3544b54e5bf3b2d362cd1
SHA512 7858752359e5895c57d82002a0d3f1cc09bdbd7e8ef0b1365aa45c6974baa54bf930b22f2f124621d9a7c7d2a48d103bbacbd52d0f0b04c8acd7e26543302c07

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7bb150ff0d1889b423aaf2ca45cb1478
SHA1 30086d0884bd6ec1905ad0454a9b0bda866e7a63
SHA256 9f528a9d8b2cd41a2c201fac2931851b834c3d287dd8281fb7e8d173b7dd964e
SHA512 4348e34a942c3aba6903be70034f41d5c534f207dae78db51f542ae5418a40ab4e20b719f55a8b1ba15987e2e0f5ea12eb64ee7e760df369ef0f42b658e489c8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a881a411d67014c1df9d601b9eca56dd
SHA1 cdaaba1836877af0e6cb7be544d0c7e5ecd0e93b
SHA256 b44730c8c0f95124878523a2f972df90f8c872a8e40bf19c02bd38a7be9fb372
SHA512 a21739193c337890ff68e93311b39c0cba1000b3372e55d6a10e50274f096d525b3b2dd4977798501c1a51005735ac467d5efeb5b000a3013f380c3b48a6cf31

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61174b8c52739b81126a7f1d8aee366f
SHA1 0af1b5f011ce9fc77779549882028b88866848e3
SHA256 4b8e47070b02d9601d0656447febb5c03b935e0ac844dd687667e64ccb3f6644
SHA512 96c05dd9464e0ee8706193d0e952181260b868240c50967a3b2bf43cf4fbab16e52224877024de7f59318b97202d4d41ed61423f7f16760f41d3a0d01516bb9d

memory/3776-804-0x0000000006100000-0x0000000006457000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 10:00

Reported

2025-05-02 10:03

Platform

win10v2004-20250410-en

Max time kernel

129s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "፸\ueb9d妓ﺻ谥𤱸൸\ue299\ue37e亖ꮤ裀枅똨믬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "莥\U000abd63\uee3d겶䟤휬틲ꛧ믢퐰劑ꏊ뎶풨뚠탊ꐭ喊⑭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "菤ㆼ픕뢅鴙ꞧꯁ䎘╄뱌䊟ꙗ轌≗堺\U00049498" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "繼폼\u17fc࿚鬤嘸\U0010309e嫀֘欜驟\U00052159ꎭ濟둎킐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "⻄᮷䕤蟵궧履뗞箲鳦ᄔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "컶聑疆聝靫媨\uee25㾮鴬囨娐諠鸟ꡗ袵ृ盡瓙෮㨅\ue7ae" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "碌梒\uf85fḪ㽳私烃垅㞨墧5롛壇馭峤轐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "䛍᳠石鍈커齦眢瞨赧㊷銸\uf7acᅓ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\IsInstalled = "ꘌ▜\ue80d䌥봺\u1978\uaad0땓ⴅ꼐\uec63虪\uedbdͻ샕䦼쩛逰뢑喤馃⻤ꊈ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\IsInstalled = "퍊㓈糢駥숷\ufde5落鄂⩞\ue52bⳗ勶䚌ԧ놦𫮟꠰刯\uee2a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "䏷穼\ueef3\ue701暘臉罹옋툦䵀뗖鵌ꁯ佺姳㓥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "朅둺鴶궽퍎酥⋨췁ㆃ\U000dae73ꔋ\u0e3d떻炊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "鏧\U00015e91̛쿄\uedaa\ue10c\ue0f1撧⽔剌㼨皒炾\U00036530杴䷡ඛ揜럹Ⱬ\uf78aꟲ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "⏩澪㖈釬層䀴讵▔〣迭㯮㵟ᕔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "玝\uf812\uf3bc\U00016ff2ﭣ먪侄킝Ԓ僘婖̒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "ﯨ\ue13d遙証㉤鳮爌韔퇖㶸靍偣뜡픈宪뻀刼\uf6cd\ue00f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "﮹矰\ue3a7㒀틀通㞿갉ꌃ᱅冀氵ۧ臟\uf8d6\ue8c0\ueacfΆ⸖㔀᠋숮嗜촔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "冀騬\ue43a\u0bbb犏麦\ue7c0ͽﯯ봂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Version = "㛽댖䁽鲦\ue491\uab6e餘⼕飞᧞藉漤䔻픪姝\ue4c1栫䠵펯䉙춻\u0e6e⪙ⶔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "㏱臦웿\u0c5e큶\U00055ff4呔\U00067116ꢅ꧟鷿淰▔䱚㭅釔鐲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ComponentID = "⼋瀽酠ﲆ珻颫쐖\uf0e0袲뫄Ꝗ\u1ccb뛜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "鞔룖\ue7b5\ue71e몊냿瑪쨹⋻\ue6d7෩钁덑ꢕ㠤\uf80d\ue8c3\uf656문" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "\uea1e椌ᆚᗇㄲ걥캑罽싖\ue116\ue308﵎嘗ⵍ裄矏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "\u0ef3놼盋⑀\uef9d荹ᘿ⒀뇀瞾㧹鋝嶥狔ꎆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "䨣偦ȣ䒣☥麈䋨ꇗ\uf89a䈘靶毀鈡Ⴋ썔㒉懛뭶→㍖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "㭲\u0b53㓱뷡\U00061c41췣釰牗ᨶ냘瓟Ը䒨镞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "緣냵㛕渡墰侈ꚺ폻枌踐̓ర鯁㽘㡖ﯥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "쐞륤귃ݣ甅廜荁팊\ue62b\ueba9\ue178聎䳦罜\uf511\ue88c⬂큂옝댅㑸놛༩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "\uef64そ伭軯锒칗곉痾绁訖靈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "邘쵯褫颿駱屋䚤\ued9e\uf325칩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "\uf0a1죿깋Ẕᵦ匤⦘觋ꎷ淆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale = "\ue26f廊┓髏喡鱄짰聄릍늦鱤ﱠ\uf8b1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\IsInstalled = "驄铰嬟캌䶑쥳훠鷧톍䚔ⳅ\ufadaℚ腤늶엨⡪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "㏿끔䡯穱羀孋ཹꁷ\uee26柶㵔䶱\ued15" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "\ue173ប翫敦酷\u1a8cᇱ䓔筽⯦렸琝壺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ = "湿ꇺ扄熳뾆\u175d啶䔯흛䌺陎\uf325ඌ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Locale = "ꛫ迼쌏搬⁺∄짔\U00083b3eⳗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "榹魈䌋鵅洣摂酿餳濠੍ٹ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "时\ue41f艏耺ꄕᛟ雂\ue3fe䯢쿮鷚벋늋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "\u245f\uef5fẈ⊲쒁㿇ț爴䴆䈽딬醳㺩퇶麝\U00052517" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "料盹ࣇ敺⇰\u1b4f褨屬닐猙궛覑鱤ᎥἌ鋿䃰薭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\IsInstalled = "\uef64猛\uab08﨑䊑\ueba4\ue8c5倵Ἶ㤭ṓ湈묁잘ꭚ䤷ꬆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\Version = "讉ュ뀴\ue300톶䆕㌅㫲呾쨜뀘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "㙑\U0005c2fcﹰ\ua87b━営鞎걕ꛒ㕘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\Locale = "╱ー⡵ᡠ䫤\u0893\uf69c챾\uf7b7\uf4f9扫ꭔ룹ꈕ訾\ua7e0\ueaea騃῝\ue85d" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "䦏\ue1d1鼷졲摋䵮・䱜榭摚㿋⍴\ue382퐍抎킁銛ﬞ雒ࡹ厨렷趵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ComponentID = "ථ⧛蛦៸褟ꉧ夾뵦풆뒧쩊⻃숺幫爮ৠ깩鄜숍逎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "ﭛ舙lR뤚외鼇隩㐲皿\uf1d0鯁∹㎟뢊큂㚁⨋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\DontAsk = "辶\uee7c駘鏿\ue97b无䗢揳휩县㞗⋇\U000379aa\u20c8푿\ue42d蕜檀荫ꘕ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\IsInstalled = "龟鍘읚揦沥ྰ≗\U000bc067卐磎ᒫ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\DontAsk = "㝋⥓脮ǭ\u128e티甆몛ᚲ앖\uecea箙턶傞憳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "⁌ꩵ\ue136Ꮟᱵ黓磭憆숃\uee09彺鵜盥ቁ州\ueda4掤䁹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "坁\U000b9ef4䉾啯栋㪜㌢沭뢟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "ꎵ䞊㕸킱卡ꐫ滑䋡矨ﭮвꡭ⊥\uf469ᑑ\uf350佄\uf5b7㠘\ue506䱳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\ComponentID = "뗀ۊ仺Ɩ똕\U000efccf冔왜폾\U0001c3e9恈ẻ㷭㟈跕쯓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "쟛㵝ᇪꝸﳚ\u177c篙ୁṑ\U000d4082\uee4a㯊君擄⚪웪F\ue768\uf0eaꗶ\u124f햙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "룿픑ﳺ뽁椌\U000911a0䵍鐃x邁ω묱꼬暸螁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "ꩂꕐ\ue0f4爻\ued2d쉖㘴𝄑꽾贠ᶝෂ專꜉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "䶕궷㼃먀ᨀ峡俀龝誾飡\uf646" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "榔琢룸\uec46ꭉ䃏낉쒿\uf629䳙阨㆑௲⩫ᴌ걕軫\uecbc鐹쎁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "嬥帊뗜\uf5bb뼡⢧䎧\U00053577턘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\IsInstalled = "숀\u0c3a譖先\U0008992bꍂ믤田鯨⮰瀾▃\ue029冾₫鱓駋겎\uebb2쫽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "뒆朋햯ヰ\uece8∙㳍羅焷糙爚ᥙ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "。븛퍘ꃙ緅㟴閸裵檨\U000e518b쇣\ued4b垇䦡⾘珲T" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = "쇙␦굉晿䑁뇕ꈬ၁「꧈죰\ueb41얡ඥ扝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Version = "\uf046\uf2bc玉䍮瑉牘껐묄滵\ue274◿唬㭜雼槧킜\uee9aṍ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\SysWOW64\drivers\hostsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
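The three signatures above (the Explorer visibility values, the Active Setup component records, and the hostsvc.exe write in the drivers directory) all touch locations that exist on a clean Windows 10, which is what makes them usable as host indicators. HideFileExt and ShowSuperHidden are REG_DWORD values, yet the report records them being set as strings ("Set value (str)") of non-ASCII characters; the same is true of IsInstalled, Version and StubPath under Active Setup, where at least some of the GUIDs (for example {6BF52A52-394A-11d3-B153-00C04F79FAA6} and >{22d6f312-b0f6-11d0-94ab-0080c74c7e95}, the Windows Media Player entries) are stock component records being overwritten rather than new keys. StubPath is the command Active Setup runs at user logon, so its contents matter regardless of what the sample intended. The WOW6432Node paths and the SysWOW64\drivers drop point are consistent with a 32-bit process whose registry and System32 writes were redirected by WOW64, and an .exe in a drivers directory is itself unusual (that directory holds .sys files). The triage script below is an added example, not part of the sandbox report and not the sample's code; it assumes an elevated PowerShell session on the suspect host, looks for the wrong value kind or non-ASCII content at these paths instead of any specific value, and only reports.

```powershell
# Added host-triage script (not part of the sandbox report, not the sample's code).
# Checks the three indicator locations for anomalies that survive the garbage
# content: wrong registry value kinds, non-ASCII strings, and executables in the
# drivers directories. Assumes an elevated session on the suspect host.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Area, [string]$Where, [string]$Problem) {
    $findings.Add([pscustomobject]@{ Area = $Area; Where = $Where; Problem = $Problem })
}

# Expected value kinds on a clean Windows 10 (assumption: stock defaults).
$explorerKinds    = @{ HideFileExt = 'DWord'; ShowSuperHidden = 'DWord' }
$activeSetupKinds = @{ IsInstalled = 'DWord'; DontAsk = 'DWord'; Version = 'String';
                       ComponentID = 'String'; Locale = 'String'; KeyFileName = 'String' }

function Test-ValueKinds([string]$Area, [Microsoft.Win32.RegistryKey]$Key, [hashtable]$Expected) {
    $names = $Key.GetValueNames()
    foreach ($name in $Expected.Keys) {
        if ($names -notcontains $name) { continue }
        $kind = "$($Key.GetValueKind($name))"
        if ($kind -ne $Expected[$name]) {
            Add-Finding $Area "$($Key.Name)\$name" "kind $kind, expected $($Expected[$name])"
        } elseif ($kind -eq 'String' -and ([string]$Key.GetValue($name)) -match '[^\x20-\x7E]') {
            Add-Finding $Area "$($Key.Name)\$name" 'non-ASCII string content'
        }
    }
}

# Loaded user hives; the report's S-1-5-21-...-1000 hive is one of these on the sandbox.
$userSids = Get-ChildItem Registry::HKEY_USERS |
            Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
            ForEach-Object PSChildName

# 1. Explorer\Advanced visibility settings, per user.
foreach ($sid in $userSids) {
    $p = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    if (Test-Path $p) { Test-ValueKinds 'Explorer' (Get-Item $p) $explorerKinds }
}

# 2. Active Setup components: HKLM in both registry views, plus the per-user copies.
$asRoots = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') +
           @($userSids | ForEach-Object { "Registry::HKEY_USERS\$_\SOFTWARE\Microsoft\Active Setup\Installed Components" })
foreach ($root in $asRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($comp in Get-ChildItem $root) {
        Test-ValueKinds 'ActiveSetup' $comp $activeSetupKinds
        if ($comp.GetValueNames() -contains 'StubPath') {
            # StubPath is the logon-time command; REG_SZ or REG_EXPAND_SZ with ASCII content on a clean host.
            $kind = "$($comp.GetValueKind('StubPath'))"
            $stub = [string]$comp.GetValue('StubPath')
            if ($kind -notin 'String', 'ExpandString') {
                Add-Finding 'ActiveSetup' "$($comp.Name)\StubPath" "kind $kind"
            } elseif ($stub -match '[^\x20-\x7E]') {
                Add-Finding 'ActiveSetup' "$($comp.Name)\StubPath" "non-ASCII command: $stub"
            }
        }
    }
}

# 3. Executables in the drivers directories (the report writes hostsvc.exe to SysWOW64\drivers).
foreach ($dir in "$env:SystemRoot\System32\drivers", "$env:SystemRoot\SysWOW64\drivers") {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | Where-Object { $_.Extension -in '.exe', '.dll' } | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'Drivers' $_.FullName "signature $($sig.Status), sha256 $hash"
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The script deliberately reports rather than fixes: restoring HideFileExt and ShowSuperHidden to DWORDs is trivial, but an Active Setup record with a non-ASCII StubPath, or any file it lists under drivers, should be preserved for analysis first. Per-user Active Setup keys only appear for hives that are currently loaded, so run it once per interactive user or load the NTUSER.DAT hives of other accounts before running it.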

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "趔雾ࢼ䷢甼镆꼮ꤛﳂ⢍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "슠吡䖼㰂ꠌ\uf221ⷰ췭仠ꊘ︃\uf3f9釈苅텠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "妘螛핿\u2ef8쀜錶ጙ㡉⦓㖶촰蓘䠐缒ﳞ美獠⤅纷籔\U0009029c" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "쩀䁋ꠓޝ縞\uf822틭=奠ⳅ쇀鏥绋\uf7c2\uea88輵褎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "\uf73d\uf10a椯榿ᰄ\uf8a6停牙䌡ય뇖丫Ⱀ\ue21b\ued9f梈훏ᣡꠟ۪粅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\uead0Фꁻ澱\uf8ac⇊沥뙯弭껨簾셂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "쑠\u0fe1Ⱄ\u2067\ue310앷\uf4c4綟ᅴ벲ᴢ\U000a47ab\uf503\ueb85ϣ䯑銍糁逌帖㚤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "톖턙䟲\uea4b᭖蕃䘏텮滷ⳌΞꨃ뎋\ue2a3绱喜봔㡉礔櫶鿄\ue260" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "ݷґ歄ඛ箞솢ǽ\ueca1嗊෬睼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "\uf56b㛞옑漤\ueedf궣Ⱪ㑮잗濧᛫\uf5bfɁ殿\u09de婫ϳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "餄\u19af煗볽\ue0b6싙䝅擅㺛ᝆ\u0ef2䞼ア醂䟮崞忀\ue3fe䷚\U000ed3cf윴樱쐢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "\uf161Ỹ鶵뻸왟턚ᴌ恲遬蓔婣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "酻㎈휄웮거ퟻ葕履ㇳ⅓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "읕㔀\u242a𗋠徫ᑙꅀ\U0010d80e덉폡꒵ᭅ\u1aae䴊㡡㕯꾈\uf2ee쯅⃒䭄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16\Dll = "齉엉豑⾎䨰⾓䍂\U00072935桲햂뿨倜⧂㲟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "듔襦ꆁ봼䳆\ue27a븰瘩\uf468帻縯ỵ崶㵃恳㻬睳ྵ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "등\u0e7a价\uf484烮\U000b023a\U000dee54\ue279ⓘ\ue730𪿸튆䛮\u008f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules\DEFAULT\Dll = "\uf380\uf75c\uec49㹕긏\ue14c䝮䖼銴욥ᇝଢﰏ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "ᛪ곈\U0008d783箢㑗꣪㒅ફ涐ᆬ枡㼤\uf456ೄ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "䍅\uf00f椠﹫族\U00049d2aઃ仐ᢆ릫黖\u2433쭿\uf6c0騨厝瞴ঊ휥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2\FuncName = "ĕ먒킽⅌䦟\ufb0dΓ㱖\ue9a4㝼ﴜཾㅌ騛幞퀟텽죝૭ੇ组蓮퓦◊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "匰ꐤ넻솂玬\ue9c0➯娋込\U00033d8d鴔⃘ယ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "〥ཞ앣姖듼ꗮ\uf026鐱\uf43b㷮词鷦蔸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "宪ハ溈냬ቌ瞿棗ꆴ˚옹瞫틾跕韥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "\uec37쀵纛ࠔ킡퉺ൿ㓲㾟듵店ಇ掯爀믌ꓴ燑簜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "ﳛꌁ튝ζ웴桀웍欄匿럘㳸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "퀁韥놊\u1cbcルৄ鄑닮ꁸ涓엢꺌뉛︂뭏鵙欍㗀\ue4ddⅶ\ue2e5⽌염讪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "藽ቘ齟ⷄ쏔㵃\U0001b7d9휖ᙜ뭝촌\uefd9\uf3b1\U00043da3" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "ꇫ\ueeb3㴾㌂㟃醦\ue944⤯\uf615㘡\ua62c虒뾓㠍湨ꕔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "㡺걕她ⱶ\uea65떗涃㖲謌㱋㴤\uf400鏌Ū\ue09c\uf8b9ⱟ쳞劮碼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "ᘒ餍簎ൌ憇멹뼲鵊짥ᣵ䶳ᬱ᫁\U0007ed99뚻챱弶剝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "㵔\U0001e381黫\uaad0鹏\ue1eb簷뀵戺㿗忎䮦㢇ξᨿ經\U0005db4e\ue167맧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "\ueae5視֧쨜㡚ࠄ헃십ܡ拊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "ࣲ㡎黚\ue306웵쳌\ufff1\ue6a2\uf5ab쀗軾뵬綐\ue97e瀱ሚ녚鰚Ŝ䀬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "䁕ಠগ鹫Ẁ幜䁔拺鮢琄罎膴ෳᏳ藈ອ࢞౮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "궤덽ሊ뙵蔿㱒馛ͬ\uf71c栰㘵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "갅ᒙ榇畘䤢ℙ虾쎅ᣘ鄓徑璱ח휰沊媭ꚡ丶쬤痆쬃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "壻佼땏ﭑ\ue84b\U00074b7d\u0df7ች螺ﺎ⊖熰쯶ꊆ쫵䰇恌ⳅ럧䳝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "蚯\u09d2눬愄蕭藇ڍ\ue72d챣᱑ꐈ⭲뤾湫缢赨蒌䱢蘨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "䬜えꨶ큝น冥뱧趻മ\uf227ⶖ鉷兰\u0dc7㌑횘\uef39湗妘ໃ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMd5ThirdPartySha256Allow = "䁛珫\ue11a竿\U000da057ꆆ㶛\ue70b屃鍃먱惶煄\U000bc80e쓫쥪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "瓓銙갫\U000488b2͵ꈓ搆\u12c7㐨眀꾲볟\ue8b4ຨ镾\ueba0\U000d9777꺔﹟Έ응⟌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "𧷛⹃챢ᑠ톳்塈骦鐧\u0e64\ue365\U0010f5b0Ԅ\U0010ebf6䂗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "걇텂븈พ謕\uf009⦛\U000498df蟤\ued6c녑θ갹轓\ueae5跀β\ue95e횯쏡ఄ㳙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "糰㲅昩\U00085caa蓿脘⺦眔䌈葫\U000c2e1a㪧颸ৎ먹\U000c3eb6膗ጿ唚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap\Dll = "讻খ쿖岸餇┃⮪뻞៝촾⹃匕\uf7f1뺜쎰ᄶ肗垏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "ꁠⶸ焚露\ueecd랡︳䅯ฒଚᯩ\uf70aẠ\ue5c5∸\uecec" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "\ufff7鈜㯗\uee75䶠\U000ee731\ueeb2\u18fd习≃漭绂閺篿粽텴倷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "瞧Ὦ䰒꩑摄蟡蟕㤉짮씥ꚟ宬Ԝ\uf795㣬쳗輗⸀ꃘⴔ鼶\U000ee89f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "ꆡጅ앰䤂푧\ue690ᇚ\uea7c䕆\uf658ꮐ髯俍鞽汻們簖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\FuncName = "묜\U00012e15䛴\U000d922eᾖㄆ섄挭傛宦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\Dll = "绪옎疌꣖⚓ꊸ㴣\uf00e㺏芽澣즎慒䬹稸៣\ue325ꈬ\uf670䃙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "㋥䠘呐𪠙崜ꏮӛỿ悂騹쟧\u1c4c䦁樄뇨ㄚꗨ課Ᾱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "ɍ挆뱯䂦酪᧩\uef18趕얧\uf8b9ດ酠啝꾮簬\ued40㶔元\u1257뙾囡᪈ᖇ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "볊撳ᰤ㷛餯舼蝣耻綧ᴇ蝭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "\ue5f5鵭Ⳗ쟮ꙛἚ瑿튚酪𭴱旳͏뫕묅ᛎ︿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "杲휣៳鋋४嘠\u1311婤䛇զ䌯걸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "绮ᦍ境㘎㬢㺅黗䰿빴誑\U000eb0af斉ᡚ쓍ꂖ鐋揭躲䔤璖젳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F}\FuncName = "þᩋ뼀찶᧲Ꙝ驢曽\uf695ᵌ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "潼ㅩ≰⨼⩴鷛雋躙\uf42f膝⺙犉㌮掖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1\Dll = "㼜햀쇿ౝ㑻퓣Dž鏬캪⎇㘡騼\U0007c023" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "⧋䭊癿民륾\uea1b\U000e72e1녎㿛閵鐭킠◁봒㧈嗎禺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "섗㎐㏍྇ᇝ싸䦴ᑨﱅ㧘說羓쌰硏茂믳捽\U000c9d1d鳝廲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "맟刡袕台轥\ue261\ue8df沋鐺焹힚毮\ue2c4ௐ䍛涉熨\uebb8\U00060adb䪈ᛸ蚳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "뷺싍ꛅ騐甜爚颓軚ை偤ⴒ⒄\u0bd5﹣\U00062770爹頢ꅢ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "ㄸ詜\ue116̛띦左쟷ᐗᰣ䅢㜠졮\uf3d2\u13f6⓫\ua7e6袾䷡\uebcf" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks computer location settings

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation = "ᬢ原ꂩǿ얉\ufae4\u2e6c굥찆說枫幨ꖋ╡紀跮쳽ūཤ\U0005fbcf篁≪\uf328" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "\U0004010cѧ\ue60b틦ྎ넦\uefaa\U0004ac68\uf07a宓뇖鉹衫픵ꇽ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "ೞ㗏凹詜ᇁ婎\ueae7暀媙㭰ቺᏒ鬑锫㽢Ἑ㙩殗떬൷⁘ཥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "濨\uefa3洜몈\ue57d\uf4df꤀헼㈰충" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "띄ꕣ㎼䒑妪㯔ㅕ갾왦㮸焧ݫ桘ꖮ矦颗袦숵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "ꎰȶ紗玼㌖㌞䂨륨㳺볬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "梠\ue9a4糧\ue052\uf66cϼ\ue1e6ñ҄ᙡ듾\uf4be䤚ຮ\uf295䪁Һ䇉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "魏䁒㖽껵Ź᭡ྶ韀䑴剎₇벙ꝡ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "솽픽쟁粟봯\U00088d3e蔀牢࿐⑺촛驕抒㔔边콋㽋䆳\ue28a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "勣➙洨⟴\ue98f䆚ꓱ辔尪⫿\uea76" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "縯蝑荜⊭\u1979诶ʠᯮ揽篾ﻅʸ讕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "䗉犟䕉倗즪\ue222躄ⵀ빪乱ヴ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "\uefcc臣쏝ᯭ\u0df8飰㓽\uea75⊥ꖤ霏莿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "쯷线퓦곊앟샑쮃慑ᡂ㦇⇣ꕻ\ue9fe硫\U000fc655졅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "\uec40誉婧੮ꏑ鱜㼊㯚㕷ᾱ눇\uf6c4臘簵氡㽪\uf2c8\uaa5a䜹ﮪ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "ㆄ\ue756渭귷汛ࣤ\ued65悫\ue65b豊勤譶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "쉏㖫ﳱꜲ燝砕쓼ڴⵠ\uee12⩮,\uf41cﻒ諝\uf0e2Ȕ粤헷Ⴢﻃ醑\uec65" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "롄俳ආ禇\uf687杄\ue243톦䷝\U0005aa90戠볏\U000da79cব笪壅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "쒣妿哲珘㰎鬭뺧\ue29a\uf8f5䘹ᐁ틓댁\ua9ff뿏Ⰱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "꩷쯋䬮ᑳ始絥엕贵旫Ҽ䤈\ue98d焻⃝⋦䨿嚸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "腠쥲\uf54bⲸ\ued7a伳틸厜\u1cfd愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "볏躤䃡怙\ue791䀎ꭡ췬쾜妞졨芼繊䐟՞車畟\U000d5727컡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "杣ᆣ䆡欥迩呞撫Ꮉ竣㳘핟坻ꡏ\U000d0e0c𗿒\uecb8鴽ⷹ\U00039583䮿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\ue4f2ˏ椯똊\u1cff詿⣊㐫寛뽭\ue11b䲉ノ⫲앒ﯟ㨚닶⁅ҽ䝾ꢮ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "浂웄ⓩ\U0005ddd6\u0ba7䢼\ue033潤簋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\msmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\svcboot.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallPaper = "\ue05b請\ue76b\uf387\uec1f炬♃\ue20d㜘쌪찆ᝊ\uf085" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\Connection Wizard\server.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\thorium.ico.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\syswin.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Windows NT\logsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\svcagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\svcbackup.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\configtool.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\svchostcache.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\Network\netserv.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\hostagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\INF\driversvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\bootcfg.dat C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\winoptimize.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\taskfilter.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\INF\infhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "\ud7aaꗏ䟸\uf3d8䛃턚朖⛜쭽𤲷邭⢰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "쮹饍甃뗞湏讼ಒ퇶譸썠尭\u200b꺍狽\u2e71許\u0ba1뀅뿕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "뵿\uf7bbᇧŎ\uf3e4ᨚ䩜㵑\uec39棒笤\uf790쀔ⵙ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "༤샀\uf85f᧽퇣鐕沆ᡄ쯏Ⲝ蘨헓槒㶟奔㌍蒇舿靶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "ᑑ傗ꚿᦈ袤떔鈼釷蛾搑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "혍⎨괞ค뼺䷨⏻圩㣲\U0007a31e嬸嬟\uab1d峸杖얳\ue9bdࣦ띩僓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "湹뇟ꋲ৻᥉₍Ƃኳ궑跲꘢䌙솯፴엌拮둚쎩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "\ue525⃔妭궇찱啈핃䍣삦䠼돧\ue629吡䃮ᤅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "ꘀ淸຺꪿䖳ⰾ좩Փ뀙\ued3e驯憱ꟲ쬅京ᡣ俀寜쮬脣뎏℀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "韄ꦘ눫샇\ue4ec禍ᤗ섟ꛛ塳쁫\uf056㿺ᥱʳᅧ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "\ue275쏢㍩腦溸囨깵謹殻𩆹턯⻠㻧Ὅ\ueb48ꄡ㍇訐᧸웚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "ၑ⎂ᓸ啓\uf4afꀄ\ue629惟誢\ue5f8ᕶ땾褭랂\ue2e2嬎ƃᓛ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "꺈랁ᑐ擰脍ᔑ䗒듶究澮ⰹ\uee45㊭ఆ驔ሟ瞾㠖ꄛ늭禱಼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "ꏗ\uf59a醟\uf0d8雎번쀒♯샤땨蛫曊䔃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "팥朹\ue137糢뽙ꕻ챋⨣缶삞襒⺳쳌縘篏뙍蚘ﳶ뢻꙼㖜婇䘮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "⋸ꂷ䬢竬禘앟觼ᶎ鴏仮뭤\U000dadca骰ຢ炁쮨摠䧭〹迣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = "玥\ue3b0\U00067018\uee72\u0bdc\ue1ba뒳텈\u0b84ꞅ𥱒ꖤ廔꼿\U000a0df6ᅲ︮\uf5f2" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = "针土㞶\ue71aᯓ这\U000cacfb\uf558傺ሂᨑ穟馮䧜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "\U000850c4祜䔓ퟚ\ue9a8㯏쐈㊶歆萶떌躎\u2d2a䲗}豎\ue456蜙脒퉈˘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\ = "ﻻ뇨鴪К坧樭퐽擓嵔倥限\uf7d9眑מּᒙ죺彏ᣖ줃癌\ue223" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "權\ue6a9窬꜔樲ꞯ\ue380\uf4f3䐑︗뛴줹\uf106Ӄ狐\u1fb5⬰엞⧻ꑱ⚙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = "ਞᮑﲘﶀ䚼쫴㡅먩⯑⺗躡⢨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information = "ᾲ\ue025ᢡ\ueead\uf233圬\uec19\u074b啉\U0009f9a6ﳬ⦣瑚⢌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "焛社䡉ሆ\uf801⏰ꮛꠟ箩濗鍡橏ࢀ肊\u2e65슰ᰪ쟎⺐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "튝㓜炔\U00012971㡛뼘\U000c01fc靬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "佽샛踘ⰸ\uf73cꏗﲑṎᰜ湯鱄⑵啔탧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "쑘䇵䗏셖⢫桻\uaaff撃ڽ⥧杵韄\u0d84ᦁ鵨旟쾸鴢\uf1d7匍ᴩ泤戮즂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = "蝜뉎⊣㚹\ue47f勘㆐\ue94d渋筲훯\ue93fﭺ쿺ϑ\ue71f\uea9e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "ᗹ覱磗ὦ뜵惕ၴ瓞衡ꡑ駾餖ᮯ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "\u0a31퓐灠됣尛\ud7aa㦤\uf72e횿쨎䟖咔릯ዴ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "谵谌㼟셓峩埔ෙ팲ﰬﺓ\ued4f넱ڭ\ue3b3鏕ᠢ륣瘼ᆲ嬪癒┙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "퓷춑鬋\U00083327餠쀺潦\ue7e5\uf330\uf2f5賛뫞૨䇟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "α㴦❻\uf8b1봧숦瞬㩔緁덫ⳏↇ㦍繿緦寓쒭╭Ҕす\ueccd" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information = "\uaad0ꁅ᫇㚐凥ₚ彔क़⁶⊀뿡\ue444ྲྀ鿴혻獭ꯪ룻ﻀ匈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ꘖ曍⍐돱▥뛪銧턭羭福穜\u1c4b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "櫖\u0ad3\uab27\uf1ea၆榅\uf4f5师䧁僼炐\uf85f㘗㊽幅脯ퟚ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile = "𗒂춠糢输疷䩇ﲲꤔ젒ѳሳ䨋년㩊Ꟁšꥋ됤\ueca6\ue0be⚐콖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "赝鹚紦滩냿᪰쇈襊쌣\uf24d﹁⸨֨⒔ả塆ᒅ宩죓꺌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "藀♴륥镴⨃כ\uf5f8嬀吲\ue64e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "䫜흋\uf796⭂謾蜻ᣘえ璙쥟ᰩ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "㧤剟੯௯캙ຖ䈑↺쇤铍罦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information = "짦슟扭蘣㋪ꦪ䠩꼓鮅볬羐䙸`딱脘뛜ᛄ㕤\uf08c㥺ᙱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\ButtonText = "䌑稍堪艷]ħា\u0ef8引꽥Ӊᑲꠠ뇧䊙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\ForegroundLockTimeout = "㏣휅擔쮩릞\ue781읥흇㩉阎砉顗ⲣ⟏䵿艿鹉\ue534돑\uee82" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sLanguage = "뻬甍ॅ뙌锠\ue5eaﴗ\uf040猷訕꽴\uf2a6堓薁딝࠹\ueaa3됛窏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sLongDate = "춴흹辖뛁绗黴葙淋骛爗輸뵃ቃ蘡\U0009253bᄞከ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sMonDecimalSep = "뎄끑ᘉ宊㫸ɷ䁰橽狨\u0a0cﰰ뺦\uf121⤋濼凜\ue91d둅⛑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sNativeDigits = "묞쩓幜絙㔉免擥ꍟ\u0fddᴿఴ倏\uea49跩᭟働嶏\uf1d2㖫꽞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\iCurrency = "奢ꀿሑ⫹奯뾎놎鞚\ue14c싘觗众웹Þ忲⊬\uec1b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "谢\ued4a摭鐖ྞ烙೦妰䝵⸦㊁诼퇻窝啛쵸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Appearance\Current = "\uf268╱斋岹놄㚈붗⨌핕쪈釉萞壽\U000afd05웷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\InfoText = "鏿銅ો兖埙艏맾쫺ꀱ摨驃\U000f2c34⨘\u1ae0" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\UpArrow = "覫猨䍂㜣凹緛蚼젎㽇↧뷘砺\u05fd뇄₭傯⠳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\FontSmoothingGamma = "侭Ḱ\u1f46ó臭獫ﰶᑤی懿ᵚ軳섈栀ﮔ\uedb8\uf65b镇Ƌመ㡾纰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Keyboard\InitialKeyboardIndicators = "廅灢쒸ᑦ庪ꔜ⊘。훛긽킴걨浻矵ഁᢕԤ硫㧘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Keyboard\KeyboardDelay = "\uf65d3ꊲ䑉籈㤦频ᒟ嗶◨\uf8bf\uef2a䅜쁋須ಸ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\SizeNS = "髨ঘ\ue7d4\uead8溓ⶶ䝀윍笄\uf401¼⇊惶賗\ue748﹂⃢╱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ActiveBorder = "趯衋褪ꍅ薴켶뱠\uf5dc阯ᄞƌ㤑뢾\U00035030ἥ鞡䵒ᱲ䍢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ButtonShadow = "ⷔ㰢篡뢟⋏얄\ue62a㻘廬\ue0c5땈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\CaretWidth = "\ue3e1똼尊兟\U000c3236䁩섲\U000de999擵悑珃栘\uea85\ueee5\uefcf㏓裋力ᛤ䏡餇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\MenuText = "ꡂ檲鐱炳滏\u086d믌⦴ꥡ틌\U0008bbca\U000c8ad3鱮꿮揧슸ᔺ兕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\WindowText = "\U00092300ጼ熷៓\uee65ᓜ坩믴ͯ桎홸ͤᡸ鮹ᖥ☷ᴩꨀ⋓廖饟\u2fec" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "펨㤋\U000dae35ホႊ翇짱\uedd7\uf528\ueefa멻♲樀幺홇䵑㿫䕗懈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sTimeFormat = "쾂頿튌Ϲ㤓࠺魚狚炩瑩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\InactiveBorder = "ೕ养쯀⡐⎦씫\U000a97af䭵\uf73a泲⳹ᶵ\uf55fꪇ\uf8c4쵈죕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\DoubleClickWidth = "\ue6d1杆沓捛Ꚉ踕ﺗ\ue8aaਘ쭼\uf8fb熉ꢷ彟ퟆᡙ肨왦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\PowerPolicies\0\Description = "\ue6e5\ue126\ue5ee䩖첖緲얽ꆍ釢쌈⑴呿付孱袕腤簄簂犇昔櫈\ue5bd輾哯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = "乆ꅥ뺪晴⽐纄\u0efcᚐᙇꢰᣗ睵̌㻢ᐪ꽝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "撁꩞꤁实選ة矜梊胝쏬频푸⟅ᖹ뢓굟\ufaf4\ueb7e㴛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\Hilight = "볕빗㛚ᡊ䶰뺯䳐둋훃헧\ue058堤䠜덮빡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallpaperStyle = "厉말…ﳢ뷀ⷭ澒醔쥅쵰∾윕⨢鑖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WheelScrollLines = "微\u2d29밄\uffe7谪慖⁝\uecc4Ꟗ\ue5c1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\LastUpdated = "ᓂ䷆㣑笵뎧△ꃈᅂⴀ覩럔磹\U00105a72䢖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ButtonLight = "瞕㢊햦䢯졬\U0009914b播\ue5e3棙韊㷞迨ቇ筅飝ڽὤᥦ\ue220宝昱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\InfoText = "ꍸ횋虉⣎猖\ued99臉돣纘\uf8fb㢓搉Ꞟꄤ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\CursorBaseSize = "\uea72묄㗒ꩼ飶\uea18ᬋ홗閐獝甀廙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\DragFromMaximize = "恣ꦟ虦㷻굎潠搶\uf101꽮㾘\ue767讱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\StatusFont = "\uee2b裪ڭㇹᰜ샹ꑻ푞逧髯\uf773틽줿䱣̀辨쏈\U000afee5瀠狯ᇬ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sGrouping = "㪏邢쌦꩝襑\U000e342c\ue050Ż্耺\U000aaa4d㭘糜\uf1ac" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "鉟脷鵊⋇樸禒ᗃ䟞礃銁푕䣃蔅弓ꔮ胟ꆬ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\SmoothMouseYCurve = "얎䫦⽰ຉ断ࣟ髱盉鲡寷ꃈ蒳㗈┓\ue8b9⟷둩澶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\ActiveTitle = "\uea52\uf1b8\U000b01fa朅ᐮᕋ焘Ⱓラ瑚⁄◜쟻蛦㺽집\U0010c0ae鰏ᒫ辎Ԯ劳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = "㙉胴⯊䟃枃卍倹닃彚\uf078\uf3da梖嚢য়콺ጋỢ萶ᳺ\U0010c475荋\uee94︡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\CaptionWidth = "\ue105퀰ꐖ慠䄃\uf857ꔇ㎱᪳\ueaf8㡹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\ScrollWidth = "줪ᛸ䛥䶘Ꜵ\ue5cc岅쯝K\uf45eꝙ\ua8c6⫺ø뱗\u08e2囀ႋ✵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile\ShowTextPrediction = "凓\U0007e99a癎偂\ue218鏠\U000b8891ඵ㋰뜎曗\ue8c0" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\Beep = "\ua87dܘ\ue9ca逩输⤝槐\uea3c蝷귇㋈烡醓⑭匟瓡褎뢸⚨ⴶ\U000c6788ꁽ鶉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000072\Virtual Key = "菅ꫨ\U000f829c\uefd5贫\uf603朲꾨譭٢諐း餵祼垫牾㻌剛휏\ue8a8蛮놕礧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000104\Virtual Key = "ׅ김烏ꭑᑖ∱\uab6c\U000d222c譌纍ᛛ昤䃼潪붿\u0590" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile\ShowAutoCorrection = "萜흇ڰ趾𢶫\ue4d9枴➲㩧霽鄸형➦烤悚岼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\CurrentPowerPolicy = "킔誐\u2d7dຍ嘫𢕗㥉\uf194᎓\U00084d0d廒錾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\MinimumHitRadius = "壄僇玑福䗦卾튜습춐*剹觘볥\ue61eủ龒焔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\Menu = "䄅愲킄\u0e63讽\uea77횜븷\ueb90﹅젳Ⴤᑿ⦉貴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\TitleText = "〺ᅥ\uf002ꣷ苫泥\U0005c9a3幭鯠\uf091萂\uf297\u2ffc" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\IBeam = "鯁ᭉ⺲や丣奡榄곜࿚僩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\GrayText = "貀\U00093781❙䩗\ue690鱍箪\uf2e7䈼ꡔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000010\Key Modifiers = "\uf177擤㨿俱뵢\U0005cf27䬈ퟂ奶ᅨవ䕟ⓝ絕ᄂ♚\uf72e䨼㬖䈱ﵹ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000203\Target IME = "㞹\U000af193ᦎ즈屫돈\u0efe젲ﺃ\uf4e6ﴴ絜ᆜ麝蓒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\ActiveWindowTracking = "𪗬墽듈獃䐚\uf1a8\u244bὪ簯ḃ쩌ᔁ폓阗⡂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "玓㌛ꛎ쿥㊒姻Ṥ\uec8eᲰ䧅괰Ȏ\ueb55倓걇撡뜫놝詞ᔍꓲ\uf205" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "㹨䗗섿쑑\uebfbᅬ葃롍\U000a69a6୵䍊룸ப煳ⲥĊ蓗욵\ueccc" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\iNegCurr = "練ἄ蜄槄툵\U000394eb\u1aaf﮿㴔鯸辖ྣ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\MouseSensitivity = "榃\ue0b5ᲆⴴ\U00016bb5阄뢚阔\ue9d0呢⚑䌋럀翄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\SoundSentry\Flags = "䦧ﲍ·ﭲ\uf2ff牸ⴸꅉ笍\uf24a柵舭\ue3f5" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\GradientInactiveTitle = "探瓖欼荫\ue966ٸ\ue8fc渤帑삱奜龶틴\uee71\u2d9a쀡㭁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WheelScrollChars = "\uebeb\ud7a8ڰ⚠覭袄蜁蘱ꂑ\ue1ce蔧\ue049\U000646a3" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "依牔ꋻꀤ\uf711屧\uf4ca\ufbd1\uaa39\U000c97c4鎂ᦖ命봣Ḅᅩ泇\uf208瀏컁➃懍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Compatibility Flags = "諽㗜\U000dca51萦灉밳瑔欞\ue3b1䪷氋빨⽔앤ϟ\ufbcb沓擞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{285CAE3C-F16A-4A84-9A80-FF23D6E56D68}\Compatibility Flags = "⋥\ue8bb︼ᛢ뱚㚤倵༂椎창ⴶ폧Ꜧ┶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}\Compatibility Flags = "ȓ葫㑆\ueda0㬲堨梁\U000c7b1cᐕᴗ\uf1b3뗥邠⚹諰ಖ㳩칕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E673DCF2-C316-4C6F-AA96-4E4DC6DC291E}\Compatibility Flags = "뽮ꋠ\ue01d螲ڷ郑\uf085\U000a2c00㿿\u2e6b蛕刪睘븈橊瀗坻ᓻ胹ꔔ\ue4e3奖崼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\CheckedValue = "Œ숫ﺂϕៜ϶身렶춐옒쳓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F}\BlockType = "裩畣\U0006bc42酤츌溶섈暅꒼⨀\ue7c9猱ᐣ𗼩帞赫ᥴ軒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\CompatibilityFlags = "浌䶼磪싔憩貼\ueda8ష㩖뉩ꕲᵤ熝\ueb45\ue340\ue11f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "㖏\U000a44b3쒃领\u1af0쩤夵⭶欁ਚ伮꼉ᓵᢍ\uee79\ued20" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\Compatibility Flags = "擓迓𠐚લ辐ᠷ킞ꪑ손騠垻䣚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F198A89A-5042-4294-ADF1-CB163E549798}\Compatibility Flags = "㦸ँ梀禨滤ffi儶蜴\u2d26᧩\U000792cc暹럔煷㥸簒\ue026" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\PlugUIText = "寪돓\ue179믹ೳ囱Ӳガ\uf185쑥ᅖ\u2fddꎳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\BlockType = "㩡\ue729쉯\U0003a4e7黙⼷埰쬟છꥩ輒鹔남\U000ff43e茫睓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HTTP2ENABLE\RegPoliciesPath = "ⶩ谦㗷〉讏\ue062䞣␌况瀺䚶ꅠ\u1943셅亠㶤\ufaec" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\CheckedValue = "\U0009a5c6劯⩤䟱洘侃⠛뚪䣚헎㍳냵䋝\uf0fb⎇\ueaac哇퓗迟ꀣ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\HKeyRoot = "䵜좻慼甞瑒麪㼱䟬墍ﷆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE\ValueName = "ሞⴈ槩ၦ雝搠ꥥᨘ𬬇繩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\ValueName = "㴼诼\ue97e솹建桘ꅹ뇩\ue4a7웜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION\PresentationHost.exe = "ᖓ⍈莐䣳\ue043鴆泋鮁ᒮ倿\ua87f鯠폝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850}\AlternateCLSID = "\ue4fc귺㈙\ueda5\ueba4飓丷僯ꁹ᳢窵结ŗ캷鼾탶̷谹끣\uf808隒己" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1\RegPoliciesPath = "\ue2f4誣−굝괅獂ຫ䍏攣彭㟷ጮ鋞㵟선ம\U0010ad60睕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}\FWLink = "ᠲ吢퍤惶䪪뢛荹꼽\uf859ꈠ撤袊띪᪭✛\ue9d8䮑\ue9ff" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ゾ䈕◛⤃ﬖ\uf416⅄\uf412ᕊ冂⚪當\uf024ꗮ羞刞䗏ኍ鱣켔䯁竵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{261F6572-578B-40A7-B72E-61B7261D9F0C}\Compatibility Flags = "ׄ妙䉣軈曩䅂鞅甬앾➕驥᭡䥈ュ흄ꥲ焆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5A20858B-000D-11D0-8C01-444553540000}\Compatibility Flags = "\ue09d颇묊吝ଜ誨≈\ue0d7ଅ\ue9bfێ㶫䤓웡器袻굴돞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "餞랅撖錜\ue515Ɐᐄ엮൏娶諻ቍិ脙藫婨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD351EA1-4173-4AF4-821D-80D4AE979048}\Compatibility Flags = "맆帉ཀྵ\u0cdf駢战⟙\ufade蓜뼎ፅ⽇\ue753\uee85뎬㥁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\CheckedValue = "虪|\uf6be놐ꏄḉ⫳퉩鍉㔹쳛\u18af儽鹃଼禶❑\uec28䱳\uea86癟ᶱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\Version = "眗톼\ue077纗ࢂ\ue951휒癩\u187f赙鰒ᮿ氿㉧ҳ嫑ﶘὗ笗䌚\U00080528" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}\FWLink = "\uef50\uf140눴ꫀ珆\U001081d4猴Ⳋ缋⭩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\HelpPane.exe = "\uf82f㍄賒\uea6c㜳属ᆜ橎쯼㎔黧六颼㝥\ued9f㉥縏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8DBC7A04-B478-41D5-BE05-5545D565B59C}\Compatibility Flags = "櫛㕯\u0a7b\ue9d4㪧ᎀ\ueaff\U000e7012℩§䯰ᕜꥰ껭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9B8E377B-7291-491A-B611-BB3E1D5F99F0}\Compatibility Flags = "㥀ꮣа蜁Ѽ輏줉༜꘥Ⴑ处࿀頱ᮑ䭛㡎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\PlugUIText = "犃쫂魎ﴈ봊襀걋⼝\ue9a4炷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}\DllName = "ີ៍\uf287籂콵괤\u124e벫揃캆Ꞿᄀ\uee95폲ᗷ仼\ue4b9큃࿀魙㶓ȃᔝ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}\DllName = "\u20c1ؑ悱曾쏫ⶓ榃恏ᄰ騜躘̐₠肴쌔춒젇쳄忛\uf0ad\u0cf5叆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\DllName = "푂\U000bf54c娽\uee31럫焚牶⇗㑲⌎\U000a6722ᛖ魏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS\wlmail.exe = "宝\uf129퉞ῂ늠숕̜⑁戳祴ᆲꇄ婀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "\ue92e橙გᇮ핖经䵬Ⴭ愓뗉鑢욯ᮛ㒝䡪쩌\ue7fa詞ⴽ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\074FF50D0FBF0CCEC37F65E137C91EE48442FE4C\Policy = "≊ㄊ貭땸눤먪윞踂턉睡족㛫➦泥\ue2bc뽝袧\u0c29슱饑㯁\U000a5af4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "哄㑞\u1737ꁳ꙯あᲔ𮘀彅໕颏䩷嵺鱦匋楮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE\Text = "䩛쑞刲ᣁ㔟膌ᕫ豓ꇽ⏡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\U001047dc榴褹\ued38兕ඌ㺴藒긍ɐ伩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d}\AppPath = "沐\ue9e2穱腺땑쨗⯙ꠢ\uf56f櫈퐑瓾띵㥁떚\ued0a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\AutoHide = "\U0001aed9撹͖┧⩈׃፳砌闚\uf686嗋ॅ筎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}\Compatibility Flags = "\ufdcd氤\ue6c1堳擃焒줷\ue19a䡉\U000a3196Ꞁ︣ꐽ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\WinInet\InitialApplyCommandLine = "\uf2db\uf396贊缥說串챻辋횦﹉ㄡ䴞\U00080293뺊놱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\Version = "璉\ue813啳ꧥ깨쨼勶၁ꩭ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E}\BlockType = "춍䬃炧\ue231\ue690ꎡ饿ిꃊ奄ゴ瘗琤뮽\uef11գ☢ꮾ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\FWLink = "ꖄ㘇舒ᗺ赪끠\uf1ed鏰ꆶỜ\ue0e4熝ꅳ⥄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Placeholder_Height = "햝硖札ᕟⰜ莞駟\uede9ꑆ騎䝤ﵒﭏ\ufdd2ꭒ\uf827\U0001a295錃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "\U00064192\uf46c奫畄脤胼\U000e6d98덵⡥숞졑ṋ熚윴앭\u09a9᷐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39A2C2A6-4778-11D2-9BDB-204C4F4F5020}\Compatibility Flags = "眥፝\ueeb2⚰ࠈ픛쇧\U0004fb19䟠\uee0c닇ㆇ긱ר⧜យ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{68BBCA71-E1F6-47B2-87D3-369E1349D990}\Compatibility Flags = "㫟ཅ癷ᷣݵ뚍\U0004c6be娉盍뢏\uf150䓏ꡡ숬欢ʜ㢚甪ូ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}\Compatibility Flags = "餼祠ﳸ溱숤狙ງⱅﷱ⊡훋猦懣뽕\u0a46时" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E38FD381-6404-4041-B5E9-B2739258941F}\Compatibility Flags = "麬⺳\uf174繠撹鶭ḃ︮\ue89d䷰児龏䐝㋑䢬᧟扸셃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES\ValueName = "점⅞\uec97\uf33d継\uf596릾䂥皲賓Ꞗ熝ሷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RequiresReboot = "\ue980幖빎㮯䆧홋括㾍ބ챊Ꮘ埦\u0c50㊒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\CheckedValue = "뻱㊀쇨뢚蘿\uf36d憏䩧竿ﺯ퍁饖\uf26eۈ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\NEVER\ValueName = "冝\ue8ed醙䧝\u31ec\uf225\ue4b2狊鲡ꤱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\GENABLE\Type = "諒쪍鯵\ue728僉簜磑䂢↋釷䭬힅\ue572䒀蔷䙨갟\uefd3땕儘캃墻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\PlugUIText = "\ue1f2휻ꙙ㔛䧂⸸寭\uf355ࠓ\u0c4e졿䬸ɼ㕪긌\uebd2㷓튰쨺颩\ue4bd" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "멫쀘免ꌌ⇔厠ᔰ䮗Э啡Ⴘ싻䗴丬□\uea07㲱ꏏ葑걕\u2008\uf0f4칉群" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\DllName = "ɜ磸⢗༵瓡⡃즛醓릹\uee86쀽ូ䛴楫㧠䬤ⱞ\u2fe4斆î炙\U000d96b2矌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-displays-topology\WarnOnOpen = "┣ᾠ牷擴蔐ꚱ᷵춋⯿搅燡鴛數䘐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "뻜\u0ce5\uf034髿虯갪৯\u2eff傏暾ҡ\ue644甈ފ亍ࡷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ด惈沵丐\U000a4208閐ꗳ픁⟺⣠㴊\U00050eab載⋀\u173e\uebad횈Ჰ\uef28" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\SizeNWSE = "靣켣ㆂ얤摆䇢衶\ueaa3\uf8d6勐\uf46d\uec3b\u009b犫邼頬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "壹蛖㽮掎詏ぷ䎤䟄얞ᬩ䔐㞜⫝䮿똢យ\ue093叺刄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri\1d7e536746cabe0\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\re = "⸕绢멼鐊痷㋖웶\U000ac16bꭴ\uee20\u0bd3ᕷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\filetrace.sys,-10001 = "\uf292㐬䮢鷹ᯋ♴ࢀ硫䍑籗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SoundSentry\Flags = "쥟頜禐㖓㖋넓\u1ae8欂嬆왾쐇궐\uf4f2\ue6c6癹ჽ狳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience\Capabilities = "붿齄鷡钏泷亙ૣ䗔欲谋¬\uf16e鍡┸ű哻熍ᵊ䚚Ȇ졜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm9\ = "遀ᅛ쾆夣㌆ﳸ\uedae䥬陒땣\ue8b4ꌇ澞\uedaa䩠럣㩁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\lfsvc.dll,-1 = "⮼띩肅㝔蘭蓝\uef19Ϭ翇欭ﰅ뢟髵\uf102蕃ޒ儁玛侐廅힒皆ꖱ孍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Default\ = "㳱緦ૉ竂䌕愁ᭊ찷≻켾\U000e35a0ʼn\ue85f最⥶釾瑵\ue534巰\uf583팉劉杞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher\PackageMoniker = "샨㺉☛༲뚍\U0001476b跒袇塰鈰ꄭ릿暂≈\ued80怋燸㲈䟼䫇鈠੫捺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "㕙ᔬ꧙ᆮᲭ㚾ꊸ\U000848dbâ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\BthAvctpSvc.dll,-101 = "័䝳䆾埥떪枷䲗ﻒ꾚剴䍹備ꍓ\ufde2䖍\ue3d6沺\uec76虉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "ꡀ劊珧䊰蚄ᢱꠛ㍮睃쟯瓶ꢰ䍿\uf5ea娄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\FontSmoothingGamma = "祏샻뗯뇻敶ᾳ꒟ꂉ數闀派븓㷼\ue696㋒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000010\Target IME = "ᕞ踀唋䕹\ue667⊄譞삏አ਼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\iFirstDayOfWeek = "蜫䩸ᡨ\uf1a9뀷\uf5eb砰㊫\ue30dﹺ纾顅魁Ϟ\uf800똙鋿ﭭ憪⬼㑹액" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm3\ = "弁ू襞\uef46剁쫺퐮짴퀺롑侜炷ᵖ䟺ੑ쨏≔쨭ꕳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4cf7b9220\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906. = "犸꾉笙讎\ue0da䰖㌴콖涄攜칱眆諙ꢵ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Console\InsertMode = "ꇇꥡꩪ換捹뉱ﰲ꿦왠Ꝓ㻾㌏닀絣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Appearance\Schemes\@themeui.dll,-851 = "ᡥꗎq\ue3ee\uec48\ue933㰷盕钵\ued5e慥\U000c5423厙쉯ꆤ뉜滐赲区伩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\5\Description = "ꕉꟁ鵋예\U0008a2ceꇯ쏎蝙緎뽔禧唡\ued7c듛㔤ꓣὥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands\upRight = "ฆ包ꇑ昤⡖ᛙ矿\U000681eaﺓ\ue29bㄧ켾ᕍㄴ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\fdrespub.dll,-100 = "焇\ue985\ue2a1𗰇嚫\ue66d錶\ue545街큲ಣ壒뢿䥌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a37dfe62\@{C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8b = "苼젯ᣏℸ岍\ue9b3ꎗⷰ៙\u1f4f\uf320" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Console\EnableColorSelection = "\uf8ee뼉솹岌떋軩ꅳ톔釴䬶쥚逃鎦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\http.sys,-1 = "ୠ룑\ue246᷆除ﻛ⥄씊\U000ef1b8閸嫊ᓾᝋ\ue672\uf6a9鳮틝筢薨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ = "톼㍻\ue47a\uf79a媛\uecf9ꐳ\U000e8f06뤳妕穧쀅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\SnapSizing = "軾蘼㞑狶團橬윫蜧\uec18\uef78꾞蘀ﮉ例ܻӲ瓶迂禈嚎锨䪜뷍ꁀ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\PrintComplete\ = "ꝲ謅ꄂ傁筴\ue055\uee56意덃豥ffi뇉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\International\User Profile\ShowAutoCorrection = "ഀ놙ਏ룯ᨑ쯷껜僪맊ᴛ\u03a2䱳哶冽섇\ue633禨ĭ髬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\SharedEudp = "ꧼꂾ㢧\U000ee47a䌈鄚繍𪏰\u1a1d櫳\ue91f榖藼ᴰ豹脣즹5\uf1ebῂ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Call7\ = "턏\U000a6744⏄蔒彔啥ꟼ떠몬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wbcat\ = "쀋烴崥䟤苹뷠呎⼒岚\ue191\uf0ee\u0cba圮襸ꁗ뛥൘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "㛅䣿島盺̈麽ਈ䨑佞\ue8f5髗꘠岾럻ೊ⎼⟳䇐渑\uf442剖\uf7d6" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BDATuner.SystemTuningSpaces\CurVer\ = "ᥱ\ue409趁틋➍じ櫱̠랩\ue50cꏛ降蝘ꈆ禺\ue815\uf782\u2d71쭿甍捻ค" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01C6CA30-792B-404B-A5C2-0A34434B3AA4}\ = "剄ᳯ\U0001523d汕鷖套妥亶岡ቹ捧Ϧ뼘鮠䍃耶䳗\ue80d骈慑縣㷈\uf34a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\.mp4v\VLC.backup = "ޮ䄿\U000c939b樒฿爼姫䨙Ꭽ킠\uedd9塩폺틋풔濅\uf69a\u0e3d헻⺌璋ኚ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{274fae1f-3626-11d1-a3a4-00c04fb950dc}\InprocServer32\ThreadingModel = "П퇊⊈ꉵ⏷숃燇೭횚겨㗽\U000aa828㦶鲼℅ꙋ\ue81e쌼ႃ≁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D}\LocalServer32\ = "⽮팺䍇欪ֽ豉敦都༙ᛛ顭ᆅ溚厲抝ㆸ狇\u09d8㐰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51571744-7FE4-4FF2-A498-2DC34FF74F1B}\InProcServer32\ThreadingModel = "\uf68d؋꒛\ue3cf瘃ꢴꐍ塘ຒ\U000d28cd倴ਭ犮䖠㩑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xlam\Content Type = "欂\ue46b쵓ޢ펫惍蒭\ueea5ᶍ\uf3f4߮퓕憫扵劂黊렒ඪ䣢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CfgComp.CfgComp.1\ = "㢇鑅Ǻ\ue32a鎢총얄띻뤰ㇳ\u1c39甅勾嗉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00022602-0000-0000-C000-000000000046}\TreatAs\ = "\ue065橚곿觧\uf3e4ꁀ굉쎝㙳⟚\uf790뵆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\ScreenClipping\Description = "\uf780\ue8afᄻ\uf28c变殴ꁩ蜖\U0008fdc0찆ꬨ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7071EC33-663B-4bc1-A1FA-B97F3B917C55}\InProcServer32\ThreadingModel = "䗈嘹뎁\ue1d7燗㛻\ue057攗ニ숚\ue7c0吝锭\ua879ઓ䇣ꃑ칵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{778DE47F-7ADC-4C4D-974D-771BD1675DC5}\InProcServer32\ThreadingModel = "\ue600奡\ueffdꏐ걻ꢲƋ畦郄粍䔵橦\uf1d3" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}\InfoTip = "䏴鳾ܵ㴌㷆ǎ\U00099f8d嘬爏ꓹ戹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80A09B21-11E7-462B-844A-1EB3415BB4A8}\ = "ꊵ뜽该뿙⎛悲㧿矼꙱褦⢟뒶脏ᵀ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E54333B-2A00-11d1-8198-0000F87557DB}\ProgID\ = "㳷쁲⁸≡끤回㙝ᨛ엣ᆧ衔醕讶\ued40襤》" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F391-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32\7.0.3300.0\Assembly = "ⶾ潨襪隽籐徜𫩘\u05f8艋\U0010bc56" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46080CA7-7CB8-3A55-A72E-8E50ECA4D4FC}\InprocServer32\Assembly = "⣬亖径痚䟺콉鼆⦨彆茿괸영ꮔ\uec9f\uebcc痡脵\uf595ꂫ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32\ = "攋脖愻䳡⇰\uefbc뱍㶉쥲濡͓삲\ue66e憚ᐛ殐墩쟎럥驍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54d38bf7-b1ef-4479-9674-1bd6ea465258}\TypeLib\ = "Ꭸ\ue975寂⠮쿗씪뙰\ue236പ㲊趀탅建캥堷ᘅ끲篋迗괬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\ProgID\ = "坳လ踸\uf00e풱鲡曼բ\u1717헻䷌瞨啰ﴽ瓐칞饓毦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FA29220-36A1-40f9-89C6-F4B384B7642E}\OverrideFileSystemProperties\System.ItemPathDisplayNarrow = "偻뵷骃\ue259̑鞚⯵伓▃趕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.prc\PersistentHandler\ = "뢰\u187c\uea94㞕沁빧⨘׆㯈赽䑥ኽ炾Ԍ邕댮㾇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{12DD4DBB-532B-4FCE-8653-74CDB9C8FE5A}\MaxOutputConnections = "\uf364皗䛆뫶盙灰\ue00cꁤ⨟芹ꊑ㭛嘿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FriendlyName = "\ueb8a䙱㉏蔏戟ꩰ⭰\u008c峯㦠寲腮팀딏玑\ued15괌瓷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32624F4B-F1D5-4877-989E-555640109D2B}\InprocServer32\ = "氒ⰻ\uf790거鋕Ɏ\ueb59魿\U0001a743めᤑ㹲䀯⅟˂庨⧿\ue873欞韕ᚳ퀭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86d5eb8a-859f-4c7b-a76b-2bd819b7a850}\AppId = "\ue2ad䬄銮⤳鮏衣䌋షⁿ凸⠂۽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8973b4ef-7da5-4031-a333-f65609a4dcf4}\ = "⥱➮뵖멨\ueda9≈Ꮟ⿈煣ꐢ궸䵨𗺴捒䢛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.hxt\ = "\ufdeb晅ھ\uf390柊\ued7b段ꐙᡱ偡\ue05e왖ᙟ覺㗗瓾鿠毮Ⱒ埊큍ḉ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B162A5B-B67A-4468-9613-C3F9765B353B}\AccessPermission = "⼡ၣ\u2002핹伃⯁\u0a63\ueb02ꨯ퐧퍠筞鈿鬲ႎ姟澴矂쯵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "ꪆ僩≌䀌⒐\ueec4멷ꊏ喩絁\uf1d9\ue535ㇲ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02844640-E37C-4322-A3B8-4C61A2E58879}\InProcServer32\ThreadingModel = "䝷㹣伍嫵줠櫱\U000af8ac閨溕\uf732奛뒈鵓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon\ = "䝀蓰꿊\U0002ee0b倁\uf608쵃Ꝑ斺齔訜ⳣḅ㮟䌟鸕굕ᑢ潯첞ᜲ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89F2B8EB-AEDA-4057-A05B-A7D6181B63C6}\InProcServer32\ThreadingModel = "錶괯㣰้賕덁뻖뇔唐뻚豜웠\ue62a㵦숋寊リ螋ﲙ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B918B82-7985-4C24-89DF-C33AD2BBFBCD}\VersionIndependentProgID\ = "뛽Ӭꍼ텚闦넄廋᧧햄렕ケꄳ旜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.getstarted_8wekyb3d8bbwe\ResourcesConfig\ManifestLanguagesList = "欼\uece5船\U00041838ㅙ읟⃫㽺蔛༷诫䮞罞况沼컚춚뒝䟪Ώみ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\LaunchPermission = "ꫭ嚞ᣦ皇닐냲컱ﻰ碁瀤娧抔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CATFile\shell\open\command\ = "媦웹筳袣嶘Á獰㝾\u0cf5タცཐ법\uef789ᣑ䘚襡懵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}\ = "붨鹤쎗慍\u0b98쫍䋾୫ܢ稃♕潄諏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BD95610-9434-43C2-886C-57852CC8A120}\ = "譞\U00065f3a죍뢳䶹웰\uec13촍\uf6f4顨ꈭ軒魙턺\uf0fc鄥렳臥ⴎ\ue9b5鴼\uf789隗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777BA87C-2498-4875-933A-3067DE883070}\InProcServer32\ThreadingModel = "\uf7f1⇱蓳橥☶鸓暷娠롛鈑嗒\U0009f055ꅊ怼왏帉坆꿙\uf446룠쳼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "\u2d7a떫률讠ಒၰ簩ɞ\u20c2렴떩㮠렮\uecd3᱀㕼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4DD15E-F431-4536-AEE8-AF20BA847A33}\Version\ = "ᴠ戭⹖剦\uec89䱎᷎谜㪳ὕⰍ\ue013酅섴ԧ藽뎃ⷽ賔隻味䗥蹺駢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC09899-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32\ThreadingModel = "룤㯜岬啲禪\uf883莝艧垑᷃牮접袯奛嬚䀡䷒ꮂ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C22-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32\ThreadingModel = "Ⅼ秭㜒덀魈鍅뀖睽\u192eɄ뺯劄鿫楶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32\ = "\uaad3\ue198窽Ũ쾕牝⁽䔪䏩ꣾ쩠开" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.Backg = "澲\u0a11槝⣟餞芑ᰭఄ\u0fed\ue424읳됭\U000c72fb臄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\Elevation\Enabled = "뙬ᚁ\uee98녲㜩纻僖齗髣꯸첌풜麱䋐ⲳ﨣\ue0c8⁔뜱欂짇뛎ᤡ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0e-f192-11d4-a65f-0040963251e5}\ProgID\ = "웪槁ℹ縂秞畡瓛綳桾瞚ⲓ\U000a6ab2휐簫ࡶ젎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\UpdateEncryptionSettingsWork\ImpliedSelectionModel = "蠘ꤱ䩉忯爲鯷阚ዱ粳瀛볽醴窗㜖駳⅛딊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13EE36D8-2EFD-44F6-AF3B-75FF35E6C691}\ = "\uebf3苕誱ᕝ\ue4ec⓶쒈府\u1fd5蟪\uec7a빋ᘃ\ue01d᯿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2af6bcaa-f526-4803-aeb8-5777ce386647}\InprocServer32\ThreadingModel = "棺\uf549ӑ刻춍䮛紾鎻鯣戶藡텶\uf2fb䠝쮝ᙗ\U000ab642鼗愀\U0009817c讶␠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}\System.IsPinnedToNameSpaceTree = "題\U000cfa5b낙縞ع뻈\ue4d8Ⲉ샺㉭娦惴䅖呧࿗뽄饖쎏它" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{487af411-1d5e-4f7f-b4f4-4721fe1e95d9}\ = "꒿놌땨\u0ad8⤃㙫瀄扜㈂\u06dd됐\uee3e捔䷈辐唛烩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32\ = "ಮ鐟䱈쀍烵\U00056cfcᘱ靀ﶈ՝\uf584" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6C292BC-7C88-41EE-8B54-8EC92617E599}\ = "拀ፏ줱樣㨁\uee26\uf0fb諸\u12b7콥炒Ẫꚅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20cd9315-87d0-40b4-b925-0a8f208e1f8d}\InprocServer32\ = "鱧콙ܶ\ue1d3김刂冡\ueaff\uaa3a풖ట㱛䯧ምለጎ黛欹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "䟺麠㆙窠귖雃带↷괣枇㇌둡雍䦈잛ᆝ핸螧\uf18b溫制잨䵎" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C1C243A-2146-3342-8078-AC4BFB9DB4E9}\InprocServer32\Assembly = "ₒ縡凨쑊뀘圕ᕵ\ue3ddꂵ깦\ue893츝ɐ␥阥蚞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73257e95-0378-49d6-a954-44aabc841eab}\InprocServer32\ThreadingModel = "Ή䙭䗥䆸⫖瘝榹ᢢ냏黌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84589833-40D7-36E2-8545-67A92B97C408}\InprocServer32\ = "ㅁﺢ臿ᣂᰚꆂྦྷ刼\ue19bྈ⚵毋삪ꀼ\ufae0ྀ뿺䠟㪙ཛྷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "႐Ꮊጂ큸椬픒\uf194오␉ᨚூ\uf03f儛傛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E6D2639-4C23-4325-B8DB-6E373F20C733}\InprocServer32\ = "䚚⁷\ue37dᗁ⣌絥삫દ⟔ᣟ汆綵⠴绨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 956 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 5276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 5276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 5276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 5676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 5676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 5676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 216 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 216 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4828 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3540 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 5452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 5972

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ਍$

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 䁢ꭧ뼀蚬쮷⭋婓馺㶞闧똹젼楰ͷ蝯鶗

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ᪆䜕鋮򇮘퍄退詍룿鹡잛૿럱堯湋愠񑞗喬쿿⭏湩

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 腠쥲Ⲹ伳틸厜᳽愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭

C:\Windows\System32\InputMethod\CHT\ChtIME.exe

C:\Windows\System32\InputMethod\CHT\ChtIME.exe -Embedding

C:\Windows\System32\InputMethod\CHS\ChsIME.exe

C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 956 -ip 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 980

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 88.221.135.2:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/1420-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

memory/1420-1-0x0000000002190000-0x00000000021C6000-memory.dmp

memory/1420-3-0x0000000004BE0000-0x0000000005208000-memory.dmp

memory/1420-2-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/1420-4-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/1420-5-0x00000000049C0000-0x00000000049E2000-memory.dmp

memory/1420-6-0x0000000004B60000-0x0000000004BC6000-memory.dmp

memory/1420-7-0x0000000005210000-0x0000000005276000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_ofz3gcty.1yz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1420-13-0x0000000005440000-0x0000000005794000-memory.dmp

memory/1420-18-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

memory/1420-19-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

memory/1420-20-0x0000000006000000-0x0000000006096000-memory.dmp

memory/1420-21-0x0000000005F70000-0x0000000005F8A000-memory.dmp

memory/1420-22-0x0000000005FC0000-0x0000000005FE2000-memory.dmp

memory/1420-23-0x0000000007040000-0x00000000075E4000-memory.dmp

memory/1420-26-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/4076-28-0x0000000074A90000-0x0000000075240000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/4076-29-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/4076-30-0x0000000074A90000-0x0000000075240000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2e640c515efae2b4a054e0751f03094
SHA1 9341fea3961560d1dff019a16926beec1a2c2a2b
SHA256 d9a7385dd677e0720aa3f97de4449bf816cebfa0cdf06985518ea177c2336f41
SHA512 53d16fe272b5cd67e90bcc95337ea90740a98890ca712745723bc1694b7bc174e23af983b2d1a4635b39038c96468e650bc4cba8c37a8618b73273fe6ecebc38

memory/4076-42-0x0000000074A90000-0x0000000075240000-memory.dmp

memory/5276-52-0x0000000005ED0000-0x0000000006224000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d430dfdd72ae3fbbbe44e4e88d65f125
SHA1 106d8837416fc91b72da082cee43dd1f4065bd04
SHA256 dd266ff21cfe51cf65696d540c0ee40325ad2867b875df76045fb0dd5ece2912
SHA512 a7777e58b67e1773902e9e785374c88e0b081dda3a323c0773a2f4a5c29b99473e556094111095eba8f362726e283003e1141f497f31815f19292dc2c93bb7ca

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 56de59a062626874921f7d6218d65b73
SHA1 1e3850bb2c2f479453c45412a2eea8964e36a05a
SHA256 b0aea833412737beb7ed7d4a7be99abddd0c8ebe852de0cc08e0ace48cac20db
SHA512 fcdf831e544665d849c9069ea73e2b763d5dae656383b1df30de1dabcf47385a16bc07b8b1862b0a7b88b7ad19bc2f8382998aa5ac5eee7d2ff591cd16111127

memory/1528-65-0x0000000006350000-0x00000000066A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e255959712d32a38ded6d29fed6f4795
SHA1 fbb31c3faf34e73fd3ea1484f63694c194cbe9cb
SHA256 314f9741e71b09e9e7a7720b793c8e938dd7856f443a0df56c2c1452ec713d45
SHA512 ca20abdc480984904012374ceb329754ed3587cbd3445b2bbe5702143884553feea2b6b58f8374479c8ed49ff3505c57907d199e288e86b3e6f4c60a4a2134c5

memory/1468-87-0x0000000005540000-0x0000000005894000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 083f12355ff3660474136c8c49bdfe76
SHA1 62c98b1eee8c1fb83424968b05076f05dc92ab52
SHA256 1a29577c6c2056609259708285d778a71b4332c9e236af9487b21df7b666f9f0
SHA512 650d0e34bf7356539c2f08cbb84f3ada580f03f2aa07bcacf3ef63139e5d39210aa2c79178c92b7fffd70bbe6dafb90b9a967802635bc463ba8d7b2d759d5ae0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07bb70d56edc1bcb049e4699bcc115f9
SHA1 9b08c74731f25e20b11972ed2177ae77e629e7c5
SHA256 53a6aa9eac8c13d5f57de21f5eab24e6235f5178aaa329fb649c225dd5b02bf6
SHA512 da8b85c5642e68dd88682e6b59b96e790dbcc890e8afdce4f28b16c91c86d69fee5a5e66dfda1a5a034ba921189025560cab009c1fe88bcc34f50938127c8529

memory/1524-110-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74740893ba71f21bafb6eaa1f4e73c99
SHA1 63d0f89e396778187ddf6af571b99baa547ffc8b
SHA256 2637549dbe957a19e194d52f7bd102694ef0d1fc4e4521100d1f6341680bcf75
SHA512 13c693ded94c44bdb0122926d3117ec65f4b37f4956de6ca36530540ae7df55e3b15a1dd4b9ad57323ddacfc10e3e3f1d0349ecc82aac9a0853b136cfa41f8a3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f954fc35b468a73a17c45400fb33acc
SHA1 35e4d03170b98f1b39a9fc6b113d4ec240baeb8f
SHA256 011d5ca75b61295bb3f15ab17ac6a5b5d6148d367b78000393d7827dfada0eeb
SHA512 7c2ae5e678432eb718eb6bba70bc698561cd3254bec0bdcf08652b4c6097b2a82d0033fb837b096ae91665ef036e38386d36f1fb5183d4dbe7cef1f46928add0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e6db2657e6fc0d0c76c1df4e0441733
SHA1 dc9485897f8322df23c2174369f45889ad5abdb9
SHA256 4a8faf74404fc4163dd3a140eec6a0463f3e95a4c98e4b73909b37f9ff899153
SHA512 edb8141d3756b31e87166f8609827feeedb60ed42241f495687cad9fbd904c7ea02317905955fa76a50e3bcd14c4e23f21f74d675777d9a5e092f7894ad8bcd8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f408e25401a3e87754f8711f57e949e8
SHA1 ac762462e0d1153ca347539abd58e8d77f32880d
SHA256 d1c88ca06bd48a30886ee55746aa719dd864d4b2c43941961ecc2fbf15500326
SHA512 77d164d8bd6dd990b5551ba9ce049dad5c20f5e15165cf74aa9c6f176f5c8da9bf45627be81b950fabe07eafcdc12708093fb5b707be5527f5a9dfc17d2dff6e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8caa827646e155ff425ddfc5adcd865c
SHA1 3454539e7cbf0a6e5b45243ac06507991848bb55
SHA256 8450a31dc35784d0809de1c4599ed6f1c372e0a1299b707591cb950e34cac952
SHA512 2041c858a3ac27c554262ba4a83df5930cde4fa9b367664b6ed7dbdcb030693e75b5b5d2bbac3bc6f80dc824e631176bafe9b25df726e66002409aba52823035

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a025948c4776e8ee9a3b2f90fdeeb9d4
SHA1 895c94f28bf1fbebb94934a9e321763968976b2b
SHA256 59e224dfbd20a4ce6e5be781cc3a1697dca88aac3cd829704ca8e763640e324c
SHA512 bfbe397441059f7412a399c887940ccc5bb6c3929aef4c100a099b060046ab0bdbf53ed2dfb1e89f6fdb13f022d18b0b57044bd95f7fe634bb97ef244ae18215

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6fb02560ccfa87ce881263c8656ba6ca
SHA1 32b2ef4197f3e1ed5df392b944a86c039961b2e9
SHA256 e574b308201d588d502ed6fcfea5f3a97d08afe2eb7dbf6e92c30cf2ddc9297d
SHA512 6e81231f8c42ad439c3d28a77af142df23714d4d18971370568fe3a1104637b480448434ab593b811e975cfa8db6dc2442d5608862aaef63331c82570bb1410b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b4af06b97759ab598be39a07a19017d6
SHA1 70234b21ac83964c6db103aa18f46df2894fc635
SHA256 b6598a0607bb5fbb3762c431684aa28781cd2e5974c44b42676db07c42ea472b
SHA512 212fc42fe9eac113b77b6a47ad1d8ca8e4210cb420db9997f0bbe9927d41529de019c1f949040d23d860afbf011f107da3ed78ac9a41dd409cb070e87393ccfd

memory/5900-199-0x0000000006020000-0x0000000006374000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5cbb9fe6da9993fce9f7eee244cdbc2a
SHA1 ddd0351e73097fa85de7ade05cf5a273ce879a09
SHA256 4892b101cff81e371b821bed3636906b32f9c12ce25143bc4417c0c0fda01481
SHA512 381df35dc34255ef37976da67f421726e1b37eb01bd24975d1b70e6134b77f5a4eab4316adf2529430e0180b2e6ef246ee9b2d63ef32e091cde779a8cb1195dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa0f81f9caceb100a5f28300267f2a4d
SHA1 6d28b93293eb587ab12f6535d33a532a62227204
SHA256 866d3ff31f19faeb57789f673ae7e01177d45db3837fea46412a048a26d53d33
SHA512 42554e71f8363a6dd7cc76be98f36e869f95dfae19c925b70bffeeb6b5fb7d749747194a5246f834a3fd95590d2321fdbc9cc84e1be38b3138c5ca6d78bd805d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb0c1c93990647c585655493ce89ac9b
SHA1 687144d5ab9badc2272e39c47749b1c6002887e6
SHA256 ae49cf643feb363780c50f3d8590f2f70671961bbc853d26187c9e07c21db164
SHA512 d87de862d7c8ddaf02c4b525a6d1e2567db7c02e02aa57b61a9b0c6d28889ee3dbe5c05df47d40dac96ad5591a81d59b81473ac4fa1568c37cd1e9bb306590b9

memory/2756-233-0x0000000005E70000-0x00000000061C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe0e9d3e00d3f0ac14788b124d4247a0
SHA1 d25beef87a217be03ebbbe3ba322954ad3720167
SHA256 4e730008d92bed5f7cf99896a5f1e42bc7ca23157eb9168530c83b15cec6d8c5
SHA512 d3166cca79d8eda54b451c53b824293d3d6bfb29d46c8b19c0afbdbf7bccc6a2d29c5a790b51a1cb5a9843e242f795943564fe21c5ecd5fb719f3f1e677d48cf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 79abf9677bef38520efb207ad9d14524
SHA1 a013341b56ce03a0e75e874f086b861b0c8490df
SHA256 2dad17a6dd00ceb8520e319c138907a4a2515ac6cb1034798f851b407f13aef8
SHA512 e77f0ef5ed591ae46f497ce99597a7fd0d775051eee7dfe2742d8e764a9b2c64f97752daee35b2cb5539938782016497fdf1c0e4bb10f8d72e789ee6f197e13d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be299099de44aa6575795915e3fee167
SHA1 2874cbaaf66babb494b1e7bddce7eee8960a2b22
SHA256 11b9e93f7f0b7b478033feb43f15b9fb06e94818263e026ab980ff18afedb7c4
SHA512 43c2051bd31b119b4a0571dbc797cd18b3932bd68ce25086f1c869af2eceba9d7b3671d5cf36a37d11b33ea1a13ebb09be2597b9308c246e5ea12e545210c4d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49e9f81d3933ba2a6c1b9a06ab76d427
SHA1 f9b1699069160d03eaf56a457e325afe145188d0
SHA256 98afb793edaf5f1b85162b7d3f46e49b0549754d8cc6c3e3a050354c6a7c5ef9
SHA512 7ac25ea99a782a66ce59528265d22fd6d17b5080bc53c0dd5cdca7dc44ab1f23959218cada7e1395c52ea4261b391d4ac1b2a1739d63670b4e4ac667ce602406

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83aeff5af0ee9d3770fabcbec231d1bf
SHA1 141a41f4e784557a7815bc4588e29ba26b2b4ffc
SHA256 907bf15b98596c53f8535f146f9a2ed681565a2cdc11973842be9db6391b64e8
SHA512 4cb3610edf4de20f4046fc07b1449f303c2081b2ef9da39964d2e28cf5e31b26307f50485cf2a869f8abaa370ebcb9d4c99cc50f720955c29e402475379e09d0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd1f872f8943414edba790230d15dc34
SHA1 15b70f9e988e9d85478f09a8b3c7a0846892d62e
SHA256 a679d3ad725a034354bd8ea557b2fc61b45069657ef0e1e52006fbeab40d3558
SHA512 8a3756b36eea878763797fef29cb096b6d2596bbf87a497d98de2de6bb9a7f4afbc1321be8524b7a392e6734cf2fd0dcd20f68f7677a135f6b4d94c67b3db3f7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 76d5cdfea135f591e1df44b7d5f0ef01
SHA1 d28ba2da8857650bd2b8693f7d54c6bd2d255d7d
SHA256 8b60e9e83cc5ea0876e6587bb5f300d629dc7a3858a7c8cadf9e56e45cb756a2
SHA512 6210f08e6620bb134b86b78facdb78396b7e921697c2cdd2fc9f5822b770067c1702126e56f08cc4282ec032c317893f8658e13f25b6de1850f157d9af2a1709

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0dfccc52ec66ad40558b5f2d1154d35d
SHA1 67eeb47a6b8c68a61c0346607448395723222634
SHA256 b072dc254be00b8ed46f67159b4cac672c7eaa13455a52a9a76b1ed60e8eb803
SHA512 8de338e73fd063ec2266d2c44e88557ebc7e8ee08f794055ee7f73c1577a9a9a8bbdb966f5214650b681222f5eecf8fda9d9a2d2b064d63c39e718f922891c13

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5e8c52d2c9cd55576df7d3695c5c425
SHA1 af6cc5e1007e44f230a9ef9e78c664ce583f69da
SHA256 49aab17e92d981b7e55e61ff34a30d0e7d78858b9463885c8ad4b9393793df91
SHA512 e5dd7e0f30d86c0a8f45ec0a2c8502adb03d641b0f72aca8fc937d14968840def0a68e327777881e79a2d5c8c2331bfbdc5cb3a4d5e5c01960669bc3ca589088

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 043f11fe506c2c03c2edfacdf1230608
SHA1 748450b4b90de37a65888cc11c80de6be033e541
SHA256 5e453363002b8b204abab6c1465a75c6ee39533ac2f5cb34d2d54846cf817c63
SHA512 277a502828d113a754a22f50390ceb6225b592d2fd1385d3ba399a0a7ab848f151113f688e63e8ed298a8c81082acf29fa51356792388b71bcd4f65a50a50c17

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c980b6777d07ce52aca6820c62a8c37f
SHA1 a07ca8a2660c77fa051b26988c2ade636585b939
SHA256 e0a828ee878dd4aa3b100e39efdf2be2ca72908ac4011c307955e6213f36761d
SHA512 a02593f9340f03f9dfd7807083ded997c93f88ee09e57045ed1d8358d36fc034880a9c6d18dc804d990335d1ca2400b3438d18c2ccec4b55f14e44b516d2e2c2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42ccd6d0f61a262a9166d99e07dfe625
SHA1 e4bc4c0d98bf578dd8db9d50f7abecc11bba97f0
SHA256 d167a935ea9480025ed17881eb38eae2e1af8d980b01a81e7a4e51fa5fd56ea6
SHA512 0831426603bb9bc222df576c9ab4cb8fde15bdf797e7ead94382eaa0f9ecb31537fe01918fbb5d9e4314f4f6160fcbc09f7f8524c28f87882e2d8b86f3528ca1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6397e3be021fe9591ce143438d8ecf33
SHA1 aba0214acfef47799f52828677bb9ed56c6bc241
SHA256 540417d038bbc3a0b7c5d2e9ca14871daedc6c94b4727bae1bd185d0fcb34031
SHA512 18d7b1474dd88bcbc3b4142d5912244d9aa4a6645181cb3f5c3fed89dd4ee0c70961bd37eeae52ae660c9e8d6b1cfbc90f2f867991922aba0ad43db79a0e0439

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 93bcd10dc8319202f4559ebb22433ab0
SHA1 c3daebca4511aa258a15c21d5d46d07fef9060fd
SHA256 55a32d95f91eec0bb1bc070b992c9d0f54e0fb1629d5c0f3d9f403123a268f6a
SHA512 54430a3003fce46b1c73b4e350f192e58fdc34b3228810426f6c99293c47ebde540eeec3a9cfe27768bab1f681c4038d21e588eaafbcba335d408705888504fa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f785fbb539d4f7b544603ac8a786d345
SHA1 42a06251f06103c208760b1212dca71e63f716ff
SHA256 3be20b50265fcc62606e313cf55d41403c15d2e34cfd38448635007f58865546
SHA512 4749426c8881ca7867e086541c3e558a691814a581dae5b611738c5def8aee610a82cbe1751f55a318fe39fc7faa02b395b2a4f10efe098b482771c9c82cc6dc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2fcd6e871af03a1e3e1abe1c4b9c248
SHA1 448bef75f085779f70ad92d88b95f146161fcf7e
SHA256 7e029d749cac9c9f754c8c7d8bce35a2587dc44cefa4cc6c98fe34be635379e2
SHA512 9478a3487292b0f3e1958c1af6c759971e1df38a81786ef7a9bd917cccd21fca9dee3e5c69fff625aca7cdf52df0c342cb9f232159b541f5dc1518606dcfdf34

memory/5652-410-0x0000000005F10000-0x0000000006264000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d060cee6aeb98c82cb18645e4ee888b4
SHA1 f065640b4cf7cb722265c1e71d484d675496c93a
SHA256 7c932d52b708809ab0d77a721516e8e34aa6974e8b7e4ba88d202ca6d3466aac
SHA512 4df5bf70901f01630437b0d6f6b74f83a8acd12cf0109df5a1ad3f57771b2bfaaf9693b6720ccf9da7490a2b9e93e7c032ba47f15b6cb7acc6344373877769d1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c70e7f1360afa9c5f0fe178574a1bbe
SHA1 e81923519515b6e1eee2c37fbef173dc7d880197
SHA256 4f7c8a4b9258f44adbf548a8f3331cd9da1a8e2aecdbf927cf90b46dcbe8eac1
SHA512 94e590460d6f88316fa0991af4b418bd906591a73b724944ca48c4ace1293415179735b7a0278e035da845c49566ceb49af28d74569fca31e24ea0c775e4f3fa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6910f1a3a09b3b1a3edf079ac4d8dce9
SHA1 4f2000fc04fc3a4967fe4395be1cd8cac2951394
SHA256 76519f36fa6200896f17622a278d87b3a006f2bf3f5ebe3e2fe2b81317277a21
SHA512 0ac219b4c0f862fb43535ed26886c1c6d2ece5792c1a55274319901d25c15fb8237818c871f41d92205aeaff9314cbe146509db71269f15f51ceda0d1c66dced

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f6a82579f2f88b8aba38cf24fe1a60a5
SHA1 63264b02c03212236f29ca5ad0a2df3b812e2fd1
SHA256 705786b6f158769987f4446563b2d6154d4b722c240d422b5fe0c1d6bb9b3f9f
SHA512 470038de2de4619949b67803a90a430e36138b95c7b523aeabaa6d88619942ff7a5f87a84c759483a95d7b08e944a5c39beabbc91c4fa4839e836ca85d3e021f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a832fa5fc92bf3491d80671724032cdb
SHA1 f6bafffda0f2db04425d655b6c558fc64e030844
SHA256 b30fa654b07290ca53576021ba03901bdf7aac4788880dd57a1744838ee29b8a
SHA512 5a13b9bc73e7e142c877c629c197cc021221e1b1eb081bf0f5b338da8e778d7af140f387823a056099a1f0078559a14221167ce3dd000a01e0faa3c76bfe0a5a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c567d8132c515b1c4f7103e51f764558
SHA1 789e4a3294f49caac8089f2ac5565f1b71a5b6bf
SHA256 e8cc99a5194d720430a19c911fb748d0cb64a437a86765dca9371c7cfd5655d9
SHA512 3444dab15aa9455d2f34e5b71ffa11b6eeaeedb93c081386d890dd9941ad2a91ca3353357d67a850c50d4de7c8aaf5501506fbc29e2dbb9143f938a488da2392

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13c13c9805f4ab4ab5fb23b864ad4fad
SHA1 631325eda0c3e87097a6521f424b4a1da42f470e
SHA256 397705eb1ec7b2fee7290f47513b8ea2b2c5cccce351de2907b890b385c63f96
SHA512 e909e7d2fbdb2e4f3572fe84c24e36b52da39e2284af180310a7593f2f794c657c621a0a99ba06d6a77e75bba759707c747eabfa91d1c6088c6847e76dc29d16

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6b2c4ebc7d93b018582102628c2863d
SHA1 b384aa00a1e8a4668f361b99f530e4414b8c39e6
SHA256 acc4afd8203ae04fd04115094c7212954e20b1e07dfa2bc9acc849efa7a0bae8
SHA512 546b354b9ea21a51d2302bb428db64c83ea03e93d3d7a3f610682510c490c45188650ece140f30cbb9f72b76a7f2d7b403b59166f44f8557870dafcded1771e1

memory/4372-499-0x0000000005CB0000-0x0000000006004000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2b5965aca3e3bd5b779be21dd350be76
SHA1 3af6f2e68545462f28c982453347880a8192145a
SHA256 0186d025b3afc35f6e1df416c97a64ab8f8b3d6400158d10a5422b24c47922bd
SHA512 c23149f1a03bca11585fd348df3fc3a02c1a9814e64ebc495b612171e229c88292ceca9e2e84b7ca141847e6c1063550a772191d71e5e513bd3a50ed88ec39b8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 41da95ba6790b91c84a7ae9f495c35c6
SHA1 55a3e6e5376a3d70972951afa80f2b328ef796eb
SHA256 54d0c04dd60d6e5ba908048af1f9feab57d337cae4682f2d86c38394b6c600bc
SHA512 f0c81821506c53c7945db5cd0acaee7f4bd4a2077e6a37f9ed74d50c39cdba43f6f3dbaeb6bb1c8501a342376d0d1ce1a61f4e20e0199bd8d18f9f98c4a2acf1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd4e1fa3de159c454d7d29c169863b25
SHA1 650db7ac714569249b12e762d96ace4703516dfa
SHA256 984373c74e74195bb995b0a719777660d71c4726d4b79a505796d00969af327f
SHA512 3036975b5fd2a051dc8052e5c6a26e2aac177ec0ee3aaebd2b9d2753297ba347cdd6ffd3a0225b73dec43f7fc01131cd804d0994057e20dc52df5978946aa63d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 566c9da595f3b9275ec4f13f720323b1
SHA1 a85d5cb0a856739bb1b012e4ed130ffeb448788d
SHA256 f63f42bd93e43884022e6d25dcab64feb63c1ab1830f5d7192440fd1fa90c08f
SHA512 febef9222ebaeaff57c3263b0f1204fac94e0f84b04e19de6874ad3aa75a36094663f0b8b6bab73494b8f44a15f1631a3ca5f9da7f29b37a7c47c2ccc1227e6a

memory/4244-540-0x0000000005710000-0x0000000005A64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39b398ea8d424faa1231265209699a8a
SHA1 4cd4db48a117c457d175e2ae11635d4fc313daf1
SHA256 59f23cdfde769adaffba7cd77dc519fd6743138b62b4b6780241949eb8b2fe5c
SHA512 8d422fbb8eb5a2e4990c06a118e336266376360cd84c21a52b6713cd323b3b52360aca9146a247676c68bdd4ba0943e6b774b38404975a06372e30d6972074f2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05aa18cce9a6b25eb72ca3eea0253e32
SHA1 787d15e7efdde59fcc40b6f5d8b1c31efa9a890c
SHA256 34bbddcf7c42ac002d6d446cc45145609a5a636effe726f7b5f0cb83128b4d72
SHA512 bbb5e14b86b9633d3d9a46c26d465c2aaedc3ce36f98a06f065a3c53206529179c952f2d525c32f9e4a1704ba96a88f36225547ada91902f30a9df4195e0112f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4cabb80773c945d4698097f3da7efe34
SHA1 13c163fb73d31f046a2fce4b28cf2531e52f0875
SHA256 f78fcbb700a2f18eefde2d6c482f5438d4ea4195de00bee532d2478468ad988d
SHA512 574ca26775a28e28139547708664aae544de6814dec4e7fa0f96bea793efd67f7a19c57106316787745bb282e4fe020c139a1165f0b515f8b2aefd6daec5d6cf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 58fb71dce168ccba355b17dd542dc8d0
SHA1 bddbd6ffbd912d058f05781901e6a3d98350d17e
SHA256 b00ff013ec43e606ab7466264946f06104db53b0cff1d018f5f0ecf268f333d1
SHA512 925d42cf247e9ad05bfbed340889d4514923de95c66a6075802a173d5fe54a04e689dafef243766240ed742c81d5091c07067835922a1928494ff7a2027527f9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6ae6ea5970cfe714560ca216df70541c
SHA1 e8674c05859444a351472e49e37f7a3dab9ca335
SHA256 642deb3af12182aba27f68146b45c4e3f44ddbcfbe9e45172f256396760425bf
SHA512 2ac8932774dccfea804e7c552c64abf9f6ea3543534bd613cc1d586cbf25b05b6aed9923a68582b172bf338dbcf664fb84f5bd063c398b76bc12472ff0f70ae2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd7f2cfbe72d6c9bc4db0212f882c4a5
SHA1 fe1e61a1186a387ff4a8413e57a15db56c7cf0bc
SHA256 7db5b968483590e7d2b9c3d9e242d6262118435d8ad15d5d200a35c31bc56640
SHA512 0cecf5a3a00ba3107c5879db6875da6b0189b069054ef897025ea4a0289d8a2dc4f2b93710caf80b4290099594def737ac95f74514902d4114ebf09a2fe908a1

memory/4704-611-0x0000000005A80000-0x0000000005DD4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abaaeabfa6fb72fe635977bc8047289d
SHA1 817ee0e6d5a4d23339f0b0bc83fe182718c5cf7c
SHA256 a27b39b3af04102a7e49836ee7b0470cd50bca64d2bedff1c224af284565a4cd
SHA512 764f5a5695fb7f2f2dd1aecd771c4efddd05accbf5a08d85d29f830e849208591dafc4cec38f4bf8970059f2320cb86d6016a1fe492f999159202310e1f46bcb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15ebceeb08118b927fc40e5980381cd6
SHA1 0b5fa05b38b1f82a1c654e87361a7334aa1b6619
SHA256 9cf1856fe235694eade0fe4ccceaf16d8fcabfbecec530bf1879238687bc8a52
SHA512 a03da3e2e0a16ed477a33775d7fc4b3259a3894a33a1e1275d5034995bc8862dc4ffa20457f481477474f4dd61123d564304d0a9a5ac58a219fb6d51a91df608

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb4a8be3431c7a20f09afda78cd388e7
SHA1 3e48235f4be4b4066c8f2e07a92ff0b717c4a75a
SHA256 8b7c8337567ef4d90f29d68909f4653133bb1c1aad731585150065c29fff5732
SHA512 6212d29eafaf514af7687dcc3a32995f8792df0b9a3c61fb4d7da8711d9ef8f857e49cf7162383050e6516e8bfc058f372b059681a040dc0e85e04bea841681d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 67b09fcd5db00771cbf3b669eda11bfe
SHA1 a4821b5d56cb4447ecfea28ceb7e1d3f9232b50c
SHA256 3f76310559acabfb8e62804096445d3e3b8dd977174c135e65ff0855e0f87ecf
SHA512 9022e38b8857db3d2cc5557b1d7e712263590d5eca86d77282a1fc26cdafc335349fa333664d045997ce0b6cb52f2dc2f37f24f678ba5b452762d135c49906d4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 991517ece1e5d99551542019ef359c4d
SHA1 832235f3c6a3298f128aa75944b40078d7a5b378
SHA256 da98483adb830585c97671c7f44465a64b60a2f97c0277d8629f830524cf55cc
SHA512 95145f954641cc943e7aebb35ff5fcd1a9a66e4dcaead270dae751c35669ecd78d9394a0f358bbbf0c07db2c792b79e40c25c26c916369938e7bbd09f3240574

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7256bb3a8d77976ec41859841fb858ba
SHA1 1f590981a5129d2c646711afc246f9bdf827fac2
SHA256 bd5a7f90e6277931e3ba2feeed44799d81c159a07e8199adf8dac1ae61f6c8fd
SHA512 3f7c8b5705037450b6bb052f64feb48f36156390ce93b7b77ea3aac7d6414af9c7361b1a43cf6e9d9e427af581990aaee5d4d14b32bed5d45f52bec05cecfe4c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5574edeb47c46f702532dd10b3afce37
SHA1 1d9c208b104713961d26bd63f881b819519c2af4
SHA256 0a27d935461744d3ae952b242c9ea39690218370d63565da2e2bdee43f15daef
SHA512 b79db601a669ffadcb4f62f0e269661339953a131763fe3fefa09b378ce2541207fa80818cd1eac1bdaf0070aeecf974904b1f250755d4fc23e5b9dfbb63e164

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a1b382ea200d6627395f9dbeec3b69e8
SHA1 625f05ef91c4ebef8cb177a26f168ad83ca471f9
SHA256 5e1f8400c2194c798b2b726a6f8cd16aa0644e5c52eb2f57a618ecab96330eed
SHA512 63d1e0880f946f4accd3f555667feae588e36941ece1a8466bfc06d880354c09c23e4084d333e402bcbc9ba6c292a35462d103a3dc5ad2cc6b79470428c8f9be

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45b0da4bfb5dd4c6f2a0986c2d7e06b6
SHA1 0f092350af8ef42d33b4c6338db8fb1d1588d3fc
SHA256 979185cbb1b9199a5190338820d9c5fee522b502ac85fb328d4114f49de0b4e5
SHA512 a4c2c5cdde04f93cbcd969edc64b2ecb5ce17f8f14cb55f1e80c46fb2f0e9f6e6f6cc38adda9a2c14d183c0c6e1548a29e84182fe76141f45f909c79b43193a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c92e4ecf499fc1d23025dbf7ef7d86d5
SHA1 f4844982d200da72f08213e85d0da1a5a6caa040
SHA256 54ea61ee9ddcb1934cddd488da6a3beade9ea59aba06de630780a86723987d23
SHA512 88b80e34c5883b0fd2b7f017acffb98f8c413234587c62f230106f1a1ee9b1b822d891ff64549b170d1097c5d7a94b1fe705f35f7124b20d7613aa91ace13bab

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9e89a77a5334302bd58b9d52d2e6a0d
SHA1 c24d5bbf08fc172cf78539672d87fe8a94961853
SHA256 6b286d17c6af7ce01525d8c8cd7a9ecc44a315ca969dc93f84f9bfe0ecb98920
SHA512 fb373db135a98c9bb59771d72d94bb86d2d298993a4217e339bfc33c4c40374a0211129bcd081830f8878c4f7bde87aaa5528e25cf2890b2609062a0011710ea

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aac880e804538aea6bb250bb6e319e92
SHA1 17a0c3c228cb9722e9b506837890f46ab7a6b58a
SHA256 c4e0b831fa2128bcf4f2f1894c994f3be597c044e34e1ceea8ca5ab62e647309
SHA512 bc3dbb8ae85225e4cc383379ce42a5df5eb3700d25bf97858034211418a7636c0ff5a0a381f820b8b3b143bf0a043e22d255f07329319f605014bb5a15a03aca

memory/5248-784-0x0000000006020000-0x0000000006374000-memory.dmp

memory/852-881-0x0000000005520000-0x0000000005874000-memory.dmp
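The records above are the report's raw dropped-file and memory-dump artifacts: one path repeated with a different digest each time, interleaved with memory dumps named by process and address range. An analyst usually wants these in a form that can be deduplicated and compared across processes. The script below is an added example, not part of the original report and not the sandbox vendor's tooling. It parses records in the format shown on this page into IOC rows, validates digest lengths, groups the distinct SHA256 values seen per path, and parses dump names into a start/end range and size. The sample records are copied verbatim from the entries above; the reading of the first number in a dump name as a PID follows the naming pattern and is an assumption, not something the report states.

```python
"""Parse sandbox 'Files' records (path + MD5/SHA1/SHA256/SHA512 lines and
memory/<pid>-<n>-<start>-<end>-memory.dmp lines) into IOC rows.
Added example; not the report's own tooling."""
import re
from collections import defaultdict

# Constructed sample: four records copied verbatim from the report above.
SAMPLE = r"""
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb0c1c93990647c585655493ce89ac9b
SHA1 687144d5ab9badc2272e39c47749b1c6002887e6
SHA256 ae49cf643feb363780c50f3d8590f2f70671961bbc853d26187c9e07c21db164
SHA512 d87de862d7c8ddaf02c4b525a6d1e2567db7c02e02aa57b61a9b0c6d28889ee3dbe5c05df47d40dac96ad5591a81d59b81473ac4fa1568c37cd1e9bb306590b9

memory/2756-233-0x0000000005E70000-0x00000000061C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe0e9d3e00d3f0ac14788b124d4247a0
SHA1 d25beef87a217be03ebbbe3ba322954ad3720167
SHA256 4e730008d92bed5f7cf99896a5f1e42bc7ca23157eb9168530c83b15cec6d8c5
SHA512 d3166cca79d8eda54b451c53b824293d3d6bfb29d46c8b19c0afbdbf7bccc6a2d29c5a790b51a1cb5a9843e242f795943564fe21c5ecd5fb719f3f1e677d48cf

memory/5652-410-0x0000000005F10000-0x0000000006264000-memory.dmp
"""

# Expected hex-digit length of each digest; a mismatch means a truncated
# or mangled line, which must not silently become an IOC.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumption: the first number is the PID, the second a sequence index.
MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Return (files, dumps).
    files: list of {"path": str|None, "MD5": ..., "SHA256": ...}
    dumps: list of {"pid", "idx", "start", "end", "size"}"""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "idx": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h[1], h[2].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)}: {digest}")
            if current is None:
                # Hash lines whose path fell outside the excerpt (as at the
                # top of this section) are kept, with an unknown path.
                current = {"path": None}
                files.append(current)
            current[algo] = digest
            continue
        # Any other non-empty line is a file path that opens a new record.
        current = {"path": line}
        files.append(current)
    return files, dumps


def group_by_path(files):
    """Map each path to the set of distinct SHA256 values recorded for it.
    Many digests under one path means the file was rewritten repeatedly."""
    groups = defaultdict(set)
    for f in files:
        if f.get("SHA256"):
            groups[f["path"]].add(f["SHA256"])
    return dict(groups)


def region_sizes(dumps):
    """Distinct sizes of the dumped regions. A single value across many
    PIDs is worth noting: every process carried a region of the same size."""
    return {d["size"] for d in dumps}


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    for path, digests in group_by_path(files).items():
        print(f"{len(digests)} distinct SHA256 for {path}")
    for d in dumps:
        print(f"pid {d['pid']}: 0x{d['start']:X}-0x{d['end']:X} ({d['size']:#x} bytes)")
    print("region sizes:", {f"{s:#x}" for s in region_sizes(dumps)})
```

Run on the full section, the grouping collapses the repeated StartupProfileData-NonInteractive path into one line with its count of distinct digests, and `region_sizes` shows whether the dumps taken from different PIDs have identical extents; the two sample dumps both span 0x354000 bytes.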