Analysis Overview
SHA256
1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
Threat Level: Known bad
The file Thorium.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Boot or Logon Autostart Execution: Active Setup
Manipulates Digital Signatures
Drops file in Drivers directory
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Checks BIOS information in registry
Modifies system executable filetype association
Checks installed software on the system
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Modifies Internet Explorer start page
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Control Panel
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-02 10:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-02 10:00
Reported
2025-05-02 10:03
Platform
win11-20250410-en
Max time kernel
123s
Max time network
102s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "䑐凮眊칪舱\uf709\ueeb8鯿䈴띢ᆬ䫖ꋉ褰꾴闦轑ㄷ깈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\u3130⟘耆\uf268䐋᳒⇁\ue6b2క저\uebcf쿛㵛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "ꏷส捔ꊉ脱妙Ⱡ샟ꐬ\ua8de젰䦫㶠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "䟄愄慷㯑볣⼦\uef3f戶탪\ue285" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "륚⭤峳㾃ᴇ\ueddf䕩郍兕撄늎逘\ueb67ﰝ喢掖돓濪焮\ue06eሧ赈좐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\DontAsk = "\ue478͕͝ꗐ\ua7ce\ue148ꝢሐḐ\uf5ef▘㤵풂梀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ComponentID = "䚂䣆螱٘ꎋ땽畮鶢ಞΩ羚⃚㯀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "赑\uf7ba\uf4e4ᗅ쀾⢘ռ⬐⸠磜誰ᶻ笁₷射뛉뮭\ue6e9담ꩩݸ엦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "ꐣ湪❑弔됝䀠厜\uf2c9ࠬ㰊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "嵢Ῠ펾⽗찴ಝ竫考\uf395됕岯ࢩ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Locale = "礬扞⦑䌟繥\ueb4f랲뒽왘쥔眻讷位圥\U000b7df2\uee82돱ㅶ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "㛾惖⮐뗥紛ﰖ噘倝⾅㊟✁笢\U0004fd00\U000ba102镵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "컨ꏣ\u1a9d鐇磱ഩキ楷\uefdbޒ\uf2d8뇣䪶漢\uef31㔋춷翇\uec71攕矯ꎢꖭ럧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "쪆銹͕냻찒鮩\ue95f啍脈Ĕ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\Locale = "ϖ铈쁭⽐羲氮쳵ퟲⓤ켈鋒\uf129扣얐㴝냗䔥\uedbe⠑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "\uf678뷣磫㿍鶼☮鼔\ue84fՒ嗍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "\ued17贲촒⩆ꏩ롬ℍ뺌\U0003466b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "䚄⎉\ue5c3界ꄾ橕뻇麺뢛ㅶ\uf6e4阸䷯㼨▃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "孤\uf814ᩨ్뵣狡쾹틁द\ue2a0ꃵ鍥ừഎ딈⬡鼀蔐纥\uab1dﴠ闎⑷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "Ꭶ雥⽈ꗊ⏵禷ΐ枹䜆ꭢ槵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "ꆥ䴄ᕼ툺怔픉䕇輲ᅈꞽ◵\uec57ꖙ䤨ᙙ٩尓銍⎂䱲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "\ue5dd\uf897\ue36a\U0010e363맾岒\uf619姽쾟屵툝\uf0b7" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Version = "仭鐖⃛踩ສ높⺾㵎䫚팉១㉬駁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\ue7dd\ue438ࣥ焮\uf3ccʎ\U000cafb3堀云蒿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "⫷\ue2f0쬨礵原妿鈴鈷\U000c1088捉쩼團ꆋ㫿Ⴁ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "痎\U0007486f\uf7c4羚\U0007b8af謇ꪙ\ue4ff" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "⭗鬈꥟텗\U000bafdb言綧靈\uefe6\uf518뫇奫츍즰\ue172" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Locale = "Ꝭ\U000e3b96뮢筈싞\ue105偤쯥蚊슅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "耶垗ﹷꜞ븾멲뗹玶ﶇ㱒竘㷿着\U000670d7" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\IsInstalled = "𤋮\ue75a⸬\U0006de43⦧讆堀샸ࠢ袜ᦥ썁洛᧗㛩䕱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "棚ྼ䏼\U000f3135\u2ef7쫍\ue90a鎍狹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "뚢簦䀋ꝭ懭뾆汹暒\ue07e즓\U00044bcc浖Ⓓ玛\ueac8穀\U0006b922褼㩨밸敏푮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Locale = "ᾼ絚쳑퇢垤\uf53e娶㮝ሊ뀦纤篞\ue177\U000df9d4\ue779쵱淟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "殶\ue228앝༂랎ꎴ䷁쬘銘\uf854齁\ue26dᛌげ皚鼻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "飐⡊ړ긞‟尺䧪꽠숄ᯮ\uf312╆맇驞洸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "ﳷߒ䀡ミ\ued7a栀\uefcc댊甗쯔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "鳍餢ﭴ\uef28难\ued7bἅ\ue5eb놽㎸⇠玙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "㜗侫ᨃ䒽捣尿Sꢽ⦅蒋늝唵狐\uf6c6쐽\ue956DZ奰횻嫮\ue007\uee5a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "ꦆ㎝䩞࢞隴梙а\ua48fꩼﱛ幒孏ꕛ겨\U0008aa64譁뛸뛼竣駿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "閇髃\uf654閚𦒕ꈵ蛱晨\u0de1䡗ӿ璌Ȉ᤹쫖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "督ꬄ환鄦溇\ue769琸羱헳䘚ₐ\uf318賹\U000829bf禬쨪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "ꔩ\u0a62蛡厨匙䏂赚콴ጋ輟杏䷏읞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Locale = "\u1a7eꈓ쮛2갼辂\U00060b76럕糊\ue63e捃➾燎熿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "꣕辻풺뙚桷몣ꂦ㷢耰薦\uf231뮜䷸鱏\uea4e鰴틋ၵŋ⓫ꍵ毬鞘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "뽤슩ม쒽ꩫ⬿㠌걷똽坎镦\U0004d188쎿Α鵀⮪㰒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "订\U0010d7ba\ue58d與夁᧧寃늂̬錝۱贎Ⓠ\u20feஂ唱곞\uf6a2쯱楌\uedf8" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "ᶱ\ue78b㈒ⵔ\U000b2c11螵ꉪ㤂⇝ֲ炞ி鎠혭䙹苔鬲䀴夃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "뉂詷\U000c5d77앭䜜ᡀ⨍演陳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "蒀퇭礦瑎႙筡巩苑設⮂㢬Ⲁ抳ℏ\uf839륂倽귰ꀖ薬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "쿱萩葘䥣圁䘲쨨㴰闼嗭鎒\ue057袉\ue336稢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ = "𖺀㟘\ue1ba롧㮸\ue2e9ᅲ\ue476賃繵ﴴ鑁𖾟謎ᥦ옞࣐\uf2a7䝌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "ꎶ皞陗帇锵㏏羽\ue8eb㍡ᖑ햨겝窌ꥎཆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "﹒뇄Ṭ᳷礘殷춤હၶᢴ莪ॲ弚롔ᩁꇊ⊘鷠쨎㛙浴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "觽焧쐖鉛맥娓瞨Ṽꃳ\ue003ൣ볟湝倈㊚᫂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "빎K௮\ue7a4\ue48fꦎᑳ鷌屄⟧䡊⮌믬隮ꔽ㊞\uf867貒⭾⋳뻾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "ꭔ鲼猯㼮竪მ坉쟚㪹ꋢ䥰諌\ue36b\U0004205c괚攔嶽썬퍝⋓欄\ue0c5鏀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "㕶黯\ue0e2䙖⾮硋ኯ듡ﱻƇ薭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\IsInstalled = "횦ꏼ뮦Ц䐁苹স駈樈頛\ue4f6\u244c炙祐铣◄ꖡ蛵랛㰪㏹⪒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "栙導쏠節쾁ؼᘶ軑⏗뼭떉ྐྵ噪䦛贊ȫⵒ䭥芫䳘䲥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "㞮㰅㻢䲾࠸잵ꔹ嘘\ued10酁侃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "튜異繘伄⡒嶾再弔魒쏯\uf598恷ꒈ䝩ꓓ餶④\u0ec5\uecb3䫑뭽섴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "髰쇼\U00066c00ᝤ▾ꆞ們ꖽ\ue76d㣪櫅䅷㞯즄饶箶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "㯋处뚜\U0007086e孯룙쀮Ď虈\ue2b5ㅟ⟨\uab1f埂캙冀퍊ᯡ鋊џ焕\uf736甴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139}\ = "₀ⵖ峕ᕨ\uf103ꦭ쀞쾽協龳\ue077嶶\uf30d얶ꪫ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "Ἑÿ怸⯶\uf8b7\u008d\U00075121헕샑ꍗ䕮镟푏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "羞꠷\uf78f㜟羮闶몆ㄢᱠԚ吟燗ﱞ⸧殙˕樌띧溁塈ࢻꁸᄈ⥯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
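The rows above show the sample rewriting dozens of Active Setup component keys in both the native and WOW6432Node views, plus the per-user copies under the user's SID. Active Setup executes a component's StubPath once per user at logon whenever the HKLM entry has no HKCU counterpart or carries a newer Version, which is why rewriting Version and StubPath is a persistence technique rather than mere noise. The following PowerShell audit is an added example written for this page, not code from the sandbox or from the Thorium.exe sample; it assumes it is run elevated on the host under investigation, and the list of user-writable directory patterns is an illustrative assumption.

```powershell
# Added example: audit Active Setup persistence on a live host.
# Assumptions: elevated session; $suspiciousPathPatterns is an illustrative list.

$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
$userRoot = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Directories a legitimate StubPath should not launch from (assumption).
$suspiciousPathPatterns = @('\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\')

function Get-StubExecutable {
    # StubPath may be a bare path, a quoted path, or "rundll32.exe mod.dll,Entry";
    # return the first token so it can be signature-checked.
    param([string]$StubPath)
    if ([string]::IsNullOrWhiteSpace($StubPath)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-ActiveSetupEntry {
    param([Microsoft.Win32.RegistryKey]$Key)
    $props = Get-ItemProperty -Path $Key.PSPath -ErrorAction SilentlyContinue
    $stub  = $props.StubPath
    if (-not $stub) { return $null }   # nothing to execute: not a persistence vector

    $findings = @()
    $exe = Get-StubExecutable $stub
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $findings += "unsigned or invalid signature ($($sig.Status))"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
        }
    } elseif ($exe) {
        $findings += "StubPath target missing: $exe"
    }
    foreach ($pat in $suspiciousPathPatterns) {
        if ($stub -like "*$pat*") { $findings += "StubPath under user-writable dir ($pat)" }
    }

    # Per-user copy: absent or older Version means the stub fires at next logon.
    $userCopy = Get-ItemProperty -Path (Join-Path $userRoot $Key.PSChildName) -ErrorAction SilentlyContinue
    if (-not $userCopy) {
        $findings += 'no HKCU copy for this user: stub runs at next logon'
    } elseif ($props.Version -and $userCopy.Version -and $props.Version -ne $userCopy.Version) {
        $findings += "Version mismatch HKLM=$($props.Version) HKCU=$($userCopy.Version)"
    }

    if ($findings.Count -eq 0) { return $null }
    [pscustomobject]@{
        Component = $Key.PSChildName
        Name      = $props.'(default)'
        StubPath  = $stub
        Findings  = ($findings -join '; ')
    }
}

$results = foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) { Test-ActiveSetupEntry -Key $key }
}
$results | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

The Version comparison is deliberately coarse (any difference is reported); Windows only re-runs the stub when the HKLM version is newer, but on a host where the sample has already rewritten both hives the safer reading is to treat every mismatch as worth a look. Because this sample also tampers with the trust providers that Get-AuthenticodeSignature relies on, treat a "Valid" result from this host as weak evidence and confirm the StubPath binary's hash from a known-clean system.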
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\SysWOW64\drivers\hostsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "鼰\uf7ae왫핫鴅⹔斿㧵䭁텈垩ŭ瀖ࡰ餘꠹\uf2e7캃簍襵Ð" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "麙遦㲱𣼷⮡ᙺ䈿ᶱ\U000afaea⫨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT\Dll = "仆癳밅\ue34f։ע벚햅ے\ue23f䟆꽅\ue49d䡸ᬝﻋ绑㝌ﱤ\uf770" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\FuncName = "㔆꛶嚖昵弄쁚뗑勏롆ᜉ쒛葹ᝯ聾䣪ઘೖ꩹ᄇ쨪优豥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "\ue724㗠뿨Ѽ荌ﳉ鸷䆁㠪琏쫬ȹ廌ႊ죾纃Ⱃ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "흞햬ᅯ飑뿯ᅎῙഀ\ue804⇼\ue5fa愐⸂퍓䰿玄8\uef93狸坯뵺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT\Dll = "郵숏ᮊߵ⫋ꁦᢩ\ue779鰍\U00060f2c훑⊥娦띧鿝盪엡뮲ᶧ䷎꺼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "쳐縜睱둲ᚵ쬆末韐⼞⽚国跘棡핉\U000435ba몊㚧鐲壬ՙ㬂ঋ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "莓샔捴쑃\U000f85ee\uef22\uf34b⽼격" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.15\Dll = "閕\U000d23b5穸\ua82d焊劐䇘樋\ue5a0腭賫ꔙ萇ꪯ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "뀧힢ᚪ庮⬰\uea2d弩븨ⓕᥫ㌻쾰딞쫮뎸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "㒖裚爖\ue78f\U000efa87쨋ꂟ﨣铌獱閎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "ဖ囈\u10c6ᄍ㧚▐⯟遑䮼巏洂䡜̅\uf5db㐠퉻ᘈ빃ཊ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "髟玕叄죮퍄쩵ꋲ慭鯙퀘\U0005debe笥髫ą㫏푰㰟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "⯗ᐚ핪粇隬掓퐰\uf737棯귱璾\U00016098늂獺\ue26b澩뱚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.3\Dll = "勻ᒜᰖ쒢巏짻昀\ue2ff渿綨弫쁮\uf596갫\ue410킮\uf6f9ꊎᚪ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\FuncName = "\uec94ꃲ㮃쇯Ќา̼\ue4c2鱩\U000e43b2궵\ue3fa쪪\uf666썊㉿ቑ种葉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\Dll = "鑔刉憶←逗敷꺴潐碂쀼멗촷綾\ue5f4횼淇ዜ县\uf796˘눯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\Dll = "ﮨ⺧旽黕\uf6a1䨒錩🂁캣랤\ued8c藎\ue35a⌜\uef67錗\U0009e8bd⅗\ue256㭢\u181a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "퉿䕚몭N\U0003858b皛얠텠ꪻ\ueb7d⒋鎓쳜ᇫ뿰潅롗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "\U0007cd37䰭뵽김혭搂嵐\ue15d\uf38e厈膟썭\ue276䕌羙뽎푿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\uecd9\uf792뤩鮇根谳䶷壪\ufff2粍䈬뉺\U0005126e䋪ȇ\ue5daᣔ錳᱄鵳뉉䍠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "筏Ḗ橤긾\ue9b4ij犣褚\uf7fc팴\ue314䩔ᄉ磫㷧㤶盌\u177a\ueefc鄵兘쇓㌰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "랙㫺ૻ牼ﰡ襁꧔娴峚狹ㆉ主" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "\ue1a8샄푆˜績흯冊\uf1b8\uf51b扽⾪ṫ릪〣좥먠锞떣ᣚクᚆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1\FuncName = "⋉➬ᱢ\U000160b6﵇㼟佸燊鐘翸ޥୠᘣ千ሲ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "鏠\ue6d2㐨ꉺ\U00037bbfⱻ缓\ue1b2⭂\uf4ff벀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "鈝⅐䧤퉌\ue921蹛靚앺떒\uf7b8㦋⟤¨뚟﹉ଠ㴋뛼福" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\uf798\ue451\uf765\uab18춫ꔅ\ue08b壠\U0009fad8嚅鎏囱⦓㰪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "\U000f8fc2\ufff2㿬\U0005006eь\U0005c6ef⾀ꇢ冐윣䚫阙㐲ᖪ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}\FuncName = "羵㛛ᮛꬿꎳ\u0a55霆ͦ\ue236⋢繻膑\U000c13f3钫譙\u0d97惱藿끉뫼ᐔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "럺쥾䕗簾륧挤媨Ѐꈃユ冪寙㓮沋\u0ef8\ue157䋣\uf1a9곾\ue83b云\uf166" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "椀⌒䄥䖤ℙ偿⛉鳪ď\ued20\ue29d灒묜鰻葚✻\uedc6㑀Ⓦ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "竿不䐐ꓕ⫦ବǮ奈\uf2cc→칄ꫂ扆ⵡ㊽醪췝꓁嘀馈♰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "\uecfd褅컝ヘᙻᐇラ⤰\U0010da23㼁쉻\ue340笗댝容" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\Dll = "䙺\U000ab6bd疎⸰ᰙꛏ蓆\ue780ꊪ扃\U000ad9b0䘚\ue51bㄵᐳ霖㇢樱佫䠷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "慇価䐡㠴솭ᐫ뉆⏿fi暼걊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "᳒\uf516삂⢭面\ue5ee\u20ce\uf3b6ྲྀ躁瑬졖쒞萸眠縓᷇퇋醸쀌˓అ墊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "溁檺蕛筼ୠꨝ봨෨䴐ꬬ\U000d682d诔⋧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "㊶㙘振\u0e71吁蓂l稐쭦\uf244㿶\uf524𥫿蚹뙗\uf659埐ꔢꬑڈ趵㛹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakEcdsaThirdPartyFlags = "\ue70d⫳깘䭋\U0009009b\U0008513a裪睛\uf854\U000a13c2⸼箣\ue87b燾\ue805" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25\Dll = "\U000ddd6c䍑渂닣窆&悦掾㹩䇧\u2d74ᛩ蓴뚽\uf448蛰꾔ᐭ滋䏴\uf1fd\ue74d" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "屮죗立괱追抉䝌\ue0a4䄐㡃禨脐⸻䊊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "곮Ჿਂ\u20c1\U000fba1b\uee71爻\uf328ࡹ똞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\U0008b071զ✚㩾捌ᜐ\U0003fd52搀鈡\uef6a咶읤\uf19b᠍췘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "푢쫌罧憖\uf326ﰓ윁枪\uf6dc雖鮶㊻ꩫ䩄삎㓲詥㩀ꝺ簚\U000a8a5e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "麃顊\uf5c2歹䬊뇩㸅벺⻲뿞䫰\ue960쬑\uf3fbꏹ⇰ၼ텅ꘉὍ幆쉈ⶦ\ue6b0" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "\uefd7뷕놕剧\u1aef뤷绶玠莭⠰㑕𦮑靃\uee40醭⫱竱宣⺴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "籞𦝬ᩂ㊯段䤤\u1af9Ǻ\u1c38戲殠罷뮱ﱘប襡೨鮾ꞅ麇꿩\ue245" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "싩ႉ\ue8a9\uf003熢⥜ಙ\u0a37厁뤙၇㒱뼠莮㪠\uf0ffᶗ邬ԣ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F}\Dll = "엽嬐ׇ仼똏ㄜ振\ue2b0ꛑ䒉抮풂ᚣ醥밢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "<樀\uee50\ue5ef㞟脂憂\u2458屪횜難\U0009854e㑮鞾␘ᄋַ燒쎌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "囎꽢葕銺ꬉᾙ逪⮎\ue44a驼∲翪㶰銢起퍅崥풥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "薥왖耜⩬㯓烰\U00084f5aŪ溓\uef5a콪䫷晓䧝\uf8f7퍚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = "弉ᜌꅕ罜샒괥\uefee咩쥽瞢啑\uf594" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "㞥波ꄭ祓插ᘋ蒠\u0c64븮㒅窞ु㇜⠍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "쳖桨䱿\U000ede1b蜮⾓坱ꏶ삂콽믘\uf603\U000aa3f3ꜭ䏕顰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "ꃒ륍翮펒얮ꕃ솕悍䬪遡氄㰚瑡嵩\u0e7cՐꚻ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "큔ࢩ\uf7e9沈쭶졾剓꤬↞\uef7e孴嵋백뫯Ქഃ틡蠡⚅ꨶ⩔碦碱趯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007\Dll = "웓Ꭓ䴅륕꒼둀귎㬸\ua957䟧\uf7ed뒣ఏ앵퍿ᆳꠕ濩ꥄ菿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12\Dll = "쿸焁ꝴꍛ收൬ࣁ龮櫹㜓敩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "\uf473澱랳\uee1b浨ꙏ䛯깂ꉍ⥟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "蘙勄찧忷齄뗼\uebf9༐뙨腵Ӕ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "벢ꊜ\U000ad0d8\u10ce稱⒋馼ꇓ뽳ꦩⵍ䳮Ṇ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
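The rows above show Thorium.exe overwriting, in the 32-bit (WOW6432Node) view, the registrations that crypt32 and WinVerifyTrust use to locate SIP modules (CryptSIPDll*), OID encode/decode functions (CryptDllEncodeObject, CryptDllDecodeObject) and trust providers (Providers\Trust): every Dll, $DLL, FuncName, $Function and DefaultId value becomes a random Unicode string. That is not a hijack that redirects verification into attacker code; with the module and function names unloadable, Authenticode verification by 32-bit callers on the affected host is expected to fail outright. The script below is an added triage example, not code from this report or from the sample. It walks both registry views and reports any registration that holds non-ASCII data, names a module that does not exist, or names a module that is not Microsoft-signed. The subtree and value names are the documented ones; the ASCII test is an assumption drawn from what this report shows being written, and third-party products that legitimately register a SIP or trust provider will also be listed and need to be reviewed by hand.

```powershell
# Added triage example; not part of the sandbox report or of the Thorium sample.
# Enumerates the SIP, OID-function and trust-provider registrations read by
# WinVerifyTrust/crypt32 in both registry views and reports entries that do
# not name a real, Microsoft-signed DLL or that contain non-ASCII data.
# Run in an elevated PowerShell on the host under investigation.

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography'
)
$subtrees  = @('OID\EncodingType 0', 'OID\EncodingType 1', 'Providers\Trust')
$dllNames  = @('Dll', '$DLL')                       # values that name a module
$textNames = @('FuncName', '$Function', 'DefaultId') # values that must be plain text
$sigCache  = @{}                                     # path -> [bool] Microsoft-signed

function Resolve-ProviderDll {
    param([string]$Value, [bool]$Wow64)
    # Values are REG_SZ/REG_EXPAND_SZ; expand %SystemRoot% and friends first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Value)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # A bare module name (e.g. WINTRUST.DLL) is loaded from the system
    # directory that matches the caller's bitness: SysWOW64 for the 32-bit view.
    $dir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    return (Join-Path $dir $expanded)
}

function Test-MicrosoftSigned {
    param([string]$Path)
    # Catalog-signed OS binaries report Status 'Valid' on Windows 8 and later.
    if (-not $sigCache.ContainsKey($Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $sigCache[$Path] = ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
    return $sigCache[$Path]
}

$findings = foreach ($root in $roots) {
    $wow64 = $root -like '*WOW6432Node*'
    foreach ($sub in $subtrees) {
        $base = Join-Path $root $sub
        if (-not (Test-Path $base)) { continue }
        foreach ($key in (Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue)) {
            foreach ($name in ($dllNames + $textNames)) {
                $raw = $key.GetValue($name, $null)
                if ($null -eq $raw) { continue }
                # Dll may be REG_MULTI_SZ (several modules); check every item alike.
                foreach ($item in @($raw)) {
                    $item = [string]$item
                    $problem = $null
                    if ($item -notmatch '^[\x20-\x7E]+$') {
                        # The pattern in this report: random non-ASCII code points.
                        $problem = 'non-ASCII data (overwritten registration)'
                    } elseif ($dllNames -contains $name) {
                        $path = Resolve-ProviderDll -Value $item -Wow64 $wow64
                        if (-not (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)) {
                            $problem = "module not found: $path"
                        } elseif (-not (Test-MicrosoftSigned -Path $path)) {
                            $problem = "module not Microsoft-signed: $path"
                        }
                    }
                    if ($problem) {
                        [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $item; Problem = $problem }
                    }
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No SIP or trust-provider anomalies found.' }
```

On a host hit by this sample the output lists one row per overwritten value in the WOW6432Node subtree, each marked as non-ASCII. Rows flagged only for a non-Microsoft signer are not proof of tampering; compare the module against the vendor's own distribution before acting on them.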
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "刅\ufaf4殮琸\uf5e7䎏娶包큳\uf77e䧚씡ꔰ倂龵ࢄ㺪腥蓙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "᭄羈뚏배竨ᢳ㲡\uf04d\uf1c2哑꾟慟䥉嗶ⷆꄼ畧ゴ\ue082儬촹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\Geo\Nation = "櫹闆肪鷞ለ冏娋쾘ꁲ䍘㞪⬀ꅻ\U000afad9⍁㧳\u2ffd㭀啽稢祘\uec29" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "ᩓ\U00068fe6曫Ⴚ俵墬ൽ쳷숫ꆪ돱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "䘲놖菁\U000f3a40违퍯䎢韢代ኸ曌饢誗ᤢⶳ澎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "聢⯸톐䝥鹢\U000e4b08ꭩ鵼ᰆᐤ⮫寲為⏳䋔뾇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "춛蓼匲ࣘ蓋덖᪈䭰潈嵣瀫\uf3c8谐㶚⒭푟혡퉨꙳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "\uebaf\uf2f7憼聍隷羥㪻ⵆܚ죔\ue1fd똗\ue935\uf621\U0008fec7\ue757쥤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "뀸\ue999肪李\ue573\u0a57㕪늡⠼╥౻\U000cefc4謄˔\uf0e9쥇㞧嶽ᱞ窄ᑡ늡빌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "啫숶닧낊甽堟ᝆ溡\uf717㯂꾠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "쏭ꄢ\uf475얬\U000877cd\u1680\uf0d2部鍍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "㡭િ绀젊\uf806㺪\uf8d2阸睃鷇힀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "㓳\uea1e衁휦ⷰ㷅ၒ䤄萼ᗸ엋醱橍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "\uec32㍌땥厕諸\uede9汜塶װ㧞鼍婏漢書" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "Ⱖ덄\uf24d竔咶爐\uea7d\U000ae39e㨿䠇촞ꭆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "눞\uf39dᆱ遛\u0f6e䥈Ϋ쎣厬贆ꃗ\uf4caࠆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "漇쨔甧Č럀霠릓Ꜭ⧣\ue70c덀薀셝\ue90c\ue45d㓨㵵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "ꡖ璵抭\ue70e쾼뀉ᕶ膇芠녅\ue486閸\ueca0뫏j\U0007b6a4ർ温槀搡훟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "ꍡ빫\uf30eᮙꑎ쐸\uf5a6脯䲙뫉翑ࣀ䘳뤑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "떯努ぁ⃚ꗵ䋧蜰鱵癟햽ꆶ爷宺⢆賘Ṙ跗於榪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "礴ݹ\u0be3畇行ꟹ\ue3bb㙖顚楒J盲姩蛲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "쑚鴱붡嗮ᙗ册쿆\u3100峪奼仸꽋굅\ue96d\U00055dcb" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf434멢赇┼\ue711⡟앳\ua956\uefc6ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification (17 times) | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\configsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification (24 times) | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\msmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification (3 times) | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification (17 times) | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WallPaper = "Ằ﵀\ue69d祥蕙㙰ꁪ⢉깰㞒礴֓\ue396ꅰ㐺붫ﳳ\u0530煔촱鰼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Internet Explorer\svcagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\configtool.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\svchostcache.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Network\netserv.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\svcbackup.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\Connection Wizard\server.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\thorium.ico.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\syswin.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\logsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\hostagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\INF\infhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\INF\driversvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\bootcfg.dat | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\winoptimize.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\taskfilter.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
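The three "Drops file" tables above (System32, Program Files, Windows directory) give the on-disk footprint of this sample. The repeated powershell.exe writes to StartupProfileData-NonInteractive under config\systemprofile are PowerShell's own startup cache, written whenever PowerShell runs under the LocalSystem profile, and are not payload drops; the rows attributed to Thorium.exe are. Several of the dropped names imitate legitimate binaries (fontdrvhost.exe normally lives in System32, not in Fonts; server.exe, logsvc.exe and the svc*.exe names are chosen to blend in), so the full path, not the file name, is what to hunt on. The script below is an added hunting example, not code from the report or from the sample. Only the path list is taken from the tables; everything else is generic. It reports size, creation time, SHA256, signature state and any running process for each path that exists, then groups by hash so that copies of one dropper show up as one group.

```powershell
# Added hunting example; not part of the sandbox report or of the Thorium sample.
# Path list copied from the report's "Drops file" tables (the report writes
# C:\WINDOWS in upper case; NTFS is case-insensitive). Run elevated.

$droppedPaths = @(
    'C:\Windows\SysWOW64\configsvc.exe',
    'C:\Windows\SysWOW64\msmgr.exe',
    'C:\Program Files\Internet Explorer\svcagent.exe',
    'C:\Program Files\Internet Explorer\Connection Wizard\server.exe',
    'C:\Program Files\Internet Explorer\images\thorium.ico.exe',
    'C:\Program Files\Common Files\System\configtool.exe',
    'C:\Program Files\Common Files\System\svchostcache.exe',
    'C:\Program Files\Common Files\System\svcbackup.exe',
    'C:\Program Files\Common Files\System\syswin.exe',
    'C:\Program Files\Common Files\System\hostagent.exe',
    'C:\Program Files\Common Files\Network\netserv.exe',
    'C:\Program Files\Windows NT\logsvc.exe',
    'C:\Windows\INF\infhost.exe',
    'C:\Windows\INF\driversvc.exe',
    'C:\Windows\Fonts\fontmgr.exe',
    'C:\Windows\Fonts\fontdrvhost.exe',
    'C:\Windows\SystemApps\winoptimize.exe',
    'C:\Windows\SystemApps\taskfilter.exe',
    'C:\Windows\bootcfg.dat'
)

# Snapshot the process list once so every path can be matched against it.
$processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath } |
    Select-Object ProcessId, ExecutablePath

$found = foreach ($p in $droppedPaths) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
    $file    = Get-Item -LiteralPath $p -Force
    $sig     = Get-AuthenticodeSignature -FilePath $p
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $running = ($processes | Where-Object { $_.ExecutablePath -eq $p }).ProcessId
    [pscustomobject]@{
        Path       = $p
        SizeBytes  = $file.Length
        CreatedUtc = $file.CreationTimeUtc
        Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Signature  = $sig.Status          # 'NotSigned' is expected for this sample
        Signer     = $signer
        RunningPid = ($running -join ',')
    }
}

if (-not $found) { 'None of the listed paths exist on this host.'; return }
$found | Format-Table -AutoSize -Wrap

# Copies of a single dropper hash identically; the group count shows how many
# distinct payloads actually landed and which hash to pivot on elsewhere.
$found | Group-Object Sha256 |
    Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Compare the reported hashes against the hash of the submitted sample: a match means the file is a straight copy of the dropper, a different hash means a second-stage artefact worth collecting before remediation. The creation timestamps also bound the time of infection more tightly than the sandbox clock does.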
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
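The signatures Adds Run key to start application, Modifies system executable filetype association and Event Triggered Execution: Netsh Helper DLL above point at three registry locations a responder should check on any host that ran this sample: the Run entry named "Windows Defender Firewall" in the WOW6432Node view points at a directory rather than an executable, the batfile shell verbs (including shell\open\command) were overwritten with random Unicode, and the NetSh helper list was read (only read, in this run). The script below is an added triage example, not code from the report or from the sample, and covers all three. It assumes a clean Windows 11 host has "%1" %* as the default open command for batfile, cmdfile, exefile and comfile, and reuses the non-ASCII test that matches what this report shows being written. Per-user association overrides under HKCU\Software\Classes are not covered.

```powershell
# Added triage example; not part of the sandbox report or of the Thorium sample.
# Checks Run keys, script/executable ProgID open commands and NetSh helpers.
# Run in an elevated PowerShell on the host under investigation.

function Get-CommandPath {
    param([string]$Command)
    # Executable part of a Run command line: a quoted path, else the first token.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+', 2)[0]
}

function Test-Ascii {
    param([string]$Text)
    return ($Text -match '^[\x20-\x7E]*$')
}

# 1. Run keys in both registry views plus the current user's hive. Anything
#    whose command does not resolve to an existing file is suspicious on its own.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$run = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $exe = Get-CommandPath -Command $cmd
        $problem = $null
        if (-not (Test-Ascii $cmd)) {
            $problem = 'non-ASCII data (overwritten value)'
        } elseif ([string]::IsNullOrWhiteSpace($exe) -or
                  -not (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
            $problem = 'target is not an existing file'
        }
        if ($problem) {
            [pscustomobject]@{ Area = 'Run'; Key = $key.Name; Name = $name; Data = $cmd; Problem = $problem }
        }
    }
}

# 2. File-type associations for script and executable ProgIDs. The stock
#    default open command is "%1" %* ; anything else means double-clicking a
#    .bat/.cmd/.exe/.com no longer runs the file as-is.
$assoc = foreach ($progId in @('batfile', 'cmdfile', 'exefile', 'comfile')) {
    $k = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    $cmd = if (Test-Path $k) { [string](Get-ItemProperty -Path $k).'(default)' } else { '<missing>' }
    if ($cmd -ne '"%1" %*') {
        [pscustomobject]@{ Area = 'Assoc'; Key = $k; Name = '(Default)'; Data = $cmd; Problem = 'not the stock open command' }
    }
}

# 3. NetSh helpers: netsh.exe loads every DLL listed here when it starts, so a
#    missing or unsigned module is a persistence foothold. Bare names resolve
#    to the system directory matching the view's bitness.
$netsh = foreach ($k in @('HKLM:\SOFTWARE\Microsoft\NetSh', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\NetSh')) {
    if (-not (Test-Path $k)) { continue }
    $sysDir = if ($k -like '*WOW6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    $key = Get-Item -Path $k
    foreach ($name in $key.GetValueNames()) {
        $dll  = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sysDir $dll }
        $status = if (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'Missing' }
        if ($status -ne 'Valid') {
            [pscustomobject]@{ Area = 'NetSh'; Key = $key.Name; Name = $name; Data = $dll; Problem = "signature: $status" }
        }
    }
}

$all = @($run) + @($assoc) + @($netsh) | Where-Object { $_ }
if ($all) { $all | Format-Table -AutoSize -Wrap }
else { 'No anomalies found in Run keys, file associations or NetSh helpers.' }
```

On a host that ran this sample the Run section should list the "Windows Defender Firewall" entry (directory target) and the overwritten MicrosoftEdgeAutoLaunch value, and the Assoc section should flag batfile. A clean NetSh section is expected here, since the report shows only reads of that key, but the check is cheap and the same key is a common persistence choice.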
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened (31 times) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened (33 times) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "㰮֫怵⊠匴ꍟ郅櫏‸ጡܕ夂ﶫ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "穝ᾙ펔\ud7a6\uf866浅䣃鋬馲ꈚ\u0de4쏌잟㱊\uf122" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "쑹쭁ꘘ㧒䨖啳ⶐR頄㢵䗪줠孕Ҧ\ua95b᥌\ue5e4縚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "嬥呛ভ\ue8c0䩡㟾᳥\ue6e4睫ȼ폅熅ᝊꄇ犒\u0ffa铎ᫀ倐믗鬎詠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\u1cca뷔㢪顧攭뉢啁ㄘ鳌᮫뒁錮飬\uef69䚙\ueaba⎭괥Ἃ蟟\uf8cc" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "뎧Ậ隙\uee32\uf6ac쟗爝뙅↋眘\u0eda\uf0f0ȴ顸륏\u20f7\u0086嬟佥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "ோ⦕缿달ꧬ୲啖ঊ\ue951秣ꇦ몺\ue982ꃫ㠅\ue780藯뤫\ueddf秡\ue33d" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "\uf166囘샨䉛⪹䏻\u0ee6䢫ꞷの딓\uefc4죒ꬰ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "ꋠ\ue621\ue9b2鿸ἀꓢ聉삶朋鲉ᅥ\ue893䪝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "젂᧱縵懚㽸쳬눢ﭑ럂붎⼣蒇㨒㮕紕潰趸嘫" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "덓톓뛗列鉝汻\ue6dc\ue565ƚ᧑홬㏑譯涸໔\uf3a2鹶⋷\ufae5鋻⟚㷇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "㬊㟠窗ѐ굊캣㞽〈仱匔ꭑ押⢯좾渠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "ẛ\ue399瞗놷펧덩\ue4ae孔擭逛﨨\ue005喼㰭ㆸ繧殺勼骿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "鞃㢶戻文ᓂ⇖甁믍᱅弬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "轳\uf04bﱜ\u1c4c\u0c54ᜒ鳳\u0ef1娂挷ꬃ褧䚥鬶꣧ꣿ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "珞ꌛ⺅ꭧܫ\ua7ceЯꤨꄢ䕔욻᯦ឹ㰋\U0004501a㶺첦兞\ue506ꚳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "呵⿰酇⣼缋₤탪闊\uee51擏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "\uf82b䀄\ufb07⃯⯘줆윊徴\uf51e蕾瑆碯즾歫籴㲟\U001059e0ꈠ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ե㝰䔨\ue9cd\uf4f8⟄餡舁횽\ue5f9" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "е⟴섐趋쾦陹⾾\uf6bd쿲ˊ郦\U000d73afꀥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "脓鱺틆ᮖᕍ哺ꌳ⎺鉳콋\uefddᶴ試矪洳셷ᵇ䅟췌氾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier = "⸓㩕钹⑾茋\uf071\U000ad90b駐\u244e\uf455⧏㦥쩫㭞౹힗␎꼸ቊ䀇轞⥀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = "️奲𘛼톥ꛏ⠪쭠⥊﹡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information = "߰\U000a7701䯍\ue36a왆\uf543Ⓜᥥ돕乛憆䋙\u2002ҁ젨⏫\ue784紜♬鍺秘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "戒綷赊ʲﲤ\uedbd\U00076b5d\ue0c9⁶蟐\ue75f侱\uf703닳屸卻죆╜ޖ谨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "Ἠ䴰\U000f6acf븇\uf328\uf67f춁篟\ueaef㘚\U0001d273픊瑹鴙鳋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "豌衴鶬芯늰\uf3bb\ue899ꋝ棶淤顋뺣᧣䜟홇䇹Ჿᗽଅ䇔䠾儜漤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities = "㜿麼풉纊術㣌럿잗툫\uf139穳\U000978fc씛䭑\ue3e7⒘᧷軦༫蕊责蹢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "ퟏو\uea4d㿊৮⨐ᗛ亙늇斪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "퓿➫\ue91d\uef67볨퍈⌃蒅㭜蜙㽄W현厱樔士蜀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "萣⛔笓巺竿㟖圔歔\uf3b3ٌ㋛䷋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "祰㇚層\uf027꠩䅪\uf0e1䊻\uf11d㾙쪥⚷쓶컐\uf541" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "\u218d戍덌䁵\ue069ᚌ끑羸駉戆慢㬹\u058cဍ\ue623鯫" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "䯇覦偧빃紖ꆩ悾온\ue7d2㪍絹䪈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "뷦ꆺ貥ᡉ㏘匘맅\uf2bb\ue151刀敐䘿놢埫鞼ꂦ됰㱕뙡벩⁈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "图䃪\U0007a717俕ᱛ㔦떀쑃멋摈ꙣ鳘깨䆖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "뮛\ue4a2槨ᆎ魸㢆⩤夻⏿쬝ꃦ堶춒ࢅ긿虌秗\U000e8be8븛ස" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "饧䓩\uecb5ⴆ闁ᵏ\U000a0efc욷煱࠹ﴇ℃檝芮⎚\ua95b\ue80d伻鱀斯圕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "뼚\U0005370a䴱偉曫쟐믱緕⌬\uf54b\uf31a腐㬠㛗륨뜹殢⊼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\TranscodedImageCache = "㨙㔺\ue770磎鸅ꂋմᕘ겮巢存埏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\DoubleClickWidth = "흶ᓐ쭋ゥ\ueb3eꝡ吚䮫輼♓整ۣܲ奞轹ぱ\uf2fc檓ᇈ盋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\0\Description = "⎚\uaaf9솮熲\uf6a4\ueb03㵥\u09e5誩댷鱽̑\ue9a2\ue62a욮수讞惧\ue735䯺퉅ᾟ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Description = "讔\ue901ᝯ變흆\u1af2헜籃傯覯\ue2f2룪ᶊ䅺\U000cdf37\uf545\ue2b5䲛졄饤꙽" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\5\Policies = "\U000e6b72确\u0fed瓧谡⟋錄១ꈄ\ue97e\U0006f42e\u0dd7㜆ﰓ岕ꆺ즒삦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\DelayBeforeAcceptance = "\uf79f\ue734몂ⶾ\uf501뮮\U00096890‐푶盁喺ꘗ⟨䛹\u18fb鸹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\TimeOut\TimeToWait = "㭹ᣨꓝヌ쓹뤷䥚墕眗\U000d7634鎆僭慃誵쌰뙒去\ue0a0" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\LastUpdated = "Б\uf734輰昧훾鑉켠哵\uf865ᛥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveBorder = "\ue66c\U00046b32姪耸䥭먬䏍鏜ꦛ둔꩜ᗟ㥚ί囱\u2431칆\uf2d9䭙⦇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\s1159 = "\u197f䀔ᷙ唩\U000e6f61ķސ1슕輱᩼锵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\SlateLaunch\ATapp = "告Ԏ綾魍诌嚖\uf3b7釿眂\ue5a2冧堠ㄦ\ue7d0ՋЗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\BounceTime = "ꒀ꧌\ue9ed儔趫\uecbeൔ췋\ue4ac欣\uf81a瑂\ue735伐缴\U0006f2d2嵭Ӟ卪䭽" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Delay = "奐砋⊟寲嚫坋\uef5f釵耜ਵኛ濆ᷟ븺Ȫ\U000c3191鞀㽇\uf4d7著⬟응\ued5a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "鮡鞡쬧癎lꃻ㺂빎材\ue2baⴼ\uf6ea饣방縆펻瀬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = "뾞쯔죆௴㚅㪚䨒\ue709곬혽恠⼘㷰뉼\ueda8㧂䗻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MenuShowDelay = "虪靦렉ᜈ瘱㛬⤓✅퉜䠕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\Menu = "멻ﻖ䞙▚\uefe9촳捳铑ꇢ兜㙹㜈㛄ꦢ诟筻萝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "櫃\U0010baae\ufaef튿ᤪ히鿄㈤㣁棇릫澫䊞\uecea⟐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\SettingsExtensionAppSnapshot = "蠯\uf7e1勤뱤\ueefa鉔ꚶ㶰ɖ\ue2c6蘠挻༈瘩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "ꮌꗓ\ue92aꉻ늟ෟ辬\ue80a튞憈ᆱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sMonThousandSep = "볼ꇓ೫脌≤晃荣⾗펿胳\ueaf9䤜cﴚ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\InactiveTitle = "蔓学ꑋ绎왶\uebe2\U000ec440奔捁Ꮸ蛣缐봛ᷡᘑ禗ᛤ킷藦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sCurrency = "\u2062ᅧ垣⩝橔끿\ue750姭⥖\ue799㘱痔\uf0dd" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Sound\ExtendedSounds = "ૅ嗓፠梂㋊ᘽ蠒땞욡勧\ueff5擲\ueb03\U00080ddb薉\uec1c佖륏\ue637" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ActiveTitle = "㜤泉㕱⎥愔\uece0δ謟䶭ꤢ፪㱊\u0ef6ᦙ롟쇞㷇\uf3ec" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Help = "鿎蘽䯑벾穣\ue37f뚇块\uf89f끮ᄚ¡袨梟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragWidth = "鄰뀕ﭼۊ蜴\ue82c断匸릥\U000418bd쳋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\TitleText = "諆鐬닱㸖Ƅ쫞璕䱺௱뿚\ue5f7췑谯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iNegCurr = "勖\u0095蠓\uf64bࡑ\uef5e㗒ꦪ瓣럮矩덣֖렞\uf3ba\ue2bf㴦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile System Backup\ShowCasing = "䅩\uf69e\uf3ecY彬凥둨椃ࢰ谚悬䮅ᖱ搖뫇ﭒ戕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\MouseThreshold2 = "핾뻹悽\uf8a7Ͼ脗⥶䴚\ue300嬛ध\uec29\ueeef깋昢屠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\ButtonAlternateFace = "뿦\uffd8\uaa3e촚쒌馬ᦶ෯\uab19ㇰ硌懻藆뜳\uf746" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientActiveTitle = "⡽\U000f2bc3琹뾷襪\uf734ↆ擀방\U000d2140삡䴃뙁쾇즆\uf357\ua4cc" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DockMoving = "皛ꃪ諭\ue936무มɕ뉼씲䳊庰ꦓ\ueb7e쏕\U0007d714떿\U000f3386ﭹ禩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\DragFromMaximize = "\uef12㷶\U0009847cꊮ鿿ᩧ㏾惁﹄ᎂ폙変笖㞶肳ᒦ璍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\FocusBorderWidth = "斏쒮뎲\ue513艮宁\ued85䄞뵀탩⪀孃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MaxMonitorDimension = "⽨㮣퉨Ⲭ鋐⭌鮮뵬㋎ڳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000202\Target IME = "ꢜ\ue456␒㢂ᠱᇃ哨\ue128駆묍拱ﵷ밵ꈋม鑵\ue5d5渢궹푉别漸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Mouse\SwapMouseButtons = "텟♎똄償뵥ᯙლ˔\ueb41ﺹᜊꧮꖤﴏ鶺鵀⚱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Colors\ActiveTitle = "忼࢘뫙䵊틥湒ᲁ廂姉౿\U000675c8" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\1\Policies = "ባ禀內\uf277菕鬭왢솧鉗蹻\ue7f5⚓\ueec1솋淿㎳ᔺﻐ愅\U00102724圉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = "℔ᜥܵ暸靸咻냂൛\ue439⋱ᨚ쇪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\MouseKeys\TimeToMaximumSpeed = "崪弙\ue042쁵㠘놖퉫\U000ae148鶼ౡ쨦ᰞᩘ㕭⑭磁褽楛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\CaptionFont = "\uf3c6᯽獾軤㟝Ⴄꟻ\ue604⡥鞧\ueee1뎺\uf38c㴛\ueb7b㭂䏘米喁\ue6cf쾩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "嗫鮸낃ﴯ鹧\uf190厑綪\uf01b荋曁飑՝\u0b97힖䆰ⶵ뀜笒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "䈪へ㻱뒷ຆꐝ粥웒憩㩺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\IBeam = "ꅓ濯쇠䝜䊸훩糉냡ო탽ㇿ획ꣶ䉩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WheelScrollChars = "桷ꉟ恷ꠄ黦\uf8a7뛹怦슘犰䊻沍럌膘ả" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sTimeFormat = "ᓩ궱ᮙ莡﹦炾㶋\U00074e80\uf508㔴ᕸ橔ጙ풢죦\ued6e몜쨔\U00012f55䛍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\User Profile\ShowTextPrediction = "≂긘굕ꐄ\uf221䔑鑓祇鋾熮읇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "芎\U00100361쒞〒ꔏ钮휑텞䟐띕㸡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "㗋餕碝곪畩鼊鮋렢쥞ソ癊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\ = "梌\U00095ddc\uf830\uf397檩\uf5d2囹⻭嶨嵞퐧곹\uf31b\U000d7576璂왯\ue00b湺㣇\uef8d┓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\ClickLockTime = "\ue2ff冢ֶ뫠\ue19dꟖ龿⏱\uf80cወ䝷车℉\ua4ca綾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WindowMetrics\IconFont = "帊⻯⎸솦䎨ႊ㌡ګ鬝\ue4e9渒蜒\uf293蔢\ueace셟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sYearMonth = "拢㭊\U0010b3bb깃\U000897bf怦꽿퍟䎧桧\u2e6e䇏薭솟ꄬἙ脇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\iMeasure = "ꇻ睺칝フ圽燆ꤸ海㰏樏켾팩由ﲓ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Colors\GradientInactiveTitle = "敜礄ય⑀챬꒦뭵ㄺ夒맊⍖传剋嘪둰㬧\ue942촹ὴ\uf730書邨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = "㙵櫒䀏ꆤᡢ\ueaf2計쌞괆\U0007e74c퍂᳧䜴ⰷꣷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "\ue2ba痽ꑵ鈼뽲惄犈㊔㿜촄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\Hand = "ꅲ黖環ら䂇P\uea83ᓏ\U000794b0쳁탃달" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Cursors\SizeNESW = "\uf21f鴡绻瀍ꎙ塼뤎\U000645f3끇尚룦髾曍贈ퟮԃ誁蕙ṁ귘։伐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Input Method\Hot Keys\00000010\Virtual Key = "鬏賓ዼ녺适查邗锳೮ᑡϝ桔뻗\ua4c8痈蚘냕泹䘔꽕\U000e8f17黈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\International\sShortDate = "嶇ႝ捦瘤\ua7d4ⷨᆨ쯇磪\ue019♛倬⡇얦䪇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\U000955f4뿗㯞莱禬湪磃贮野" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\FWLink = "ἥ庯끑\ua4cf䣹ꭰ엢뫞푌\U0001a4be\ue19a䝑쫭剦괠봵\uea87" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7}\BlockType = "㒶癒➰庹ၑ\ue10a웸鼈쨟哤\uf58bꚨ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8136114F-FAF9-11D3-B0D3-00C04F612FF1}\Compatibility Flags = "狆ꀦ႓㙮⺋撔\uf4ce✙㊉腃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\PlugUIText = "庈⣟끸ደ该寑轙\uedc0㋷皜ꔽۍ謿廖\ue36eꑤ埙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0\HKeyRoot = "\U00019671ឬ陦榇疨젂ꄈ㽗얞皦期脞➢ﶔ솳傍踰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\Version = "㴫꩜ϰ鯖ꭇﹸ쓢糪\ue1bb绗겴播𡒽힣廄\U000d5f7f䩦氕ⓓ蒜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}\Version = "ড়\uee72啊Ԭ黾တ醋ꡤ섉ꕘ禗飝겝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}\CompatibilityFlags = "뮮Ⅱ옸뗕\u1ae6饋뼁ᙁ蝏\ud7c8\u0edb쯻\ue064ŧ〢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ButtonText = "퇢\u20c9䐭躚醈裆悹⣔㤔⛠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ErrorThresholds\505 = "䫓藒꼮鞛\ue3c2勇\uf262\ue6f4곶딊荌㕿Ǚ싄뜪펹臃煿㞚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4F496A52-13F7-483D-B5E2-0FC4AA567749}\Compatibility Flags = "侀\ue499뼹摘ϴ圁滛哟ꇁ鷐\uef7b竁\uf632牴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\Type = "檎\ufde3盙ꦷꧬ걕䝜\uf16b筌뉌ⶸ舔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C}\Compatibility Flags = "폔갻誟繀\uf864\ue45c冴穕\ue8ab\ue439" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND\HelpID = "轂챩츟揼䦞༤㞍欦聘\uea87\ue564\ue364龰\ue2c5ퟮ哆䶭䜹憗䩈뺶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\ue0f2\U000f3f72穣㴞ঈƕع垛駚哆㖝\uefc4Ʒퟶ犷Ꝙ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}\Policy = "뻸颣㠼昿휣ꕩ⦾絣ɹ鸼㹒棜ἠ㮴\U000f4a8cﮞ瘇இ敂蟼嵅䗜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "䩎軭ያ뇤₩⊷ఝ훈䡧䨢▄筋봖%" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\outlook.exe = "\uf8c2큺䜆㸛陬\uf4bc殤鬳阓爩\uf1bcḜ써ᩘꬅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "ᑩ휡뻻茓⤝⟇\uf80c丵Ʉ눐䅥袜쎪跓਼\U000f1bd9㮢驣၁읅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "טּ☦쿕\U000b10ea飭倌孫ꔪ댒踔尧\u2450쏜력Ꝣ液ຝ킸㱓瘖婧\uf232" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\ValueName = "륔睝ࣚ蔥䜠䢗\ue362\uee41瘖偖猥訟觬ꃴ芃⤚蝅曏娞变\u0c75" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\BlockType = "覴鳆勩㢋扝敽蹊輋ﴠ鋙䭮賄吸䵽珢蟕笈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable_Disk_Cache = "Ꭰ\uf157뾸綴뼐씞\U000129ab쇋全으⯔睒奦䧻╪䒾蚊옶ଘ\ue467" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7DA087-B7F4-4829-B038-DA01DFB5D879}\Compatibility Flags = "苤“稸骘節䇛췋渫\uece6믦쨠ⴚ褩煐䦀洱軻뱪뚅옺\ue437パᘕ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\RegPoliciesPath = "䎩룸\u0ff8茠쮚龅\uf8dc\U000d0382䒌⁘鼯㍠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "侐療⮂ﴍṕ硩嬨믥뻎న觧뤂쮻뉖\u0cf4饠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{124D001A-BDCB-472F-AA59-BBE7E4BC3204}\CompatibilityFlags = "᠍㪐˰\uebcc\uf035㓺賢蚐次왕ׅ䎚‣鹣\ueeb8훎㋃㟍ᖭ粞⬺꪿鏕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy = "\uedef펧谑ᇶ艪\U000b5d27\uf847\uf0ceᰫO嫤\U0003a2d1崟\uef81縑⒫ᥭ횹逍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "萭쾾㮬淏\ua8caヱ㞁\uf3c6숆夰쨪﵃♉햙\U001098d4栈흥\uf207㠰帐ᦚũ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}\Compatibility Flags = "䟍꒟灗\U0008ddc2蜜灶橿藨믣㛌柁黳\ue423⚈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3}\Compatibility Flags = "룂镶鴃ꤡ隞谅൴垭\U0005a206ቘ蓭琞뻹\U0007ffde" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\FWLink = "\U0005fbf8\u0c65ꙩ纖佋㳨\ue504鐤엦䪸걔㴲迶鯖䜩既\U000d0afdᨆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\* = "幄\ue42b鸾퍂迷ƒ\ue20c歛卑ꅉ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\UserAgent\UserAgent = "ӌ\ua7dc䈃绗콆꿯酔협嶬\ue90eꌊ❏뷑ח⇛鴓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}\Compatibility Flags = "\ue5d1攔蹦䧩ᬀﱳ韫秨䫔⧟괲錴넠涄\ueb2a\uf4f3ꖅཤ瓇鸁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221}\Compatibility Flags = "铷앉痚蹅댓ࢤҬ蚎绨洵ₗ⒱健犋䩛ଯ舉缽鶊☽ু" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\PlugUIText = "퀇洔\uf7b7崎쏓\uee74\ue549\ued74\u0d11葂잂췡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\UncheckedValue = "ḹ按즮늭\U000cc135磌\uf59b꙽䙉\uef0b☭蓟瘴삳鼏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FLIP_AHEAD\RegPoliciesPath = "\U0007ae2f㸒\uec57ᄉ\u12b7笡꜅킵\U000d5e04䕥䓾亩\uf4ac৶ⲫ\ue745ꅵ㳴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\SOUNDS\CheckedValue = "뜴컥\u2efe㍋洩떡亘\ue798ⶦ뿄뀃㝍郰荒可즕弼\uf331" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0C1E01A6-7923-46D8-8E3D-0F62B4A0250B}\DllName = "\uf6db黍ር謺馸품n懾ꨩᆅ\uf685⧩聓뭊ꋜ鷉⦑\uf6d7ᗣ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8E929F51-5914-11D6-971F-0050FC3F9161}\BlockType = "ᮄ瀳⎃ᔟ̐䐡\uec7bᴾ\ue331胦寀탹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB049B11-607B-46C8-BBF7-F4D6AF301046}\Compatibility Flags = "า嶁ꦮ瞫ŵ▝\uf1f1ᅤơ簦鹀\ue8cd沢뀐ꎻﮘ熏˕寋뇴ꗺீ䤶託" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE4-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "泸ᴴኝ䥚\uec44\U00038e62ퟳ눅፳ꔰ쎾\ue1f5" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\CARETBROWSING\RegPath = "淮ዶ틴\U00038718䫍䦬ꪡ僑큵ԟ䆙夦ಖ괈⸇\u0de1\uee87⺗廮\u0a62" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\CompatibilityFlags = "\uf36bկ쀦碁竽䌏駌ⅆ큙ᑇ㒅畲튜\U000c6784⣷摪虴᙭៵ﳍ꽋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4becf16c-74f0-429b-8d3e-4fba507ac661}\AppPath = "㱒㯻钣ㄎ靥焼Ḩ䯕⸬ዓ뫦ֈᨊ鑔耸\ua7e2꽦駶⑲\U000a8818臶ᱸ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\iexplore.exe = "鹻퍖축羓锛컪蕷뉺侟髿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{e0f158e1-cb04-11d0-bd4e-00a0c911ce86}\Compatibility Flags = "\ued81\uef49혖룖柋揈谷䔣\ue3bdᆗ\uef1a獖⡡늯鎄鷙郿\u0e3b䋧\uef2fמּ퀟\ue016" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\Version = "욝쵄揶䔬试ⶣ\u1c8b\ued22䬞ꖺ\uee25ŢỨ퐊ꂶ韌琉\uebec" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains\CompatibilityViewDomains = "\u0a0c㉌涚꽅ﳘ癬↑荦笀൴Ⱋԅ꜌ᴮ鉋쿖\ue348" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3}\Compatibility Flags = "簹뚦⸋炼\u2ef5塄ᠵἵਾ\ue5f1\uf763䑙菇쁩\U000de4e8ﮉ\U0006c7a1ˈ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS\RegPath = "ﻥ㢼葹姅宎樽▛ീ祛\U000756cc鼣倿똿먁㓛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{26EC0B63-AA90-458A-8DF4-5659F2C8A18A}\Compatibility Flags = "ⵉ\uf692뺌薃籀綢窱甫瀖\uf7a0ᗬ뎾놂숫\uf675硲뱒皓\U000f5f7b店ᆊ്" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CFB5280-800B-4367-848F-5A13EBF27F1D}\Compatibility Flags = "湯쥦ⴽ꒰\ue52fꫮ☡톞⋖쭚蠐\U000cb3a9괾潎+ꓶḁ㋘嗓募䑠\U000e8177" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}\Compatibility Flags = "퇒鰿ꞅ䨨皦㟄\uabefၟ\u20f1闬\U0007db38\u0f70똏榝煸ወ鼲昭㴀ꇗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\PLAYSOUNDS\DefaultValue = "褮늡鬇\ue41c뉔ﮃ䐪젵쾻憹랭䬪\U00012bb8她" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\UncheckedValue = "䢏ፄ\ue20b둘\ue6af\uebac\u0dfcᖦ뚅ꑚ婖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8469A9DE-A3BF-4218-A1D2-F19AA9EA1617}\Compatibility Flags = "⫗ᙶʙ\uf6b2\U0004f322১蟳됦즀载\ue139ㅅ垛阁칯뻚起喒ݶ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D4C0DB38-B682-42A8-AF62-DB9247543354}\Compatibility Flags = "혏삀ⶌ簷庭ᙚ窤睕െ旍㭲\U0002f630" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\UncheckedValue = "骽啘ᆦ䅰\uf062㍭뽄磼䊔ჾ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\DefaultValue = "殿眡࣡錙靣瞼녑甂⺋밈ꅒ꧙ﺋ堊踬ᱞ쉌힁⢒⿃ꉲ\ue64f姷䂍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\PlugUIText = "崻뺵尘\ueaf3\U0001a44d위崯괐ڿ罼Ṏ蝑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage\RegistryRoot = "瑤\uf785도鹗쌎쀕界쿸쓇嗳딎櫞虤䄨∾辌ⰶ캲ꉼ沮漸₢븨\uf201" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "⾾ꝿ킐揩\ua7e4\uf07d\ue24f隬\ueb8f㤬᭜Q훚椕ᚯ\U00059f97晭℟谾\uf28f\ue31f\ue6f7" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "믓ה\ued88䥴겆겄叿㸣닁偰囄阹琎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\System32\drivers\ws2ifsl.sys,-1000 = "⼴넀壛紺\ue9d9\uec1b賸뜊猊愧纨\ue936" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\EhStorClass.sys,-100 = "\ue5ea𫿋\uf4de㙫曑\uef69북팳묤抲豚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%Systemroot%\system32\rasmans.dll,-200 = "攗\uf711⮓䨒쐡뀯읟⠾䦟햪䷁็핟拫倲ꍂ쎢䷰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DevicesFlow\appType = "ଗ뾞됦팕㦁䌚\U00108688ᷤ庩࿊ຠ䃼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Microsoft.Windows.InputSwitchToastHandler\wnsId = "\ue219哳흲\ue9a1ᗢ約㮂႔㨥𐲓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\Quick.AssociatedWord = "翥谝㟒氖셏샶ౚ뷡ঃἺꜱ徂﹩꯰¥\ue96d씓ग熹\u009a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme\Name = "誂喳髏㠷抿⋊몡럓沬\U000d9fc6Æ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpAppAcquire\appType = "杵趵\ue6fe㮪䩗蟆\U000690c3韏훚蜾Sᱞㅑ萯≲竸Ⴣ䖠벂編塋ᨥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "\uebd4ῴ転\uebfd桤鎭巡僺뢨ﳽ菆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "튏跟ᷞ㔬굃\uf407⇉⸢㗔橓뷤⛃䦜ᱵ맱ⴅ↘忀┊痚\uf114꽭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe\FontFamily = "㡩괣㳺潙\ua6ff略שּׂ\uf2c9䧸\ue8de쎹ꕰﶩϰ塸\ue152ﷀ敲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Lock Screen\LockAppAumId = "Эᡉ㙉\U00105f91ꗎ硒ΌꁁҐ\ue183꒔筁➺㉅暀𰑇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\lpasvc.dll,-1000 = "凿ᆩ㲞⽞‸‗ଂ㬅ﮟ⤺鈓⎱藹噻뢜쨋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MoveMenuItem\ = "熉몵╊ҷ糰컋\uec02ৌ䳝삅\ue544" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\DiagSvc.dll,-100 = "ꊯ乖폴퀋\ue740\U0004dc67\uf355ꕊ矔煄沧ಟ涡跑桫襫" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\Help = "\uf825㝇弯詂ꊖ訤칧怎曆\U0004fafeᬔ濖\ue8a3" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387\Version = "퇅븉쪗\uef92瘠\uec46㤌㬝蜂⏼㍰\ue819에純\uf545爽糱锝盶\ue1dd욮㠊ꬠ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Microsoft.Graphics.Display.DisplayEnhancementService.dll,-1000 = "암⫚̐閴쎙᫂ꍮ\ue8df碔斐\ue4c2" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\TitleText = "ᐌ䱜쇽걮叇퀹褖뵁\U00035059Ꝛ砬頹헫倬覣早獛街喙Ꮳ縷≇仠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Colors\WindowFrame = "簛͟緯㪨쐧ᰴ怉檘葤▸㊉뼎⊬狣䤧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.AudioTroubleshooter\Setting = "島㸕⒠ꍄ\ue533忝䔩\u0af6倂⣫澏뗥蝃씥櫓꘨\uea3b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "ゆ\uf6b8ᇃ偸⻲ﳐ濋뇯獝㞐ẉ潚㣊鸙ጠᾃ谲邱◟譐\ueee4쇸뵪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Colors\Window = "씵啷ڨ륢룒鋑\U000ae5bb\U0001647f\ue48d救㪄ັ\ue0e6䢨ጲ鹁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%windir%\system32\bisrv.dll,-100 = "癙툁孧蕡Ո筪廚ꍪ皗ଗ\U000ff796⊣ҥ塅\U0001a100ⶬ맫䯕ꜜ\U0001c793㗋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\tokenbroker.dll,-100 = "⒅䳁휰ꘚ꽈╴爵蘨湺꿻滮勉鳀寥矮칖ൻ柏\uf860陛笭ᜟ⼛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "\u20ff稺鎍䌦䬯⢡\ua63c呧寳案ఋ䘈⥰\U0006a50c" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.EnterpriseDataProtection\Setting = "蔢쐽儙쾊篟椆ฌ\uf184ᔶ䭡ﵹ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "㰥ꥵ㴬\u2dbf妧綱到㣬鑖迬皳쉟☯⑽ߩ烜䄽椾൹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "㌪샱㴸돂q抌굤\U0004bdcf䍰䚟펮慠括欑\ue409ꭗﮩ궢⩴妔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.SMS\.Current\ = "핲\ue678\uf542\uefd5쇦\ue69b䢈廎ŋᄲ뵷𥓨侂發" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Speech\Preferences\AppCompatDisableMSAA\devenv.exe = "⓸粚迒둸យ㳋까嫫楹⹎ᦗ䖞컫˿錖䥉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemExclamation\DispFileName = "ན돲앋\uf3a9䂂庻㱸\ue831鹈㰫婸樘藥灥⁾鸻惮ﺂ斈ﮑ쾾坛魦㶴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WindowMetrics\ScrollHeight = "䟛⺭榵᭛롎搪십\u1ae6잗寝뒙\U0010a71aᕩ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\SupportedTypes\.ico = "柦ᰚ顙㺻劀䳾죄붫䍕紝萾\ue601ާ㔙諡呍\uaac3裥䉻㶱\ue864ᇼ\U00088871" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{212690FB-83E5-4526-8FD7-74478B7939CD}\FriendlyName = "挬沱뾆\ue428│苝榃ー䇭Ἴ\uf6d8忨썛媆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{14DE3806-5D5B-405C-AB89-4AC936BCBF48}\InProcHandler32\ = "霉욞ᩍ㊌\ue105\U0009381f涁뛃見摒霟允튌ⵟ\U000cfc9fᤔ\U000d09eb牺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "\ue0f3\U000b8b3c搘긿ﴑ涉읍망ﮍ瘰\uf626赛ᔖ㇘靿ꃩ㥹ᬅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "룒\uf8e2꽜꧌戌宪訙쀅큧ﶥ榐䅴趖癄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\PersistentHandler\ = "㍥⣁慗\U00038338ᝇ궴Ὤ병䱂\ue47e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{FED4ACC3-87C9-45E9-A026-5B59A855E687}\Copyright = "⋪䁐\ue4c5㏣蹽戈Ꝁ☛\ue4ed裏嗫ꘌ疗果禥ꄛ꼼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819}\InProcServer32\ = "⛳窜劎㩋៱\u2069蚻ᙬ锗쀔虘\ue2b8桕\ufdcd㵕诩㴻\ua631" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SoftLanding\DisplayName = "\u2e5e⇧Օ\uebb6⏐⮆\U000ea1be\ue43a䠀⎿뷜伯ꉄ즪붍ꥁ鼳\ue502灤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}\VersionIndependentProgID\ = "\U000426c8퀍郮䪢炮맩\uf0b5ꇈ\uf457譚\uecb4⩈訜첨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.OOBENetworkConnectionFlow_10.0.21302.1000_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppXg4gma5adbcq51t954g3zyy8q4frw = "\u0ffe\uf2b5핢跈餕ⅴ䋥\U000155ee\ue690徧磍믶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "Ꞥ䆺妎㪍妬\ua83e씠솶⤅摳㺜ꐣ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01FA60A0-BBFF-11D0-8825-00A0C903B83C}\InprocServer32\ = "ᦢ燪겣뽴ࢳ莿อ롏ζ楥텣瑱έ㨾uጚ﯀푶\uf17a㼩饠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 2364 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 2364
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 쓪똔药๚ㄭዉ嬞
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 䲩뿕덽羢徺彼堺
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 멢赇┼⡟앳ኢ熑ﵢꟂ䬢岫⡑镾釢䱂㹶꒫㙷櫴煉
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 鍧┫ﮟ醓뙶ɏ㺙䌝皦䢦
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ܋⦅ꉼ었⦕ꤔ이Ꮷ㋢﵋
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1408 -ip 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 948
Network
Files
memory/5576-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/5576-1-0x00000000053C0000-0x00000000053F6000-memory.dmp
memory/5576-2-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5576-3-0x0000000005B90000-0x00000000061BA000-memory.dmp
memory/5576-4-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5576-5-0x0000000005990000-0x00000000059B2000-memory.dmp
memory/5576-7-0x0000000005B10000-0x0000000005B76000-memory.dmp
memory/5576-6-0x0000000005A30000-0x0000000005A96000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_ifa53rhn.0m4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5576-16-0x0000000006380000-0x00000000066D7000-memory.dmp
memory/5576-17-0x0000000006840000-0x000000000685E000-memory.dmp
memory/5576-18-0x0000000006880000-0x00000000068CC000-memory.dmp
memory/5576-19-0x0000000007810000-0x00000000078A6000-memory.dmp
memory/5576-20-0x0000000006D50000-0x0000000006D6A000-memory.dmp
memory/5576-21-0x0000000006DA0000-0x0000000006DC2000-memory.dmp
memory/5576-22-0x0000000007E60000-0x0000000008406000-memory.dmp
memory/5576-25-0x0000000074D60000-0x0000000075511000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | e080d58e6387c9fd87434a502e1a902e |
| SHA1 | ae76ce6a2a39d79226c343cfe4745d48c7c1a91a |
| SHA256 | 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425 |
| SHA512 | 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede |
memory/5000-27-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5000-28-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5000-29-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5000-38-0x0000000006350000-0x00000000066A7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f5633b6fdb00af6607ab845c98a2700a |
| SHA1 | b4c15145657093363cb05a36461b2b4162de5bd9 |
| SHA256 | e576cc06446553840c2a97c906e2af8a960fcb8587023d8629b46d50e625d1ad |
| SHA512 | fa15d90442129afd031f86850a99f60d780e5bbb6b5a6ce1cebe96aec7a3f7479cb5c83d894a4fd42f35fdee19c01ed61f68d580a2a98979d4f758cb86b7346a |
memory/5000-41-0x0000000074D60000-0x0000000075511000-memory.dmp
memory/5088-50-0x0000000005D40000-0x0000000006097000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe35986aca10afeedd70bdc55f526a75 |
| SHA1 | 46029547c2f2ba9deea1eef5aa69c4f99dc866db |
| SHA256 | edd34addb464cc9e79960f292abca14eaea6a9f965ce79705a63ffd00b03230b |
| SHA512 | d8d9c6acde46f7d847dbce1ad022e479910754647c3f7af6dbf7709ad6f4b66f7fd78f693e68a35d5191e68f1f2bfef57c898be63a034cd0748c875f1e7bb837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c350963d6c4f535ecd978a544c4d2db3 |
| SHA1 | 9d2e290c8338e2e251966d5934a0a471259791df |
| SHA256 | 85c331f73bb3e66b28972caf46c57f4f020173c56b648c7dee5bf7ea9d625108 |
| SHA512 | fc9ba4a53dd6b1c726d96985ebf136e736777095ec71ff12e8122aef4a0712536f62bbce7378c51770b3ac64e178f8abc25f15359adee8d35ac1958c4a648745 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 661a05d253a676b0d34e51cba9eedfaf |
| SHA1 | d818844a8fabd15ba3a860556bfcb8a3e8089ca4 |
| SHA256 | 8275701d65512d15e1ce378e9abab84199f321e778248e736e655120b2cec139 |
| SHA512 | a97d76bc262795cf08d7dc3484d542afb3b1ab6ffb4efb9146807159ac623c63e7bc924b2da2e65af99c1af99f583d24655ebba4dda178dc0bd9e8405a269029 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a87ee6317b3d781c767df70af6540047 |
| SHA1 | 533ee3c7eca19bbbd69c1449ec42f7b37ed0a960 |
| SHA256 | 5abaa2c2f5acd62e8accb93c6741387099d6a39048100054b1d72d0361888010 |
| SHA512 | 3f2b70c710d6646a97293c7d373997e39f646eba9c7192b5467e5bf8407685ae746c4eca419fb39a6500ac0e44f46d39ee6f4ddb5489417bfc4964aa786ac158 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4e1a8bf22a4858a6f39043f5aabf1fac |
| SHA1 | 8e64779e1dbc5ffa61008d0a349da8af23e9201d |
| SHA256 | 1d17e0e927be4debd1970f1747eed86b795d669ae8abe00e76084186a331c769 |
| SHA512 | 7a581e3144f8dd086edba69dca1c0e5ea78b96555599faeab52a862af168aafa94e09784b9683f99c0dbbf9cad46d062653dee56c7678aca93a5d2ed8b9109c9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 376a78c42dd21c47f04b7ea40478eb98 |
| SHA1 | 83407fd533237032f573e65275fb09c13214c338 |
| SHA256 | e4074ad0a6e28b9e5f3c63710f9e63f232039d9e10196f8097f242b4ad2f3383 |
| SHA512 | adca3d6b089bf02a40ae29c4cb5821c37788d933250265309d4020ed254c6112c8cbd03bddbdcf9c1bbb6ea51e14c1e058f4df0de81d37291fc8cc40a556847a |
memory/5108-102-0x0000000005A80000-0x0000000005DD7000-memory.dmp
memory/5808-112-0x0000000005960000-0x0000000005CB7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6da6be01fb06ab121838f6ebabff7c30 |
| SHA1 | d56471925f4c20eed6b46cf6ef3ae2ed2090f169 |
| SHA256 | bf300254a69e95a95c485db7f71d6edb84c7c27b3e797d8e801da378e63c91f5 |
| SHA512 | d8caf8fec4eb6c214d09b22a362767ac5fc5025287496f96f84961e73dbd2a4671c9bdf632e7423f08d765d41d99b55fcfe0d3e052cbcde9121a2e9869f727c6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c8f7fc479884ee669045389fe30c52f6 |
| SHA1 | 37db640d09b5dee7be2ad1c6ba9320b0f0b43921 |
| SHA256 | 70d05fd23b8424d01e981d4e9a6eddc840f21c6433e1b689094e447cd9175d6f |
| SHA512 | 2aad67665cc6ad7bcaeb6a892d161d6e6d38ad25e18f14621279f1853bf3ee3f0ad9d8daab6f54296f637c41aa166e8c9bc40bace3f2b0263fb221a06617b537 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb7a8f54ab4c0f9af2732d61c2e476d8 |
| SHA1 | 4e01bb56ae9cc11fbb86e7d8bff7856e654f25c1 |
| SHA256 | 5ca5078ab9ca67d6a4efb40c57102e4b33941919250bb5f710edb6c0e6cf375e |
| SHA512 | 294561af3eb32db05472dd552fab50d3b451f079a89c47200bd5c2b06be39db4c65edf0356beed10d156c972309e75631d9d7b942bce5f52d6b6dc18e4ef62f7 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bdf2d9264d8ae187116462ad18307a1 |
| SHA1 | bd245a7cdffc045765e793a16f630135e59eea4a |
| SHA256 | c4424dee00cfec62c0ffd3a63807492656b1ab952f3332225d5f8a140f21b2fc |
| SHA512 | da45f7c7be1f7d767bfe6993cda1493dfcf8f4abec64760000a92ef9c440c51887eda8c9d3183cd6ef803757bd6876c33b46c44580d250a99d0c993ee666feac |
memory/2112-153-0x0000000005FC0000-0x0000000006317000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2cd5954215dca550d54c023b971d16c9 |
| SHA1 | fd328c99965fb7598d42e7303b5efa90e249b0bb |
| SHA256 | bc5e245c38aad0eb7b023c4ba2005c6d1f72b6d1d38d3633371257899b6f8378 |
| SHA512 | 0343a98ec69459a0908f3b5513d2515f437a68b28b273717ace5b7deb7ceb96c837b13dc19006777f7977c1935d5b0f32a0cb41ca181b25f4d75162847b44013 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 08c144fb5731dbbd8aebf23a30f349cf |
| SHA1 | d9ae2546a10f9b806262ae61d1c5b3b53bfb1530 |
| SHA256 | 93a6e30716ab0d7a311ffc9ab50e426243ddd55e7768da235c3530e756fa44e8 |
| SHA512 | c35cbdc18891797491a1633deb8eb202624f5b14900840636654c460b9a61be696f0dc5ad7f023309c9edb7fa5b6f69a164680b3ab76c41db68c6f8aa2d984a5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aadf27a4a49675f35f5af7dff555bfae |
| SHA1 | 4764572b20ac0ee6d4d3a419fd36ef594b444582 |
| SHA256 | 40bcc4a3e8c9ed030c104b0b1b24579ccc76dd8b7d7fa7df9ac7fd32927bfeee |
| SHA512 | 5532395c2b5fff7d6f6067b664be4a5fd9afd61fc2fdcf5dd6e368d4a0fab81420fa2695d1c1bee365c4affc8ff3928443a054de8391c36fed6fca75ed7f66c0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7eb297e1b37cfbe175b3fab4de87fb8 |
| SHA1 | d7acf2b1c9d0ffe06249e7764cb4b1835a00c29a |
| SHA256 | 6bf4397ed50561ce7a25991a0d2d9da3fd2d875445b4b6c1fdcbea78e6bb7639 |
| SHA512 | bf3befe91021b90caf4e6063f54830c0df3878ad89b77446a3a270d7e17fb87d792b355f4bc897d428e40c807533536883a55ae8efc4ebac05c532997a362704 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0a6b6e9dd5bed2f2475d66df4fa3ba4 |
| SHA1 | 41d8205cb99ea1a17e70f19520178ba36dce3e99 |
| SHA256 | 9a8489b2f5e809e51f095ea5ed2c2a462d267c655776f4b2ecfb8dd03bbe6318 |
| SHA512 | 076f6ca143bdcbca536177501efc94dc3c84e1848fb634f313e6b7d34b2414e005b2f5037e9a3359306cf22cfd4a0b6a193f7359dc9509b5248a52919abe7191 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8682b2472f84fd3f310c8f75ad61b43e |
| SHA1 | 736f6371b68f945243288cffc8c21ac85aa2edb8 |
| SHA256 | 6ee8028578e1582d9acabcc6bcbeb89b38fba6fe6aefbc780a2babbef702db37 |
| SHA512 | d2ec5fb22e4261cef8faeed9d9898fc79a3d5741627051370971d3f6f3daeffb357ce8e345ef2a3ed38241025c4b276a95e9b2193cb7d74b14ca4185930e42f5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f1f8686662d8344bdbee7e7f81e6307 |
| SHA1 | 7bb2b0ce8eef53c26e3f6a75536d565ed784859a |
| SHA256 | 6926dcf9a204a581b4c7d62050b0818a8fac89bf79094183e6c50f53c4bc93fa |
| SHA512 | 2d721309d3e348138c3fa08d3bf7949fecf7dbf177af12503d63a34c436b4823473289c0d62becda7433133c5235e3717446f905eef6bfcdfc9909fdaaf54df5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a302af9be80aeb7874be2deb0a7444c8 |
| SHA1 | 926b40dc0adec67a7b5b9df15cd87d52db534006 |
| SHA256 | 797ad19a352acf06dfc3b4e018724c186c01ebbc021bb2f54d13d5e585fa0cdf |
| SHA512 | 485b2c3f8f057c70a38fe0dabb228fade12acd5ad8715a9482b0d5085f9322c649000c13710d6131bde46df3c586072c3e11d5cf00b583a0abfee87c4b8ef155 |
memory/1944-234-0x0000000005F20000-0x0000000006277000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3781d35ac290f616dc25ef7ca8174dd2 |
| SHA1 | d697871cc802ff690252b69dbb3bc4b9f51acd89 |
| SHA256 | b117469ff3a3a727247c0a834bb55170eee0260c89f9ece3e71d00ad74c1b324 |
| SHA512 | 40e3af3d40aa3baa3b8764078fb67efc6e244983593359df01a99eb3dd6e29dca3f71c53c74094263bddb733bb56bd2249f4e13fb28cb6accf8bca79216e9626 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 888031cc38b7b722c6e8b59370562c02 |
| SHA1 | c9cd4e50faba3be6d406889430fc2c41b2ac96c9 |
| SHA256 | 2925d11791b3b12f1a99d39d98c6b56a941e2aac86139d0ca0201bb186247a4b |
| SHA512 | 61668e01a482f0a5f712f447a214d3f91af9b93b53276384c57dbfc988e09d6e361a1dbc5cb35b679d8482f72221e6cf6259a932f97ecb1018a02a31ae6657ee |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3c45f724bb40e8f87a7a54046c3dc0 |
| SHA1 | 3083e66d8646ee13bfa1378eb255842802148bf8 |
| SHA256 | a5475b5ff7721e216f9ee94cec287c6041fc654e64527004a0e27afe708195f2 |
| SHA512 | b8b9ead5e1fc92ce21a9620cfc0e08e6d883bc982012a91f9d281133fcaa9433cb1ecf50366b70c7907c57f2189542d36efe798f2e0c10ac5826d3aab0874eef |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de3e5bcf51659f589a3fb0fbb306c2b7 |
| SHA1 | a28978e45a6c23a81c8780cbc132123e457bacc7 |
| SHA256 | 96e0ffe25061ffc37a6dc918f7aee05f91a4707c3909c10974c37e73a93f2e76 |
| SHA512 | d6040ee0f3d52df8e30e30672993089b593e7dea937ad51d13b3741aa58fca2a2075a823b876f31036cecb6d41461e266422fe5da40584623e2742add5568e2a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8021a6faf7ca3c41c2a6a818e93f452f |
| SHA1 | 49a261075e7ab3429f0d04e4f9822dff2a66113c |
| SHA256 | 1a034ff0032e03ffb699ee44d19aa8046daa94700fa1d6a248637e9581267eca |
| SHA512 | ea03fab4acea186e58401153dee2a455c851f18604dda9e4d87635d1a13198c8efd341ebeec66e9ae15ed640560c9511a74c63a69e2beb609821b91254a92e4c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b6c2097b89792a51aba8925176e635a7 |
| SHA1 | 8a5ece4e51ffbcd150cd87392e974d8336ac6d97 |
| SHA256 | e35c926fc769469d5fe8e632cfcbdd9bdfa4830c2c950acf49e979e627e8f770 |
| SHA512 | ff51f38ee4602b605a58ad78c2fdb84f28d07755a2d343d36a3f69c77abd68b66a3dd0f8b5679c9cf6ebc4b41c5379cd949d80e273d7faaad7fc01cc4a0954ff |
memory/3336-295-0x0000000005CA0000-0x0000000005FF7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8cf24c4af42742de34d86b4d60caad7c |
| SHA1 | c55e911f5e628a557ee2e051dc00216d769b29df |
| SHA256 | 0661d85e75d5f152d3c4a7cac1ce26236e7dbac4082a0ed5b65b8e1610e42dbb |
| SHA512 | 1331979275a309c1f9c60858c1d688375c4725348175e99bea489f4a7c9347ac6ec21dd5c26cc9de5307b3cdd9db6d7445ceae89b377405421700b8101007153 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15fb97dc4473e4f61ee7e5838bb45f81 |
| SHA1 | 3764da53da5a3e59ec5cd4675acb36a5bacc8046 |
| SHA256 | db81e9da12b8982733b53c398e015bf67ca1ea023f22cc05fcb43d7ab922e081 |
| SHA512 | 15671fc026590e460c434fcc7e414fd6ab2afb4b0d7b68929602f3b7492978e0caf234f12bcd6e086f9d71dd80039b99a3c300cbfe08533976cb12a90a3fa5a6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8753d0e521e02e125c9a35a99823431 |
| SHA1 | 00b0b302099c9de64ec484457c573c6d079dbfad |
| SHA256 | 5cb24b6864f8f38fbb46265e85206ce16e3512b12f3d45898e783fb093ce6309 |
| SHA512 | a665d86c4b98e9a01e6111887687a12e3e644484813d85125c3811b43d42ba54b935c5d8dcd7f94ae840cf7119d9483d4ffaf773193e11fcea49f03a325df458 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 16a0cdfe31a7a2fa15462f170dd1a79b |
| SHA1 | b5050fbd2002ab5d5b0d962c082d0cc6ae08f49b |
| SHA256 | c32c5d7cff30d3329b7aa123d38a0f6969279e7a70b0b1603ea0d72ab0713f28 |
| SHA512 | 09136418c3a777bc68f93c3bd75892a8c364cd84eaa55e7eb77bd6841cb679d78e11f80914fa0dadcce01167ac284515d73706e758e0a202b2dacee2025ba49c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5478eb4d645ce6cf8c34be223269d40d |
| SHA1 | 5f6e1ff77edf84667bb5f4b238dd78df66aec12f |
| SHA256 | aeb28fd54de53e323e30d4c087164eb39855035c8b6daf296682dfd805f5404b |
| SHA512 | 4618192f91c3a6f9c62f025cd4fbe8168270f7a56931a204aa344162347ddef369bbc14d440154436ae26e4e8d10ab8bb4e778477a197fa53e51bdeeda0e7e1f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c9afda6e856e08433097d56a85683e2 |
| SHA1 | 587331a64f0aee7ddf395ce07440cbeab2cca549 |
| SHA256 | 704b40cc2c8f863fb6de709176679b8bb66d944c5acf86be21eb538ca501be9f |
| SHA512 | d4da70690f9a2e2f2de0224da03e51bf79480a6431bda23c07dab06c3653913e5d64f44577c3bf95100eb61b15e3a08cba82924b86d9cfb09876b3c0c0a0f5fc |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ee512969fd8d047322923d1455d777a3 |
| SHA1 | bb184520f63d6196fafb7424f8fea428bccb1ac3 |
| SHA256 | f280bd3822c9d87b07e13086057d0d407f135f9ebbfbc78f63df6d15fe7183a7 |
| SHA512 | c4931bdf05c3c903c9f18db4cdd6b1382b48ced778e41924fc7c9e9ab74c3858039a49d6ff2fd722e3462bb3e9c18c789e7ea83443f38fa7764bdf62083d8821 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98047991bb6242110afec81c2c80849a |
| SHA1 | a9155681abcfc0473f1b1cca1368307ad07b698e |
| SHA256 | 609819daa6dbac554a87fb2c14f3037a7e72c64189ba6c7ba69a6de7a4a1e611 |
| SHA512 | 2b3488a7f42a74db233b4249b60521fde60d6eb84b1b6e8ca29da1fb49c488bfcf608ee992060a0eaf75f6c1aee55f76ab3e7096b08fe35b9ed635df8c1fb75b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 191dd4839ea254e770cd74d23ce21b0c |
| SHA1 | a379de171ac9955e7aaff3004f97a7ec05ba07b4 |
| SHA256 | dc6a65bace739ddd5d35af8d9f0c6566debdc7335f22540d27f08b374499bed4 |
| SHA512 | 011250f58d614ad163052f717042fc9bca27f193cee2eb289b87a192c690f5566db5d53dbf7af34ad39f51bd4c79a8a5dd2a451fa4ef9b60c8e2e9eaadc28e05 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd4e48335a8f3b630181c64decadcf0c |
| SHA1 | 58e9fd9fa9b1f35bc43b824772fcc3cbbc989976 |
| SHA256 | 2efcf7cf330ca919707b6bfd9abe107e95cf85454be4908b96d77fcdc26d3b56 |
| SHA512 | 3cd5d66fb992050cbad6ecd0314735f6e067eac795d71a240b6ae7564e477eb50601669812b8a1bfc382868f8aa450709c26365308a91179afbadb3385a94abc |
memory/4888-396-0x0000000006310000-0x0000000006667000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd43fd50d4b7af2b3b2383b81369c5ff |
| SHA1 | 9775da426390fbd883f3baa52a3876903f442f75 |
| SHA256 | 6ec2aaccc0b4c5ba0ff3ae73cf0d2499e53640c44767bf58dfd56b299d8e1a90 |
| SHA512 | e684d00785e544ea39fb92dca2162f59ea884ec3899281c976227c228bfa40b0ea6343b182b1b98db48ec0f078f36823544d6c635438d6b103686defe4d55990 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2fa00569edf70b81eb773f5c3df2eca6 |
| SHA1 | ddcc2bd57673896d8e7e5904d59d8ff88d93f6fa |
| SHA256 | 3c5db275f79d29f9922ad12ccafbe866f7449841de1576608ef1516f0704488b |
| SHA512 | e6d01a91971b2a25f48357a44316a88e1de6f4262cebb4c472a2d18d5b3c7d7286563fc13b5834522776ab27014bfba95092467942ab965c42585c9c73f42a7a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d7170b4be3fd15ddc8f45ae0785f7a2d |
| SHA1 | 2b047fb3556e28cb32587b9eb38f8b9d6b8fb75d |
| SHA256 | 96d587c37b8902e9c39443b0f3f21c867322e608a6ef5694aede49bd58e7dd4c |
| SHA512 | f68d6643fae6da4f776962a2da7bb334dfb49ea05323b195fb05c494577e6bc8bf4223c199bc6fff11493d37f2a7ff935ad56547786ece77022b7b96a77e69e8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d75e594b0dd0ca74affadf1109691a72 |
| SHA1 | 8398d3c67c039646d4f1984515320fe1dddf82d4 |
| SHA256 | 82e5f60bca568b0fc438120881ee0a726cb09386fec4818b87bf429f9ef6559b |
| SHA512 | 6fc0617517e2956a96d9c4efb4061a701d10bedcdabfd439e802f4fb3cbcb6a7c74fc429870cb2bf37a908a4229873d3e946f0eafb6e22f2c5555e4474c34009 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90806d556573e2c869ed4321d2bd14c3 |
| SHA1 | 115ee0fe557bd27e1f280dabe103f340a5b4af46 |
| SHA256 | f0cced39bb42777170ebe03ee6407ac88a228252a9d6fcfc4d9677540788c90d |
| SHA512 | 48d35d034f8f6ce25ef9152a3998d52756eb0c94932e2e829aa2a141d36407dff2aa50a9c41048cd1f548e948980a1c7e5e853ce58e4ef51fda0440f1d3f6081 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dc9034a7b108c693c6e3ba3c619eaf90 |
| SHA1 | 7944e99264a97b72ce10136f64ab4e6d362c4643 |
| SHA256 | 7df9e6ab28023f592fa537fdd2dd05b7fe7a8b6d1b874819554048569c0de12b |
| SHA512 | 0df494694cf7d3d6093328581b89709057eab12ed2d2abf22c6bb1916c218d25b61609e8c1b61fe0259b562cecdd66a08b520bb2d5f720ef3ce4ae843bc70272 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a2787069d8c0d3fc368f46cba78e036 |
| SHA1 | 3e98fde45ae59256ce19c83cc23e27de5eba4be1 |
| SHA256 | 97bdaec935c6e50e7f2616dc923f7e7dc9f43a52204360c39a2d8bb9fa4ed60c |
| SHA512 | 21ea5b411a92bab2a9394f7648d8ee18f611d10d58d722a250e3009bc2b7659ac2b837f994a803f77931d3643a01ed030e4f03cfc7606ab62fff9a11b3bb7489 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71f9f9014626ad76d8b3fbd1af20d976 |
| SHA1 | a7295d3250053d8fce0c3f714a8a1a9318e87189 |
| SHA256 | d54d97788691060aabe8f259df0aa6250d6e110eea446a8f5f460aec2ddee693 |
| SHA512 | d5ba746f3bfb445efb9df50c8885072d9dfe278d0d42c7ceb3ea7e75daebbffb7967a18f1d2011c4976311fcde82b6a00ab9b9c04900abc739f725cd5474744f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4e192307cdc099a2010d15314ab96a54 |
| SHA1 | 84ba86aeeab4a00b59c520d0ec69649a5fce7495 |
| SHA256 | 9596ed362ca7bbc9deafa37111a18d0bed367cd74b155f4ee382d53cd3216bd1 |
| SHA512 | cbbdafa8f93c134ec11147b708b40489acb78f4ede9ae54e5cce8521971fa8710636f81c8d5f278e881f48a776c0ccd74ee38cefe4bd2762167de5213ecf5f61 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d7eefc731ac53119bdfd20594eb45eeb |
| SHA1 | 536b25c81b914cdd9e8e3198a7433d649d13856f |
| SHA256 | e1fa0db1f0a7edc648d8355ca0b40c24ed41fc36012ab132218bee7a62eb9970 |
| SHA512 | cf8585734ca75c65253294c317001ffa70b474e8abe204aed68a10826f311f806ee25ae795ea9ca119156618d833b7b163fec9fd443af953c18ed6752da8ec6a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b7abcba3d8003e65c69cfbbe3dee403e |
| SHA1 | f478781b41f7cdbdd0cefb17d91d0b89ec3e47fe |
| SHA256 | d296ef09fa0938e16e7a5d29870c3b3be8a7454d649822f1457ea10e2e70ab34 |
| SHA512 | 33e31839567279a36513d6acf46101a63d119ec980d199a528aa746bfd441d2afb6f2bbc61ecb97c2c9e24565f35c41c5b2cb242b52c18569092b3456f70c5b6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 14eb9bf1fdfbbc3e49d7676f3e92c805 |
| SHA1 | e1b6555106c580842423683d4b43148cf8b9f228 |
| SHA256 | fd2b74e95cb9600832a3922153214377adedc2b298c275e334fd8af71545ab9d |
| SHA512 | f38a8a4eefaa8b236da463dc0536ddfafc4746c2e6efabdd3f4960f61100fca1dabed3f04b733f88fd3bb8f3caf2aaccb45d364cbc3389942cfca446e9f2cc84 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3804f9a1f10bcbcb89fd36b9626a7be2 |
| SHA1 | 9a7ecb8cb4876057eb2136c85b9729c4ae22a9a0 |
| SHA256 | 78c9e49d306be3338d3264dc7348cecda2a1f615b499875bf1a136796a86fdda |
| SHA512 | 2e987793b1ba6cb11a98580660cfbd46dba76960eeed5a5f3d9be5c3fe179a8207448f1f6c7752fd5a545000eb9da976516bd754302e0e69a4789104782726d6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2d18051f0467b7cd743e489d18cb778 |
| SHA1 | 6f43eb1adbcfc806a054b82b1766fdc213e9dd10 |
| SHA256 | 04bebe07b963b75531bba957debadb0575ccbce52b1f7d0e2f666c0bb27af3f9 |
| SHA512 | b50c4cd60c2b78dca20cd5e58a34f6d172eb37e599ed301594d7f3a7cde6375a6301e46d4af84cf3c39cd5597badf50acfac5bf92ef834f5d80c50bb1cbd8bb6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5525342486822cc09a128362f2f41e4c |
| SHA1 | 84d33ec73f2150a3dec9b01ac7c9b51c79133031 |
| SHA256 | 425a6d8ba6c01845abf17357f97ff7894e59ddc8b5a78cd700f21f49f6e10bb6 |
| SHA512 | ecc0a71477d4526c38546aaea3b13d8f017ea60ce78422f418c07bd17ff8fe448981f2c40b49e48b523f77fede6949c82ceb11c57c1b9e5aab681ebb8671f396 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c853dede02e31fe243872eabfe7732f |
| SHA1 | 5af79f1d946bb09454b148795eacde6fc7a47a93 |
| SHA256 | 9e15f6ff0a1bb3cfad97027f7c6ebe4eb99d7a763432533c27b81b6574ff83d7 |
| SHA512 | 55d5a7140a0f2c5a02b348de3859a028f7bd2ea27e5e7563d4815aad2f1b0088a4bd95058e0aece81a89301d6650ac7d3b9d5d766defd12d2203135390586f03 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b482a886820030024e05b9a718127e5b |
| SHA1 | 9c0aec1acbcacf8ad04816059e9f261b33a7bacd |
| SHA256 | 9648f3852b4a9944bc16a69724966fb451099f6e1507b65d0a4786dfad878c99 |
| SHA512 | 1fa4870d1da63123027ce3f0ec1d64c056da7e1a2827870a596254a37b8390c79bd4caf8ffa9d37b486720ec4832ef59b8632e0105e69f70c1ebeef7c69bff44 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ea1c50f99c1ee3ed5dd8f0f7b8183d4b |
| SHA1 | 9cce273401da24dbea685c1c719aa4fb974f8ae7 |
| SHA256 | b0f7c5a34dd2ed5c9fbd56b590905bd4b8e1512f51d86eb03ba471256c83ff15 |
| SHA512 | c797a16257ac0efdf8000d80f35fd66d7e4b75d1c4006b4d68b78b0f77d740a61e1d0366511218fea0c0b134505475d2094ea367cf80e38f5d1844747919beb0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2127564631c6c6e2daac6df274bf15df |
| SHA1 | 40c9710c98e0ca9bc4be59f0354d8049d1245389 |
| SHA256 | 3a4f2c0c6b654607acd1d05eb9a0cb1f7692dc69fea39cd35c413178fa362d8f |
| SHA512 | 8c0208fb5121ca98093acd919d7b7e442eacb1187f574df68499d763ee76353434bed4654b497e0015b20e34563147d5cf092ce20b6f891f42d97aad6af8a1d1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3e28d53dd984326d0709abcd2aebebb |
| SHA1 | 66bca500f154edd6b97313f469e2555811baf1df |
| SHA256 | d6e7c68e6bad7b1c7daebfed6c573d0260c911a166d8e62ff014878a5d1b2b9b |
| SHA512 | d4623bc6d820f0ce5aef3081ef646746af60b49c24e5077ec714dd76984b550d0d4deb5ff88b03b2bfb79e0d0898dc5a65eabdc643eeeedc5123f83b3c009ab6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 44b970f405aa77b3b78ad861648112b6 |
| SHA1 | 16ee6b26afdb807246bd53b4cb62dd373ce539ec |
| SHA256 | eddf2045216a4057d4da872aea42924f35145342960f7322394cb0c6c5cc4dce |
| SHA512 | a47ac42daa69c559f17ef69c5e446adaee9caf12e998ac1feb7a7775d287d804a08721bb4e62f8f4ac9a16126a0abc13dfefaa737c3d5e3f61f509a59a22c922 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 210ea3c7c95db3c810d5736d85c503c5 |
| SHA1 | 4b91e8e37bf3bb98f669103035d29c9869edbcd0 |
| SHA256 | 6ff585357db8f3221860020b445bc19fb19bdf2090105a125ac7a98f087e99f2 |
| SHA512 | 3955beec9d56571787f146d23f3f1663459ba788e245bd832e85dd89609be47a3511c56d76e7556b5735be190c14764193b085c8b47bb690fff151a404d0e1c1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25f074131d29e563dd387fc6033aa2b7 |
| SHA1 | 69714a53fa1ec7f688deb276180aabb17d6a44c3 |
| SHA256 | 3daba0f869f1a3c9e9ddeb2786fc1fe2a0b19ce20e792c8d7c19000e9d8f00e0 |
| SHA512 | d0d1410127dd40c4404b183c982763c85a39c6341b96aa36d3b08207a7c934a86df697e216cf26fb327cf1f27d9bff59dc0d20d22b54d4a61a2dcb44991c897e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3220c2456bd6fb19e93ec3fb3dd69803 |
| SHA1 | b1ee1c385715f858e042a99c6119f3adc6e05d8f |
| SHA256 | fb8707d9ef913b45965ca72ad6ee551efc9257d5427fe0cb9f9f39381e2b83d5 |
| SHA512 | 4a5e21dafdddf64312a953b8eb6d0b894e81cf3723c958756c6cf42d9faf00448021b23ebbdbff462c0305c37e3e9aa530c3df5cd0b7e1857ce19b9cae33fca9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aea89d53ee131637f6c200220721ba68 |
| SHA1 | a283aaf8736fe9e3fe9d04a3f0b2f1bfe6587792 |
| SHA256 | 0bb01da8881fcd770a8c2f95cd1cdede636187dbd0a3544b54e5bf3b2d362cd1 |
| SHA512 | 7858752359e5895c57d82002a0d3f1cc09bdbd7e8ef0b1365aa45c6974baa54bf930b22f2f124621d9a7c7d2a48d103bbacbd52d0f0b04c8acd7e26543302c07 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7bb150ff0d1889b423aaf2ca45cb1478 |
| SHA1 | 30086d0884bd6ec1905ad0454a9b0bda866e7a63 |
| SHA256 | 9f528a9d8b2cd41a2c201fac2931851b834c3d287dd8281fb7e8d173b7dd964e |
| SHA512 | 4348e34a942c3aba6903be70034f41d5c534f207dae78db51f542ae5418a40ab4e20b719f55a8b1ba15987e2e0f5ea12eb64ee7e760df369ef0f42b658e489c8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a881a411d67014c1df9d601b9eca56dd |
| SHA1 | cdaaba1836877af0e6cb7be544d0c7e5ecd0e93b |
| SHA256 | b44730c8c0f95124878523a2f972df90f8c872a8e40bf19c02bd38a7be9fb372 |
| SHA512 | a21739193c337890ff68e93311b39c0cba1000b3372e55d6a10e50274f096d525b3b2dd4977798501c1a51005735ac467d5efeb5b000a3013f380c3b48a6cf31 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61174b8c52739b81126a7f1d8aee366f |
| SHA1 | 0af1b5f011ce9fc77779549882028b88866848e3 |
| SHA256 | 4b8e47070b02d9601d0656447febb5c03b935e0ac844dd687667e64ccb3f6644 |
| SHA512 | 96c05dd9464e0ee8706193d0e952181260b868240c50967a3b2bf43cf4fbab16e52224877024de7f59318b97202d4d41ed61423f7f16760f41d3a0d01516bb9d |
memory/3776-804-0x0000000006100000-0x0000000006457000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-02 10:00
Reported
2025-05-02 10:03
Platform
win10v2004-20250410-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "፸\ueb9d妓ﺻ谥𤱸൸\ue299\ue37e亖ꮤ裀枅똨믬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "莥\U000abd63\uee3d겶䟤휬틲ꛧ믢퐰劑ꏊ뎶풨뚠탊ꐭ喊⑭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
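HideFileExt and ShowSuperHidden are REG_DWORD flags (0 or 1) under Explorer\Advanced; the report records them being set as strings of garbage, the same pattern the Active Setup Version and IsInstalled values further down show. The check below is an added example, not part of the report or of any sandbox: it takes normalised registry value-set events (writer image, target, value type, data) and flags writes whose type or data cannot be what the value means, plus well-formed writes from processes that do not normally touch these values. The events, the writer allowlist and the shortened garbage string are constructed for the example; a real feed would come from Sysmon Event ID 13 or an EDR, mapped into the same four fields.

```python
"""Registry value-set checks for the Explorer\\Advanced and Active Setup writes
in this report. Added example; not part of the sandbox or the sample."""
import re

# Expected shape of each value: (key pattern, value type, data check).
# Explorer's HideFileExt/ShowSuperHidden are REG_DWORD 0/1. Active Setup's
# Version is REG_SZ of up to four comma-separated integers; IsInstalled is
# REG_DWORD 0/1. The optional '>' before the GUID is an Active Setup convention.
_GUID = r">?\{[0-9a-f-]+\}"
RULES = [
    (re.compile(r"\\explorer\\advanced\\(hidefileext|showsuperhidden)$", re.I),
     "DWORD", lambda d: d in (0, 1)),
    (re.compile(r"\\active setup\\installed components\\" + _GUID + r"\\version$", re.I),
     "SZ", lambda d: isinstance(d, str) and re.fullmatch(r"\d+(,\d+){0,3}", d) is not None),
    (re.compile(r"\\active setup\\installed components\\" + _GUID + r"\\isinstalled$", re.I),
     "DWORD", lambda d: d in (0, 1)),
]
# Processes that legitimately change these values (an assumption for the
# example; tune per environment). Anything else gets a 'review' finding.
TRUSTED_WRITERS = {"explorer.exe", "regedit.exe", "msiexec.exe"}

# Constructed events modelled on the signature rows in this report.
HKU = r"\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node"
ADV = HKU + r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ASETUP = HKLM + r"\Microsoft\Active Setup\Installed Components"
THORIUM = r"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
GARBAGE = "፸妓ﺻ谥"  # shortened stand-in for the garbage strings in the report


def _ev(image, target, vtype, data):
    return {"image": image, "target": target, "type": vtype, "data": data}


SAMPLE_EVENTS = [
    _ev(THORIUM, ADV + r"\HideFileExt", "SZ", GARBAGE),
    _ev(THORIUM, ADV + r"\ShowSuperHidden", "SZ", GARBAGE),
    _ev(THORIUM, ASETUP + r"\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version", "SZ", GARBAGE),
    _ev(r"C:\Windows\explorer.exe", ADV + r"\HideFileExt", "DWORD", 0),  # user unticks 'Hide extensions'
    _ev(THORIUM, ADV + r"\HideFileExt", "DWORD", 1),  # well-formed, but an odd writer
]


def _finding(ev, severity, reason):
    return {"target": ev["target"], "image": ev["image"],
            "severity": severity, "reason": reason}


def check_value_set(ev):
    """Return a finding for one value-set event, or None if nothing stands out.
    Order matters: a wrong value type is decisive on its own, then malformed
    data, and only then the question of who wrote it."""
    for key_re, want_type, data_ok in RULES:
        if not key_re.search(ev["target"]):
            continue
        writer = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] != want_type:
            return _finding(ev, "high",
                            f"type {ev['type']} written where {want_type} is expected")
        if not data_ok(ev["data"]):
            return _finding(ev, "high",
                            f"data {ev['data']!r} is not a valid value for this key")
        if writer not in TRUSTED_WRITERS:
            return _finding(ev, "review",
                            f"well-formed write by {writer}, which normally does not touch this value")
        return None
    return None  # value not covered by a rule


def check_events(events):
    return [f for f in (check_value_set(ev) for ev in events) if f]


if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f["severity"], f["target"].rsplit("\\", 1)[-1], "-", f["reason"])
```

On the constructed events the three garbage writes come back as high-severity findings (two for a string where a DWORD belongs, one for a Version string that is not a dotted number list), the explorer.exe write is silent, and the well-formed DWORD written by the sample is returned for review. The rule table is the part worth extending: any value whose legitimate shape is known (Run keys, BHO CLSIDs, file-type handlers) can be added the same way.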
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "菤ㆼ픕뢅鴙ꞧꯁ䎘╄뱌䊟ꙗ轌≗堺\U00049498" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "繼폼\u17fc࿚鬤嘸\U0010309e嫀֘欜驟\U00052159ꎭ濟둎킐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "⻄᮷䕤蟵궧履뗞箲鳦ᄔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "컶聑疆聝靫媨\uee25㾮鴬囨娐諠鸟ꡗ袵ृ盡瓙෮㨅\ue7ae" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "碌梒\uf85fḪ㽳私烃垅㞨墧5롛壇馭峤轐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "䛍᳠石鍈커齦眢瞨赧㊷銸\uf7acᅓ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\IsInstalled = "ꘌ▜\ue80d䌥봺\u1978\uaad0땓ⴅ꼐\uec63虪\uedbdͻ샕䦼쩛逰뢑喤馃⻤ꊈ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\IsInstalled = "퍊㓈糢駥숷\ufde5落鄂⩞\ue52bⳗ勶䚌ԧ놦𫮟꠰刯\uee2a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "䏷穼\ueef3\ue701暘臉罹옋툦䵀뗖鵌ꁯ佺姳㓥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "朅둺鴶궽퍎酥⋨췁ㆃ\U000dae73ꔋ\u0e3d떻炊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "鏧\U00015e91̛쿄\uedaa\ue10c\ue0f1撧⽔剌㼨皒炾\U00036530杴䷡ඛ揜럹Ⱬ\uf78aꟲ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "⏩澪㖈釬層䀴讵▔〣迭㯮㵟ᕔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "玝\uf812\uf3bc\U00016ff2ﭣ먪侄킝Ԓ僘婖̒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Locale = "ﯨ\ue13d遙証㉤鳮爌韔퇖㶸靍偣뜡픈宪뻀刼\uf6cd\ue00f" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "﮹矰\ue3a7㒀틀通㞿갉ꌃ᱅冀氵ۧ臟\uf8d6\ue8c0\ueacfΆ⸖㔀᠋숮嗜촔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "冀騬\ue43a\u0bbb犏麦\ue7c0ͽﯯ봂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Version = "㛽댖䁽鲦\ue491\uab6e餘⼕飞᧞藉漤䔻픪姝\ue4c1栫䠵펯䉙춻\u0e6e⪙ⶔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "㏱臦웿\u0c5e큶\U00055ff4呔\U00067116ꢅ꧟鷿淰▔䱚㭅釔鐲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ComponentID = "⼋瀽酠ﲆ珻颫쐖\uf0e0袲뫄Ꝗ\u1ccb뛜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "鞔룖\ue7b5\ue71e몊냿瑪쨹⋻\ue6d7෩钁덑ꢕ㠤\uf80d\ue8c3\uf656문" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "\uea1e椌ᆚᗇㄲ걥캑罽싖\ue116\ue308﵎嘗ⵍ裄矏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "\u0ef3놼盋⑀\uef9d荹ᘿ⒀뇀瞾㧹鋝嶥狔ꎆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "䨣偦ȣ䒣☥麈䋨ꇗ\uf89a䈘靶毀鈡Ⴋ썔㒉懛뭶→㍖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "㭲\u0b53㓱뷡\U00061c41췣釰牗ᨶ냘瓟Ը䒨镞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "緣냵㛕渡墰侈ꚺ폻枌踐̓ర鯁㽘㡖ﯥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ = "쐞륤귃ݣ甅廜荁팊\ue62b\ueba9\ue178聎䳦罜\uf511\ue88c⬂큂옝댅㑸놛༩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ComponentID = "\uef64そ伭軯锒칗곉痾绁訖靈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "邘쵯褫颿駱屋䚤\ued9e\uf325칩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "\uf0a1죿깋Ẕᵦ匤⦘觋ꎷ淆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale = "\ue26f廊┓髏喡鱄짰聄릍늦鱤ﱠ\uf8b1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\IsInstalled = "驄铰嬟캌䶑쥳훠鷧톍䚔ⳅ\ufadaℚ腤늶엨⡪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\StubPath = "㏿끔䡯穱羀孋ཹꁷ\uee26柶㵔䶱\ued15" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "\ue173ប翫敦酷\u1a8cᇱ䓔筽⯦렸琝壺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ = "湿ꇺ扄熳뾆\u175d啶䔯흛䌺陎\uf325ඌ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Locale = "ꛫ迼쌏搬⁺∄짔\U00083b3eⳗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "榹魈䌋鵅洣摂酿餳濠੍ٹ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ = "时\ue41f艏耺ꄕᛟ雂\ue3fe䯢쿮鷚벋늋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "\u245f\uef5fẈ⊲쒁㿇ț爴䴆䈽딬醳㺩퇶麝\U00052517" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "料盹ࣇ敺⇰\u1b4f褨屬닐猙궛覑鱤ᎥἌ鋿䃰薭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\IsInstalled = "\uef64猛\uab08﨑䊑\ueba4\ue8c5倵Ἶ㤭ṓ湈묁잘ꭚ䤷ꬆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\Version = "讉ュ뀴\ue300톶䆕㌅㫲呾쨜뀘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\Version = "㙑\U0005c2fcﹰ\ua87b━営鞎걕ꛒ㕘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\Locale = "╱ー⡵ᡠ䫤\u0893\uf69c챾\uf7b7\uf4f9扫ꭔ룹ꈕ訾\ua7e0\ueaea騃῝\ue85d" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "䦏\ue1d1鼷졲摋䵮・䱜榭摚㿋⍴\ue382퐍抎킁銛ﬞ雒ࡹ厨렷趵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ComponentID = "ථ⧛蛦៸褟ꉧ夾뵦풆뒧쩊⻃숺幫爮ৠ깩鄜숍逎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "ﭛ舙lR뤚외鼇隩㐲皿\uf1d0鯁∹㎟뢊큂㚁⨋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\DontAsk = "辶\uee7c駘鏿\ue97b无䗢揳휩县㞗⋇\U000379aa\u20c8푿\ue42d蕜檀荫ꘕ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\IsInstalled = "龟鍘읚揦沥ྰ≗\U000bc067卐磎ᒫ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\DontAsk = "㝋⥓脮ǭ\u128e티甆몛ᚲ앖\uecea箙턶傞憳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "⁌ꩵ\ue136Ꮟᱵ黓磭憆숃\uee09彺鵜盥ቁ州\ueda4掤䁹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "坁\U000b9ef4䉾啯栋㪜㌢沭뢟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "ꎵ䞊㕸킱卡ꐫ滑䋡矨ﭮвꡭ⊥\uf469ᑑ\uf350佄\uf5b7㠘\ue506䱳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\ComponentID = "뗀ۊ仺Ɩ똕\U000efccf冔왜폾\U0001c3e9恈ẻ㷭㟈跕쯓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "쟛㵝ᇪꝸﳚ\u177c篙ୁṑ\U000d4082\uee4a㯊君擄⚪웪F\ue768\uf0eaꗶ\u124f햙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "룿픑ﳺ뽁椌\U000911a0䵍鐃x邁ω묱꼬暸螁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "ꩂꕐ\ue0f4爻\ued2d쉖㘴𝄑꽾贠ᶝෂ專꜉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "䶕궷㼃먀ᨀ峡俀龝誾飡\uf646" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "榔琢룸\uec46ꭉ䃏낉쒿\uf629䳙阨㆑௲⩫ᴌ걕軫\uecbc鐹쎁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "嬥帊뗜\uf5bb뼡⢧䎧\U00053577턘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\IsInstalled = "숀\u0c3a譖先\U0008992bꍂ믤田鯨⮰瀾▃\ue029冾₫鱓駋겎\uebb2쫽" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "뒆朋햯ヰ\uece8∙㳍羅焷糙爚ᥙ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "。븛퍘ꃙ緅㟴閸裵檨\U000e518b쇣\ued4b垇䦡⾘珲T" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = "쇙␦굉晿䑁뇕ꈬ၁「꧈죰\ueb41얡ඥ扝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Version = "\uf046\uf2bc玉䍮瑉牘껐묄滵\ue274◿唬㭜雼槧킜\uee9aṍ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\SysWOW64\drivers\hostsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "趔雾ࢼ䷢甼镆꼮ꤛﳂ⢍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\Dll = "슠吡䖼㰂ꠌ\uf221ⷰ췭仠ꊘ︃\uf3f9釈苅텠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "妘螛핿\u2ef8쀜錶ጙ㡉⦓㖶촰蓘䠐缒ﳞ美獠⤅纷籔\U0009029c" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "쩀䁋ꠓޝ縞\uf822틭=奠ⳅ쇀鏥绋\uf7c2\uea88輵褎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\Dll = "\uf73d\uf10a椯榿ᰄ\uf8a6停牙䌡ય뇖丫Ⱀ\ue21b\ued9f梈훏ᣡꠟ۪粅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "\uead0Фꁻ澱\uf8ac⇊沥뙯弭껨簾셂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "쑠\u0fe1Ⱄ\u2067\ue310앷\uf4c4綟ᅴ벲ᴢ\U000a47ab\uf503\ueb85ϣ䯑銍糁逌帖㚤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\Dll = "톖턙䟲\uea4b᭖蕃䘏텮滷ⳌΞꨃ뎋\ue2a3绱喜봔㡉礔櫶鿄\ue260" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "ݷґ歄ඛ箞솢ǽ\ueca1嗊෬睼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "\uf56b㛞옑漤\ueedf궣Ⱪ㑮잗濧᛫\uf5bfɁ殿\u09de婫ϳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "餄\u19af煗볽\ue0b6싙䝅擅㺛ᝆ\u0ef2䞼ア醂䟮崞忀\ue3fe䷚\U000ed3cf윴樱쐢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "\uf161Ỹ鶵뻸왟턚ᴌ恲遬蓔婣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "酻㎈휄웮거ퟻ葕履ㇳ⅓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\Dll = "읕㔀\u242a𗋠徫ᑙꅀ\U0010d80e덉폡꒵ᭅ\u1aae䴊㡡㕯꾈\uf2ee쯅⃒䭄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16\Dll = "齉엉豑⾎䨰⾓䍂\U00072935桲햂뿨倜⧂㲟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2221\FuncName = "듔襦ꆁ봼䳆\ue27a븰瘩\uf468帻縯ỵ崶㵃恳㻬睳ྵ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "등\u0e7a价\uf484烮\U000b023a\U000dee54\ue279ⓘ\ue730𪿸튆䛮\u008f" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules\DEFAULT\Dll = "\uf380\uf75c\uec49㹕긏\ue14c䝮䖼銴욥ᇝଢﰏ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "ᛪ곈\U0008d783箢㑗꣪㒅ફ涐ᆬ枡㼤\uf456ೄ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\Dll = "䍅\uf00f椠﹫族\U00049d2aઃ仐ᢆ릫黖\u2433쭿\uf6c0騨厝瞴ঊ휥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2\FuncName = "ĕ먒킽⅌䦟\ufb0dΓ㱖\ue9a4㝼ﴜཾㅌ騛幞퀟텽죝૭ੇ组蓮퓦◊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "匰ꐤ넻솂玬\ue9c0➯娋込\U00033d8d鴔⃘ယ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "〥ཞ앣姖듼ꗮ\uf026鐱\uf43b㷮词鷦蔸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "宪ハ溈냬ቌ瞿棗ꆴ˚옹瞫틾跕韥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "\uec37쀵纛ࠔ킡퉺ൿ㓲㾟듵店ಇ掯爀믌ꓴ燑簜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "ﳛꌁ튝ζ웴桀웍欄匿럘㳸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\Dll = "퀁韥놊\u1cbcルৄ鄑닮ꁸ涓엢꺌뉛︂뭏鵙欍㗀\ue4ddⅶ\ue2e5⽌염讪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "藽ቘ齟ⷄ쏔㵃\U0001b7d9휖ᙜ뭝촌\uefd9\uf3b1\U00043da3" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "ꇫ\ueeb3㴾㌂㟃醦\ue944⤯\uf615㘡\ua62c虒뾓㠍湨ꕔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "㡺걕她ⱶ\uea65떗涃㖲謌㱋㴤\uf400鏌Ū\ue09c\uf8b9ⱟ쳞劮碼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "ᘒ餍簎ൌ憇멹뼲鵊짥ᣵ䶳ᬱ᫁\U0007ed99뚻챱弶剝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "㵔\U0001e381黫\uaad0鹏\ue1eb簷뀵戺㿗忎䮦㢇ξᨿ經\U0005db4e\ue167맧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "\ueae5視֧쨜㡚ࠄ헃십ܡ拊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "ࣲ㡎黚\ue306웵쳌\ufff1\ue6a2\uf5ab쀗軾뵬綐\ue97e瀱ሚ녚鰚Ŝ䀬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "䁕ಠগ鹫Ẁ幜䁔拺鮢琄罎膴ෳᏳ藈ອ࢞౮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "궤덽ሊ뙵蔿㱒馛ͬ\uf71c栰㘵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\Dll = "갅ᒙ榇畘䤢ℙ虾쎅ᣘ鄓徑璱ח휰沊媭ꚡ丶쬤痆쬃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "壻佼땏ﭑ\ue84b\U00074b7d\u0df7ች螺ﺎ⊖熰쯶ꊆ쫵䰇恌ⳅ럧䳝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "蚯\u09d2눬愄蕭藇ڍ\ue72d챣᱑ꐈ⭲뤾湫缢赨蒌䱢蘨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "䬜えꨶ큝น冥뱧趻മ\uf227ⶖ鉷兰\u0dc7㌑횘\uef39湗妘ໃ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMd5ThirdPartySha256Allow = "䁛珫\ue11a竿\U000da057ꆆ㶛\ue70b屃鍃먱惶煄\U000bc80e쓫쥪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "瓓銙갫\U000488b2͵ꈓ搆\u12c7㐨眀꾲볟\ue8b4ຨ镾\ueba0\U000d9777꺔﹟Έ응⟌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "𧷛⹃챢ᑠ톳்塈骦鐧\u0e64\ue365\U0010f5b0Ԅ\U0010ebf6䂗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "걇텂븈พ謕\uf009⦛\U000498df蟤\ued6c녑θ갹轓\ueae5跀β\ue95e횯쏡ఄ㳙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "糰㲅昩\U00085caa蓿脘⺦眔䌈葫\U000c2e1a㪧颸ৎ먹\U000c3eb6膗ጿ唚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap\Dll = "讻খ쿖岸餇┃⮪뻞៝촾⹃匕\uf7f1뺜쎰ᄶ肗垏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "ꁠⶸ焚露\ueecd랡︳䅯ฒଚᯩ\uf70aẠ\ue5c5∸\uecec" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "\ufff7鈜㯗\uee75䶠\U000ee731\ueeb2\u18fd习≃漭绂閺篿粽텴倷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "瞧Ὦ䰒꩑摄蟡蟕㤉짮씥ꚟ宬Ԝ\uf795㣬쳗輗⸀ꃘⴔ鼶\U000ee89f" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "ꆡጅ앰䤂푧\ue690ᇚ\uea7c䕆\uf658ꮐ髯俍鞽汻們簖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005\FuncName = "묜\U00012e15䛴\U000d922eᾖㄆ섄挭傛宦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010\Dll = "绪옎疌꣖⚓ꊸ㴣\uf00e㺏芽澣즎慒䬹稸៣\ue325ꈬ\uf670䃙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222\FuncName = "㋥䠘呐𪠙崜ꏮӛỿ悂騹쟧\u1c4c䦁樄뇨ㄚꗨ課Ᾱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "ɍ挆뱯䂦酪᧩\uef18趕얧\uf8b9ດ酠啝꾮簬\ued40㶔元\u1257뙾囡᪈ᖇ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "볊撳ᰤ㷛餯舼蝣耻綧ᴇ蝭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008\FuncName = "\ue5f5鵭Ⳗ쟮ꙛἚ瑿튚酪𭴱旳͏뫕묅ᛎ︿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "杲휣៳鋋४嘠\u1311婤䛇զ䌯걸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "绮ᦍ境㘎㬢㺅黗䰿빴誑\U000eb0af斉ᡚ쓍ꂖ鐋揭躲䔤璖젳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F}\FuncName = "þᩋ뼀찶᧲Ꙝ驢曽\uf695ᵌ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\Dll = "潼ㅩ≰⨼⩴鷛雋躙\uf42f膝⺙犉㌮掖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1\Dll = "㼜햀쇿ౝ㑻퓣Dž鏬캪⎇㘡騼\U0007c023" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "⧋䭊癿民륾\uea1b\U000e72e1녎㿛閵鐭킠◁봒㧈嗎禺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "섗㎐㏍྇ᇝ싸䦴ᑨﱅ㧘說羓쌰硏茂믳捽\U000c9d1d鳝廲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "맟刡袕台轥\ue261\ue8df沋鐺焹힚毮\ue2c4ௐ䍛涉熨\uebb8\U00060adb䪈ᛸ蚳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "뷺싍ꛅ騐甜爚颓軚ை偤ⴒ⒄\u0bd5﹣\U00062770爹頢ꅢ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "ㄸ詜\ue116̛띦左쟷ᐗᰣ䅢㜠졮\uf3d2\u13f6⓫\ua7e6袾䷡\uebcf" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation = "ᬢ原ꂩǿ얉\ufae4\u2e6c굥찆說枫幨ꖋ╡紀跮쳽ūཤ\U0005fbcf篁≪\uf328" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "\U0004010cѧ\ue60b틦ྎ넦\uefaa\U0004ac68\uf07a宓뇖鉹衫픵ꇽ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "ೞ㗏凹詜ᇁ婎\ueae7暀媙㭰ቺᏒ鬑锫㽢Ἑ㙩殗떬൷⁘ཥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "濨\uefa3洜몈\ue57d\uf4df꤀헼㈰충" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "띄ꕣ㎼䒑妪㯔ㅕ갾왦㮸焧ݫ桘ꖮ矦颗袦숵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "ꎰȶ紗玼㌖㌞䂨륨㳺볬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "梠\ue9a4糧\ue052\uf66cϼ\ue1e6ñ҄ᙡ듾\uf4be䤚ຮ\uf295䪁Һ䇉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "魏䁒㖽껵Ź᭡ྶ韀䑴剎₇벙ꝡ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "솽픽쟁粟봯\U00088d3e蔀牢࿐⑺촛驕抒㔔边콋㽋䆳\ue28a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "勣➙洨⟴\ue98f䆚ꓱ辔尪⫿\uea76" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "縯蝑荜⊭\u1979诶ʠᯮ揽篾ﻅʸ讕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "䗉犟䕉倗즪\ue222躄ⵀ빪乱ヴ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "\uefcc臣쏝ᯭ\u0df8飰㓽\uea75⊥ꖤ霏莿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "쯷线퓦곊앟샑쮃慑ᡂ㦇⇣ꕻ\ue9fe硫\U000fc655졅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "\uec40誉婧੮ꏑ鱜㼊㯚㕷ᾱ눇\uf6c4臘簵氡㽪\uf2c8\uaa5a䜹ﮪ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "ㆄ\ue756渭귷汛ࣤ\ued65悫\ue65b豊勤譶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "쉏㖫ﳱꜲ燝砕쓼ڴⵠ\uee12⩮,\uf41cﻒ諝\uf0e2Ȕ粤헷Ⴢﻃ醑\uec65" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "롄俳ආ禇\uf687杄\ue243톦䷝\U0005aa90戠볏\U000da79cব笪壅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "쒣妿哲珘㰎鬭뺧\ue29a\uf8f5䘹ᐁ틓댁\ua9ff뿏Ⰱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "꩷쯋䬮ᑳ始絥엕贵旫Ҽ䤈\ue98d焻⃝⋦䨿嚸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "腠쥲\uf54bⲸ\ued7a伳틸厜\u1cfd愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "볏躤䃡怙\ue791䀎ꭡ췬쾜妞졨芼繊䐟՞車畟\U000d5727컡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "杣ᆣ䆡欥迩呞撫Ꮉ竣㳘핟坻ꡏ\U000d0e0c𗿒\uecb8鴽ⷹ\U00039583䮿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "\ue4f2ˏ椯똊\u1cff詿⣊㐫寛뽭\ue11b䲉ノ⫲앒ﯟ㨚닶⁅ҽ䝾ꢮ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "浂웄ⓩ\U0005ddd6\u0ba7䢼\ue033潤簋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\msmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\svcboot.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallPaper = "\ue05b請\ue76b\uf387\uec1f炬♃\ue20d㜘쌪찆ᝊ\uf085" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Internet Explorer\Connection Wizard\server.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\thorium.ico.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\syswin.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\logsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\svcagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\svcbackup.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\configtool.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\svchostcache.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Network\netserv.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\hostagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\INF\driversvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\bootcfg.dat | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\winoptimize.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\taskfilter.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\INF\infhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "\ud7aaꗏ䟸\uf3d8䛃턚朖⛜쭽𤲷邭⢰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "쮹饍甃뗞湏讼ಒ퇶譸썠尭\u200b꺍狽\u2e71許\u0ba1뀅뿕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "뵿\uf7bbᇧŎ\uf3e4ᨚ䩜㵑\uec39棒笤\uf790쀔ⵙ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "༤샀\uf85f᧽퇣鐕沆ᡄ쯏Ⲝ蘨헓槒㶟奔㌍蒇舿靶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "ᑑ傗ꚿᦈ袤떔鈼釷蛾搑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "혍⎨괞ค뼺䷨⏻圩㣲\U0007a31e嬸嬟\uab1d峸杖얳\ue9bdࣦ띩僓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "湹뇟ꋲ৻᥉₍Ƃኳ궑跲꘢䌙솯፴엌拮둚쎩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "\ue525⃔妭궇찱啈핃䍣삦䠼돧\ue629吡䃮ᤅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "ꘀ淸຺꪿䖳ⰾ좩Փ뀙\ued3e驯憱ꟲ쬅京ᡣ俀寜쮬脣뎏℀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "韄ꦘ눫샇\ue4ec禍ᤗ섟ꛛ塳쁫\uf056㿺ᥱʳᅧ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "\ue275쏢㍩腦溸囨깵謹殻𩆹턯⻠㻧Ὅ\ueb48ꄡ㍇訐᧸웚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "ၑ⎂ᓸ啓\uf4afꀄ\ue629惟誢\ue5f8ᕶ땾褭랂\ue2e2嬎ƃᓛ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "꺈랁ᑐ擰脍ᔑ䗒듶究澮ⰹ\uee45㊭ఆ驔ሟ瞾㠖ꄛ늭禱಼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "ꏗ\uf59a醟\uf0d8雎번쀒♯샤땨蛫曊䔃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "팥朹\ue137糢뽙ꕻ챋⨣缶삞襒⺳쳌縘篏뙍蚘ﳶ뢻꙼㖜婇䘮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "⋸ꂷ䬢竬禘앟觼ᶎ鴏仮뭤\U000dadca骰ຢ炁쮨摠䧭〹迣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = "玥\ue3b0\U00067018\uee72\u0bdc\ue1ba뒳텈\u0b84ꞅ𥱒ꖤ廔꼿\U000a0df6ᅲ︮\uf5f2" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = "针土㞶\ue71aᯓ这\U000cacfb\uf558傺ሂᨑ穟馮䧜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "\U000850c4祜䔓ퟚ\ue9a8㯏쐈㊶歆萶떌躎\u2d2a䲗}豎\ue456蜙脒퉈˘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\ = "ﻻ뇨鴪К坧樭퐽擓嵔倥限\uf7d9眑מּᒙ죺彏ᣖ줃癌\ue223" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "權\ue6a9窬꜔樲ꞯ\ue380\uf4f3䐑︗뛴줹\uf106Ӄ狐\u1fb5⬰엞⧻ꑱ⚙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = "ਞᮑﲘﶀ䚼쫴㡅먩⯑⺗躡⢨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information = "ᾲ\ue025ᢡ\ueead\uf233圬\uec19\u074b啉\U0009f9a6ﳬ⦣瑚⢌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "焛社䡉ሆ\uf801⏰ꮛꠟ箩濗鍡橏ࢀ肊\u2e65슰ᰪ쟎⺐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "튝㓜炔\U00012971㡛뼘\U000c01fc靬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "佽샛踘ⰸ\uf73cꏗﲑṎᰜ湯鱄⑵啔탧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "쑘䇵䗏셖⢫桻\uaaff撃ڽ⥧杵韄\u0d84ᦁ鵨旟쾸鴢\uf1d7匍ᴩ泤戮즂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = "蝜뉎⊣㚹\ue47f勘㆐\ue94d渋筲훯\ue93fﭺ쿺ϑ\ue71f\uea9e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "ᗹ覱磗ὦ뜵惕ၴ瓞衡ꡑ駾餖ᮯ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "\u0a31퓐灠됣尛\ud7aa㦤\uf72e횿쨎䟖咔릯ዴ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "谵谌㼟셓峩埔ෙ팲ﰬﺓ\ued4f넱ڭ\ue3b3鏕ᠢ륣瘼ᆲ嬪癒┙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "퓷춑鬋\U00083327餠쀺潦\ue7e5\uf330\uf2f5賛뫞૨䇟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "α㴦❻\uf8b1봧숦瞬㩔緁덫ⳏↇ㦍繿緦寓쒭╭Ҕす\ueccd" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information = "\uaad0ꁅ᫇㚐凥ₚ彔क़⁶⊀뿡\ue444ྲྀ鿴혻獭ꯪ룻ﻀ匈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ꘖ曍⍐돱▥뛪銧턭羭福穜\u1c4b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "櫖\u0ad3\uab27\uf1ea၆榅\uf4f5师䧁僼炐\uf85f㘗㊽幅脯ퟚ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile = "𗒂춠糢输疷䩇ﲲꤔ젒ѳሳ䨋년㩊Ꟁšꥋ됤\ueca6\ue0be⚐콖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "赝鹚紦滩냿᪰쇈襊쌣\uf24d﹁⸨֨⒔ả塆ᒅ宩죓꺌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "藀♴륥镴⨃כ\uf5f8嬀吲\ue64e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "䫜흋\uf796⭂謾蜻ᣘえ璙쥟ᰩ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "㧤剟੯௯캙ຖ䈑↺쇤铍罦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information = "짦슟扭蘣㋪ꦪ䠩꼓鮅볬羐䙸`딱脘뛜ᛄ㕤\uf08c㥺ᙱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\ButtonText = "䌑稍堪艷]ħា\u0ef8引꽥Ӊᑲꠠ뇧䊙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\ForegroundLockTimeout = "㏣휅擔쮩릞\ue781읥흇㩉阎砉顗ⲣ⟏䵿艿鹉\ue534돑\uee82" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sLanguage = "뻬甍ॅ뙌锠\ue5eaﴗ\uf040猷訕꽴\uf2a6堓薁딝࠹\ueaa3됛窏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sLongDate = "춴흹辖뛁绗黴葙淋骛爗輸뵃ቃ蘡\U0009253bᄞከ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sMonDecimalSep = "뎄끑ᘉ宊㫸ɷ䁰橽狨\u0a0cﰰ뺦\uf121⤋濼凜\ue91d둅⛑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sNativeDigits = "묞쩓幜絙㔉免擥ꍟ\u0fddᴿఴ倏\uea49跩᭟働嶏\uf1d2㖫꽞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\iCurrency = "奢ꀿሑ⫹奯뾎놎鞚\ue14c싘觗众웹Þ忲⊬\uec1b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "谢\ued4a摭鐖ྞ烙೦妰䝵⸦㊁诼퇻窝啛쵸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Appearance\Current = "\uf268╱斋岹놄㚈붗⨌핕쪈釉萞壽\U000afd05웷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\InfoText = "鏿銅ો兖埙艏맾쫺ꀱ摨驃\U000f2c34⨘\u1ae0" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\UpArrow = "覫猨䍂㜣凹緛蚼젎㽇↧뷘砺\u05fd뇄₭傯⠳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\FontSmoothingGamma = "侭Ḱ\u1f46ó臭獫ﰶᑤی懿ᵚ軳섈栀ﮔ\uedb8\uf65b镇Ƌመ㡾纰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Keyboard\InitialKeyboardIndicators = "廅灢쒸ᑦ庪ꔜ⊘。훛긽킴걨浻矵ഁᢕԤ硫㧘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Keyboard\KeyboardDelay = "\uf65d3ꊲ䑉籈㤦频ᒟ嗶◨\uf8bf\uef2a䅜쁋須ಸ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\SizeNS = "髨ঘ\ue7d4\uead8溓ⶶ䝀윍笄\uf401¼⇊惶賗\ue748﹂⃢╱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ActiveBorder = "趯衋褪ꍅ薴켶뱠\uf5dc阯ᄞƌ㤑뢾\U00035030ἥ鞡䵒ᱲ䍢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ButtonShadow = "ⷔ㰢篡뢟⋏얄\ue62a㻘廬\ue0c5땈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\CaretWidth = "\ue3e1똼尊兟\U000c3236䁩섲\U000de999擵悑珃栘\uea85\ueee5\uefcf㏓裋力ᛤ䏡餇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\MenuText = "ꡂ檲鐱炳滏\u086d믌⦴ꥡ틌\U0008bbca\U000c8ad3鱮꿮揧슸ᔺ兕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\WindowText = "\U00092300ጼ熷៓\uee65ᓜ坩믴ͯ桎홸ͤᡸ鮹ᖥ☷ᴩꨀ⋓廖饟\u2fec" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = "펨㤋\U000dae35ホႊ翇짱\uedd7\uf528\ueefa멻♲樀幺홇䵑㿫䕗懈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sTimeFormat = "쾂頿튌Ϲ㤓࠺魚狚炩瑩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\InactiveBorder = "ೕ养쯀⡐⎦씫\U000a97af䭵\uf73a泲⳹ᶵ\uf55fꪇ\uf8c4쵈죕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\DoubleClickWidth = "\ue6d1杆沓捛Ꚉ踕ﺗ\ue8aaਘ쭼\uf8fb熉ꢷ彟ퟆᡙ肨왦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\PowerPolicies\0\Description = "\ue6e5\ue126\ue5ee䩖첖緲얽ꆍ釢쌈⑴呿付孱袕腤簄簂犇昔櫈\ue5bd輾哯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\PowerPolicies\3\Policies = "乆ꅥ뺪晴⽐纄\u0efcᚐᙇꢰᣗ睵̌㻢ᐪ꽝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "撁꩞꤁实選ة矜梊胝쏬频푸⟅ᖹ뢓굟\ufaf4\ueb7e㴛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\Hilight = "볕빗㛚ᡊ䶰뺯䳐둋훃헧\ue058堤䠜덮빡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WallpaperStyle = "厉말…ﳢ뷀ⷭ澒醔쥅쵰∾윕⨢鑖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WheelScrollLines = "微\u2d29밄\uffe7谪慖⁝\uecc4Ꟗ\ue5c1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\LastUpdated = "ᓂ䷆㣑笵뎧△ꃈᅂⴀ覩럔磹\U00105a72䢖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\ButtonLight = "瞕㢊햦䢯졬\U0009914b播\ue5e3棙韊㷞迨ቇ筅飝ڽὤᥦ\ue220宝昱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\InfoText = "ꍸ횋虉⣎猖\ued99臉돣纘\uf8fb㢓搉Ꞟꄤ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\CursorBaseSize = "\uea72묄㗒ꩼ飶\uea18ᬋ홗閐獝甀廙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\DragFromMaximize = "恣ꦟ虦㷻굎潠搶\uf101꽮㾘\ue767讱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\StatusFont = "\uee2b裪ڭㇹᰜ샹ꑻ푞逧髯\uf773틽줿䱣̀辨쏈\U000afee5瀠狯ᇬ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\sGrouping = "㪏邢쌦꩝襑\U000e342c\ue050Ż্耺\U000aaa4d㭘糜\uf1ac" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "鉟脷鵊⋇樸禒ᗃ䟞礃銁푕䣃蔅弓ꔮ胟ꆬ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\SmoothMouseYCurve = "얎䫦⽰ຉ断ࣟ髱盉鲡寷ꃈ蒳㗈┓\ue8b9⟷둩澶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\ActiveTitle = "\uea52\uf1b8\U000b01fa朅ᐮᕋ焘Ⱓラ瑚⁄◜쟻蛦㺽집\U0010c0ae鰏ᒫ辎Ԯ劳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = "㙉胴⯊䟃枃卍倹닃彚\uf078\uf3da梖嚢য়콺ጋỢ萶ᳺ\U0010c475荋\uee94︡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\CaptionWidth = "\ue105퀰ꐖ慠䄃\uf857ꔇ㎱᪳\ueaf8㡹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\ScrollWidth = "줪ᛸ䛥䶘Ꜵ\ue5cc岅쯝K\uf45eꝙ\ua8c6⫺ø뱗\u08e2囀ႋ✵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile\ShowTextPrediction = "凓\U0007e99a癎偂\ue218鏠\U000b8891ඵ㋰뜎曗\ue8c0" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\Beep = "\ua87dܘ\ue9ca逩输⤝槐\uea3c蝷귇㋈烡醓⑭匟瓡褎뢸⚨ⴶ\U000c6788ꁽ鶉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000072\Virtual Key = "菅ꫨ\U000f829c\uefd5贫\uf603朲꾨譭٢諐း餵祼垫牾㻌剛휏\ue8a8蛮놕礧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000104\Virtual Key = "ׅ김烏ꭑᑖ∱\uab6c\U000d222c譌纍ᛛ昤䃼潪붿\u0590" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\User Profile\ShowAutoCorrection = "萜흇ڰ趾𢶫\ue4d9枴➲㩧霽鄸형➦烤悚岼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\PowerCfg\CurrentPowerPolicy = "킔誐\u2d7dຍ嘫𢕗㥉\uf194᎓\U00084d0d廒錾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\MinimumHitRadius = "壄僇玑福䗦卾튜습춐*剹觘볥\ue61eủ龒焔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\Menu = "䄅愲킄\u0e63讽\uea77횜븷\ueb90﹅젳Ⴤᑿ⦉貴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\TitleText = "〺ᅥ\uf002ꣷ苫泥\U0005c9a3幭鯠\uf091萂\uf297\u2ffc" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Cursors\IBeam = "鯁ᭉ⺲や丣奡榄곜࿚僩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Colors\GrayText = "貀\U00093781❙䩗\ue690鱍箪\uf2e7䈼ꡔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000010\Key Modifiers = "\uf177擤㨿俱뵢\U0005cf27䬈ퟂ奶ᅨవ䕟ⓝ絕ᄂ♚\uf72e䨼㬖䈱ﵹ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Input Method\Hot Keys\00000203\Target IME = "㞹\U000af193ᦎ즈屫돈\u0efe젲ﺃ\uf4e6ﴴ絜ᆜ麝蓒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\ActiveWindowTracking = "𪗬墽듈獃䐚\uf1a8\u244bὪ簯ḃ쩌ᔁ폓阗⡂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "玓㌛ꛎ쿥㊒姻Ṥ\uec8eᲰ䧅괰Ȏ\ueb55倓걇撡뜫놝詞ᔍꓲ\uf205" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "㹨䗗섿쑑\uebfbᅬ葃롍\U000a69a6୵䍊룸ப煳ⲥĊ蓗욵\ueccc" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\iNegCurr = "練ἄ蜄槄툵\U000394eb\u1aaf﮿㴔鯸辖ྣ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Mouse\MouseSensitivity = "榃\ue0b5ᲆⴴ\U00016bb5阄뢚阔\ue9d0呢⚑䌋럀翄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Accessibility\SoundSentry\Flags = "䦧ﲍ·ﭲ\uf2ff牸ⴸꅉ笍\uf24a柵舭\ue3f5" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Colors\GradientInactiveTitle = "探瓖欼荫\ue966ٸ\ue8fc渤帑삱奜龶틴\uee71\u2d9a쀡㭁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\WheelScrollChars = "\uebeb\ud7a8ڰ⚠覭袄蜁蘱ꂑ\ue1ce蔧\ue049\U000646a3" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "依牔ꋻꀤ\uf711屧\uf4ca\ufbd1\uaa39\U000c97c4鎂ᦖ命봣Ḅᅩ泇\uf208瀏컁➃懍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Compatibility Flags = "諽㗜\U000dca51萦灉밳瑔欞\ue3b1䪷氋빨⽔앤ϟ\ufbcb沓擞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{285CAE3C-F16A-4A84-9A80-FF23D6E56D68}\Compatibility Flags = "⋥\ue8bb︼ᛢ뱚㚤倵༂椎창ⴶ폧Ꜧ┶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}\Compatibility Flags = "ȓ葫㑆\ueda0㬲堨梁\U000c7b1cᐕᴗ\uf1b3뗥邠⚹諰ಖ㳩칕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E673DCF2-C316-4C6F-AA96-4E4DC6DC291E}\Compatibility Flags = "뽮ꋠ\ue01d螲ڷ郑\uf085\U000a2c00㿿\u2e6b蛕刪睘븈橊瀗坻ᓻ胹ꔔ\ue4e3奖崼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\CheckedValue = "Œ숫ﺂϕៜ϶身렶춐옒쳓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{759D9886-0C6F-4498-BAB6-4A5F47C6C72F}\BlockType = "裩畣\U0006bc42酤츌溶섈暅꒼⨀\ue7c9猱ᐣ𗼩帞赫ᥴ軒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\CompatibilityFlags = "浌䶼磪싔憩貼\ueda8ష㩖뉩ꕲᵤ熝\ueb45\ue340\ue11f" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "㖏\U000a44b3쒃领\u1af0쩤夵⭶欁ਚ伮꼉ᓵᢍ\uee79\ued20" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\Compatibility Flags = "擓迓𠐚લ辐ᠷ킞ꪑ손騠垻䣚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F198A89A-5042-4294-ADF1-CB163E549798}\Compatibility Flags = "㦸ँ梀禨滤ffi儶蜴\u2d26᧩\U000792cc暹럔煷㥸簒\ue026" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\PlugUIText = "寪돓\ue179믹ೳ囱Ӳガ\uf185쑥ᅖ\u2fddꎳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\BlockType = "㩡\ue729쉯\U0003a4e7黙⼷埰쬟છꥩ輒鹔남\U000ff43e茫睓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\HTTP2ENABLE\RegPoliciesPath = "ⶩ谦㗷〉讏\ue062䞣␌况瀺䚶ꅠ\u1943셅亠㶤\ufaec" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\CheckedValue = "\U0009a5c6劯⩤䟱洘侃⠛뚪䣚헎㍳냵䋝\uf0fb⎇\ueaac哇퓗迟ꀣ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\HKeyRoot = "䵜좻慼甞瑒麪㼱䟬墍ﷆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE\ValueName = "ሞⴈ槩ၦ雝搠ꥥᨘ𬬇繩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\ValueName = "㴼诼\ue97e솹建桘ꅹ뇩\ue4a7웜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION\PresentationHost.exe = "ᖓ⍈莐䣳\ue043鴆泋鮁ᒮ倿\ua87f鯠폝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850}\AlternateCLSID = "\ue4fc귺㈙\ueda5\ueba4飓丷僯ꁹ᳢窵结ŗ캷鼾탶̷谹끣\uf808隒己" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1\RegPoliciesPath = "\ue2f4誣−굝괅獂ຫ䍏攣彭㟷ጮ鋞㵟선ம\U0010ad60睕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}\FWLink = "ᠲ吢퍤惶䪪뢛荹꼽\uf859ꈠ撤袊띪᪭✛\ue9d8䮑\ue9ff" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ゾ䈕◛⤃ﬖ\uf416⅄\uf412ᕊ冂⚪當\uf024ꗮ羞刞䗏ኍ鱣켔䯁竵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{261F6572-578B-40A7-B72E-61B7261D9F0C}\Compatibility Flags = "ׄ妙䉣軈曩䅂鞅甬앾➕驥᭡䥈ュ흄ꥲ焆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5A20858B-000D-11D0-8C01-444553540000}\Compatibility Flags = "\ue09d颇묊吝ଜ誨≈\ue0d7ଅ\ue9bfێ㶫䤓웡器袻굴돞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "餞랅撖錜\ue515Ɐᐄ엮൏娶諻ቍិ脙藫婨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FD351EA1-4173-4AF4-821D-80D4AE979048}\Compatibility Flags = "맆帉ཀྵ\u0cdf駢战⟙\ufade蓜뼎ፅ⽇\ue753\uee85뎬㥁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\CheckedValue = "虪|\uf6be놐ꏄḉ⫳퉩鍉㔹쳛\u18af儽鹃଼禶❑\uec28䱳\uea86癟ᶱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\Version = "眗톼\ue077纗ࢂ\ue951휒癩\u187f赙鰒ᮿ氿㉧ҳ嫑ﶘὗ笗䌚\U00080528" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}\FWLink = "\uef50\uf140눴ꫀ珆\U001081d4猴Ⳋ缋⭩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\HelpPane.exe = "\uf82f㍄賒\uea6c㜳属ᆜ橎쯼㎔黧六颼㝥\ued9f㉥縏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8DBC7A04-B478-41D5-BE05-5545D565B59C}\Compatibility Flags = "櫛㕯\u0a7b\ue9d4㪧ᎀ\ueaff\U000e7012℩§䯰ᕜꥰ껭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9B8E377B-7291-491A-B611-BB3E1D5F99F0}\Compatibility Flags = "㥀ꮣа蜁Ѽ輏줉༜꘥Ⴑ处࿀頱ᮑ䭛㡎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\CTRLTABMRU\PlugUIText = "犃쫂魎ﴈ봊襀걋⼝\ue9a4炷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}\DllName = "ີ៍\uf287籂콵괤\u124e벫揃캆Ꞿᄀ\uee95폲ᗷ仼\ue4b9큃࿀魙㶓ȃᔝ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}\DllName = "\u20c1ؑ悱曾쏫ⶓ榃恏ᄰ騜躘̐₠肴쌔춒젇쳄忛\uf0ad\u0cf5叆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\DllName = "푂\U000bf54c娽\uee31럫焚牶⇗㑲⌎\U000a6722ᛖ魏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS\wlmail.exe = "宝\uf129퉞ῂ늠숕̜⑁戳祴ᆲꇄ婀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SearchBandMigrationVersion = "\ue92e橙გᇮ핖经䵬Ⴭ愓뗉鑢욯ᮛ㒝䡪쩌\ue7fa詞ⴽ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\074FF50D0FBF0CCEC37F65E137C91EE48442FE4C\Policy = "≊ㄊ貭땸눤먪윞踂턉睡족㛫➦泥\ue2bc뽝袧\u0c29슱饑㯁\U000a5af4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\5F3EF8894394826345EB838C8C72F3A40B521893\Policy = "哄㑞\u1737ꁳ꙯あᲔ𮘀彅໕颏䩷嵺鱦匋楮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE\Text = "䩛쑞刲ᣁ㔟膌ᕫ豓ꇽ⏡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "\U001047dc榴褹\ued38兕ඌ㺴藒긍ɐ伩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d}\AppPath = "沐\ue9e2穱腺땑쨗⯙ꠢ\uf56f櫈퐑瓾띵㥁떚\ued0a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\AutoHide = "\U0001aed9撹͖┧⩈׃፳砌闚\uf686嗋ॅ筎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}\Compatibility Flags = "\ufdcd氤\ue6c1堳擃焒줷\ue19a䡉\U000a3196Ꞁ︣ꐽ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\WinInet\InitialApplyCommandLine = "\uf2db\uf396贊缥說串챻辋횦﹉ㄡ䴞\U00080293뺊놱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}\Version = "璉\ue813啳ꧥ깨쨼勶၁ꩭ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E}\BlockType = "춍䬃炧\ue231\ue690ꎡ饿ిꃊ奄ゴ瘗琤뮽\uef11գ☢ꮾ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\FWLink = "ꖄ㘇舒ᗺ赪끠\uf1ed鏰ꆶỜ\ue0e4熝ꅳ⥄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Placeholder_Height = "햝硖札ᕟⰜ莞駟\uede9ꑆ騎䝤ﵒﭏ\ufdd2ꭒ\uf827\U0001a295錃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "\U00064192\uf46c奫畄脤胼\U000e6d98덵⡥숞졑ṋ熚윴앭\u09a9᷐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39A2C2A6-4778-11D2-9BDB-204C4F4F5020}\Compatibility Flags = "眥፝\ueeb2⚰ࠈ픛쇧\U0004fb19䟠\uee0c닇ㆇ긱ר⧜យ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{68BBCA71-E1F6-47B2-87D3-369E1349D990}\Compatibility Flags = "㫟ཅ癷ᷣݵ뚍\U0004c6be娉盍뢏\uf150䓏ꡡ숬欢ʜ㢚甪ូ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}\Compatibility Flags = "餼祠ﳸ溱숤狙ງⱅﷱ⊡훋猦懣뽕\u0a46时" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E38FD381-6404-4041-B5E9-B2739258941F}\Compatibility Flags = "麬⺳\uf174繠撹鶭ḃ︮\ue89d䷰児龏䐝㋑䢬᧟扸셃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES\ValueName = "점⅞\uec97\uf33d継\uf596릾䂥皲賓Ꞗ熝ሷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RequiresReboot = "\ue980幖빎㮯䆧홋括㾍ބ챊Ꮘ埦\u0c50㊒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\CheckedValue = "뻱㊀쇨뢚蘿\uf36d憏䩧竿ﺯ퍁饖\uf26eۈ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\NEVER\ValueName = "冝\ue8ed醙䧝\u31ec\uf225\ue4b2狊鲡ꤱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\GENABLE\Type = "諒쪍鯵\ue728僉簜磑䂢↋釷䭬힅\ue572䒀蔷䙨갟\uefd3땕儘캃墻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\PlugUIText = "\ue1f2휻ꙙ㔛䧂⸸寭\uf355ࠓ\u0c4e졿䬸ɼ㕪긌\uebd2㷓튰쨺颩\ue4bd" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "멫쀘免ꌌ⇔厠ᔰ䮗Э啡Ⴘ싻䗴丬□\uea07㲱ꏏ葑걕\u2008\uf0f4칉群" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}\DllName = "ɜ磸⢗༵瓡⡃즛醓릹\uee86쀽ូ䛴楫㧠䬤ⱞ\u2fe4斆î炙\U000d96b2矌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-displays-topology\WarnOnOpen = "┣ᾠ牷擴蔐ꚱ᷵춋⯿搅燡鴛數䘐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "뻜\u0ce5\uf034髿虯갪৯\u2eff傏暾ҡ\ue644甈ފ亍ࡷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ด惈沵丐\U000a4208閐ꗳ픁⟺⣠㴊\U00050eab載⋀\u173e\uebad횈Ჰ\uef28" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Cursors\SizeNWSE = "靣켣ㆂ얤摆䇢衶\ueaa3\uf8d6勐\uf46d\uec3b\u009b犫邼頬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\DragFullWindows = "壹蛖㽮掎詏ぷ䎤䟄얞ᬩ䔐㞜⫝䮿똢យ\ue093叺刄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.XGpuEjectDialog_cw5n1h2txyewy%5Cresources.pri\1d7e536746cabe0\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\re = "⸕绢멼鐊痷㋖웶\U000ac16bꭴ\uee20\u0bd3ᕷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\filetrace.sys,-10001 = "\uf292㐬䮢鷹ᯋ♴ࢀ硫䍑籗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SoundSentry\Flags = "쥟頜禐㖓㖋넓\u1ae8欂嬆왾쐇궐\uf4f2\ue6c6癹ჽ狳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.MobilityExperience\Capabilities = "붿齄鷡钏泷亙ૣ䗔欲谋¬\uf16e鍡┸ű哻熍ᵊ䚚Ȇ졜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm9\ = "遀ᅛ쾆夣㌆ﳸ\uedae䥬陒땣\ue8b4ꌇ澞\uedaa䩠럣㩁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\lfsvc.dll,-1 = "⮼띩肅㝔蘭蓝\uef19Ϭ翇欭ﰅ뢟髵\uf102蕃ޒ儁玛侐廅힒皆ꖱ孍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Alarm6\.Default\ = "㳱緦ૉ竂䌕愁ᭊ찷≻켾\U000e35a0ʼn\ue85f最⥶釾瑵\ue534巰\uf583팉劉杞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.CloudExperienceHostLauncher\PackageMoniker = "샨㺉☛༲뚍\U0001476b跒袇塰鈰ꄭ릿暂≈\ued80怋燸㲈䟼䫇鈠੫捺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "㕙ᔬ꧙ᆮᲭ㚾ꊸ\U000848dbâ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\BthAvctpSvc.dll,-101 = "័䝳䆾埥떪枷䲗ﻒ꾚剴䍹備ꍓ\ufde2䖍\ue3d6沺\uec76虉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "ꡀ劊珧䊰蚄ᢱꠛ㍮睃쟯瓶ꢰ䍿\uf5ea娄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Desktop\FontSmoothingGamma = "祏샻뗯뇻敶ᾳ꒟ꂉ數闀派븓㷼\ue696㋒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000010\Target IME = "ᕞ踀唋䕹\ue667⊄譞삏አ਼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\International\iFirstDayOfWeek = "蜫䩸ᡨ\uf1a9뀷\uf5eb砰㊫\ue30dﹺ纾顅魁Ϟ\uf800똙鋿ﭭ憪⬼㑹액" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm3\ = "弁ू襞\uef46剁쫺퐮짴퀺롑侜炷ᵖ䟺ੑ쨏≔쨭ꕳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4cf7b9220\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906. = "犸꾉笙讎\ue0da䰖㌴콖涄攜칱眆諙ꢵ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Console\InsertMode = "ꇇꥡꩪ換捹뉱ﰲ꿦왠Ꝓ㻾㌏닀絣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Appearance\Schemes\@themeui.dll,-851 = "ᡥꗎq\ue3ee\uec48\ue933㰷盕钵\ued5e慥\U000c5423厙쉯ꆤ뉜滐赲区伩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\5\Description = "ꕉꟁ鵋예\U0008a2ceꇯ쏎蝙緎뽔禧唡\ued7c듛㔤ꓣὥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands\upRight = "ฆ包ꇑ昤⡖ᛙ矿\U000681eaﺓ\ue29bㄧ켾ᕍㄴ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\fdrespub.dll,-100 = "焇\ue985\ue2a1𗰇嚫\ue66d錶\ue545街큲ಣ壒뢿䥌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a37dfe62\@{C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8b = "苼젯ᣏℸ岍\ue9b3ꎗⷰ៙\u1f4f\uf320" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Console\EnableColorSelection = "\uf8ee뼉솹岌떋軩ꅳ톔釴䬶쥚逃鎦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\drivers\http.sys,-1 = "ୠ룑\ue246᷆除ﻛ⥄씊\U000ef1b8閸嫊ᓾᝋ\ue672\uf6a9鳮틝筢薨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ = "톼㍻\ue47a\uf79a媛\uecf9ꐳ\U000e8f06뤳妕穧쀅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\SnapSizing = "軾蘼㞑狶團橬윫蜧\uec18\uef78꾞蘀ﮉ例ܻӲ瓶迂禈嚎锨䪜뷍ꁀ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\PrintComplete\ = "ꝲ謅ꄂ傁筴\ue055\uee56意덃豥ffi뇉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\International\User Profile\ShowAutoCorrection = "ഀ놙ਏ룯ᨑ쯷껜僪맊ᴛ\u03a2䱳哶冽섇\ue633禨ĭ髬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\SharedEudp = "ꧼꂾ㢧\U000ee47a䌈鄚繍𪏰\u1a1d櫳\ue91f榖藼ᴰ豹脣즹5\uf1ebῂ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Call7\ = "턏\U000a6744⏄蔒彔啥ꟼ떠몬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
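The rows in the sections above (the Internet Explorer start-page writes and the HKEY_USERS block) share one layout: `| action | indicator | process | target |`, with `Set value` indicators of the form `<key path>\<value name> = "<data>"` and unprintable code points rendered as `\uXXXX` or `\UXXXXXXXX`. The following parser is an added example for triaging such rows; it is not code from the original report or the sandbox vendor, and the sample rows embedded in it are constructed to mirror the report's shape (the process name, SIDs and data strings are placeholders). Two practitioner caveats are built in: the `Key created` entries under `SystemCertificates` attributed to powershell.exe are, on their own, typically the result of a process opening a certificate store for the first time (Windows creates the `Certificates`, `CRLs` and `CTLs` subkeys on demand), so the script reports a certificate-store finding only when a value is actually written there; and a value consisting almost entirely of non-text data is counted separately, because on this page nearly every written string is of that kind, which points to indiscriminate overwriting rather than a targeted configuration change.

```python
"""Triage sandbox registry-activity rows of the '| action | indicator | process | target |'
layout.  Added example, not code from the original report; SAMPLE_ROWS are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The report renders unprintable code points as \uXXXX or \UXXXXXXXX escapes.
ESCAPE_RE = re.compile(r"\\u[0-9A-Fa-f]{4}|\\U[0-9A-Fa-f]{8}")
# 'Set value' indicators look like:  <key path>\<value name> = "<data>"
SET_RE = re.compile(r'^(?P<path>.+?) = "(?P<value>.*)"$', re.S)

# First matching rule wins, so the specific patterns come before the generic ones.
CATEGORY_RULES = [
    ("ie_start_page", re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.I)),
    ("certificate_store", re.compile(r"\\SystemCertificates\\", re.I)),
    ("activex_compat", re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\", re.I)),
    ("ie_settings", re.compile(r"\\Internet Explorer\\", re.I)),
    ("class_registration", re.compile(r"\\Classes\\|_Classes\\", re.I)),
]


@dataclass
class RegEvent:
    action: str
    path: str
    value: Optional[str]
    process: str
    hive: str
    category: str
    junk_ratio: float


def junk_ratio(value: str) -> float:
    """Fraction of the data that is non-ASCII or an escaped unprintable code point."""
    escapes = ESCAPE_RE.findall(value)
    stripped = ESCAPE_RE.sub("", value)
    non_ascii = sum(1 for ch in stripped if ord(ch) > 0x7F)
    total = len(stripped) + len(escapes)
    return 0.0 if total == 0 else (non_ascii + len(escapes)) / total


def hive_of(path: str) -> str:
    """Map the native \\REGISTRY\\... prefix to HKLM or HKU\\<SID>."""
    if path.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    m = re.match(r"\\REGISTRY\\USER\\([^\\]+)", path, re.I)
    return "HKU\\" + m.group(1) if m else "OTHER"


def categorise(path: str) -> str:
    for name, rx in CATEGORY_RULES:
        if rx.search(path):
            return name
    return "other"


def parse_row(line: str) -> Optional[RegEvent]:
    """Return a RegEvent for a data row, or None for headings and header rows."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    parts = line[1:-1].split(" | ")
    if len(parts) < 4:
        return None
    action, process = parts[0].strip(), parts[-2].strip()
    indicator = " | ".join(parts[1:-2]).strip()  # written data may itself contain '|'
    if action == "Description" or not indicator.upper().startswith("\\REGISTRY\\"):
        return None
    path, value = indicator, None
    if action.startswith("Set value"):
        m = SET_RE.match(indicator)
        if m:
            path, value = m.group("path"), m.group("value")
    return RegEvent(action, path, value, process, hive_of(path), categorise(path),
                    junk_ratio(value) if value is not None else 0.0)


def triage(lines: List[str]) -> Dict[str, object]:
    events = [e for e in (parse_row(l) for l in lines) if e]
    by_category = Counter(e.category for e in events)
    by_process = Counter(e.process.rsplit("\\", 1)[-1].lower() for e in events)
    junk_writes = [e for e in events if e.value is not None and e.junk_ratio > 0.5]
    findings: List[str] = []
    for e in events:
        if e.category == "ie_start_page":
            findings.append(f"IE start page overwritten in {e.hive} by {e.process}")
        # 'Key created' under SystemCertificates is usually store initialisation noise;
        # only a written value (certificate, CRL or CTL blob) is reported as tampering.
        if e.category == "certificate_store" and e.action.startswith("Set value"):
            findings.append(f"certificate store written in {e.hive} by {e.process}")
    if junk_writes:
        findings.append(f"{len(junk_writes)} registry values overwritten with non-text data")
    return {"events": len(events), "by_category": by_category, "by_process": by_process,
            "junk_writes": len(junk_writes), "findings": findings}


# Constructed rows in the report's layout (placeholder process name, SIDs and data).
SAMPLE_ROWS = [
    "Modifies Internet Explorer start page",
    "| Description | Indicator | Process | Target |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1111-2222-3333-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "뻜\u0ce5\uf034髿虯갪" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "ด惈沵丐\U000a4208閐" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |',
    r'| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A9A7297E-969C-43F1-A1EF-51EBEA36F850}\Compatibility Flags = "擓迓辐ᠷ킞|ꪑ" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "떫률讠ಒၰ簩" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-19\Console\InsertMode = "1" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |',
]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_ROWS).items():
        print(key, val)
```

The rows of the report above can be pasted into `SAMPLE_ROWS` unchanged, since the parser follows the same layout and keeps a `|` inside the written data intact. The category list is deliberately short; extend `CATEGORY_RULES` with the other key families on this page (the `Low Rights\ElevationPolicy` and `FeatureControl` writes, for instance) before using the per-category counts as a signal.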
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wbcat\ = "쀋烴崥䟤苹뷠呎⼒岚\ue191\uf0ee\u0cba圮襸ꁗ뛥൘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "㛅䣿島盺̈麽ਈ䨑佞\ue8f5髗꘠岾럻ೊ⎼⟳䇐渑\uf442剖\uf7d6" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BDATuner.SystemTuningSpaces\CurVer\ = "ᥱ\ue409趁틋➍じ櫱̠랩\ue50cꏛ降蝘ꈆ禺\ue815\uf782\u2d71쭿甍捻ค" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01C6CA30-792B-404B-A5C2-0A34434B3AA4}\ = "剄ᳯ\U0001523d汕鷖套妥亶岡ቹ捧Ϧ뼘鮠䍃耶䳗\ue80d骈慑縣㷈\uf34a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\.mp4v\VLC.backup = "ޮ䄿\U000c939b樒฿爼姫䨙Ꭽ킠\uedd9塩폺틋풔濅\uf69a\u0e3d헻⺌璋ኚ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{274fae1f-3626-11d1-a3a4-00c04fb950dc}\InprocServer32\ThreadingModel = "П퇊⊈ꉵ⏷숃燇೭횚겨㗽\U000aa828㦶鲼℅ꙋ\ue81e쌼ႃ≁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D}\LocalServer32\ = "⽮팺䍇欪ֽ豉敦都༙ᛛ顭ᆅ溚厲抝ㆸ狇\u09d8㐰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{51571744-7FE4-4FF2-A498-2DC34FF74F1B}\InProcServer32\ThreadingModel = "\uf68d؋꒛\ue3cf瘃ꢴꐍ塘ຒ\U000d28cd倴ਭ犮䖠㩑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlam\Content Type = "欂\ue46b쵓ޢ펫惍蒭\ueea5ᶍ\uf3f4߮퓕憫扵劂黊렒ඪ䣢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CfgComp.CfgComp.1\ = "㢇鑅Ǻ\ue32a鎢총얄띻뤰ㇳ\u1c39甅勾嗉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00022602-0000-0000-C000-000000000046}\TreatAs\ = "\ue065橚곿觧\uf3e4ꁀ굉쎝㙳⟚\uf790뵆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\ScreenClipping\Description = "\uf780\ue8afᄻ\uf28c变殴ꁩ蜖\U0008fdc0찆ꬨ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7071EC33-663B-4bc1-A1FA-B97F3B917C55}\InProcServer32\ThreadingModel = "䗈嘹뎁\ue1d7燗㛻\ue057攗ニ숚\ue7c0吝锭\ua879ઓ䇣ꃑ칵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{778DE47F-7ADC-4C4D-974D-771BD1675DC5}\InProcServer32\ThreadingModel = "\ue600奡\ueffdꏐ걻ꢲƋ畦郄粍䔵橦\uf1d3" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}\InfoTip = "䏴鳾ܵ㴌㷆ǎ\U00099f8d嘬爏ꓹ戹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{80A09B21-11E7-462B-844A-1EB3415BB4A8}\ = "ꊵ뜽该뿙⎛悲㧿矼꙱褦⢟뒶脏ᵀ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E54333B-2A00-11d1-8198-0000F87557DB}\ProgID\ = "㳷쁲⁸≡끤回㙝ᨛ엣ᆧ衔醕讶\ued40襤》" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F391-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32\7.0.3300.0\Assembly = "ⶾ潨襪隽籐徜𫩘\u05f8艋\U0010bc56" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46080CA7-7CB8-3A55-A72E-8E50ECA4D4FC}\InprocServer32\Assembly = "⣬亖径痚䟺콉鼆⦨彆茿괸영ꮔ\uec9f\uebcc痡脵\uf595ꂫ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32\ = "攋脖愻䳡⇰\uefbc뱍㶉쥲濡͓삲\ue66e憚ᐛ殐墩쟎럥驍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54d38bf7-b1ef-4479-9674-1bd6ea465258}\TypeLib\ = "Ꭸ\ue975寂⠮쿗씪뙰\ue236പ㲊趀탅建캥堷ᘅ끲篋迗괬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F681803-2900-4C43-A1CC-CF405404A676}\ProgID\ = "坳လ踸\uf00e풱鲡曼բ\u1717헻䷌瞨啰ﴽ瓐칞饓毦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FA29220-36A1-40f9-89C6-F4B384B7642E}\OverrideFileSystemProperties\System.ItemPathDisplayNarrow = "偻뵷骃\ue259̑鞚⯵伓▃趕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.prc\PersistentHandler\ = "뢰\u187c\uea94㞕沁빧⨘׆㯈赽䑥ኽ炾Ԍ邕댮㾇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{12DD4DBB-532B-4FCE-8653-74CDB9C8FE5A}\MaxOutputConnections = "\uf364皗䛆뫶盙灰\ue00cꁤ⨟芹ꊑ㭛嘿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FriendlyName = "\ueb8a䙱㉏蔏戟ꩰ⭰\u008c峯㦠寲腮팀딏玑\ued15괌瓷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32624F4B-F1D5-4877-989E-555640109D2B}\InprocServer32\ = "氒ⰻ\uf790거鋕Ɏ\ueb59魿\U0001a743めᤑ㹲䀯⅟˂庨⧿\ue873欞韕ᚳ퀭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86d5eb8a-859f-4c7b-a76b-2bd819b7a850}\AppId = "\ue2ad䬄銮⤳鮏衣䌋షⁿ凸⠂۽" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8973b4ef-7da5-4031-a333-f65609a4dcf4}\ = "⥱➮뵖멨\ueda9≈Ꮟ⿈煣ꐢ궸䵨𗺴捒䢛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hxt\ = "\ufdeb晅ھ\uf390柊\ued7b段ꐙᡱ偡\ue05e왖ᙟ覺㗗瓾鿠毮Ⱒ埊큍ḉ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1B162A5B-B67A-4468-9613-C3F9765B353B}\AccessPermission = "⼡ၣ\u2002핹伃⯁\u0a63\ueb02ꨯ퐧퍠筞鈿鬲ႎ姟澴矂쯵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "ꪆ僩≌䀌⒐\ueec4멷ꊏ喩絁\uf1d9\ue535ㇲ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02844640-E37C-4322-A3B8-4C61A2E58879}\InProcServer32\ThreadingModel = "䝷㹣伍嫵줠櫱\U000af8ac閨溕\uf732奛뒈鵓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon\ = "䝀蓰꿊\U0002ee0b倁\uf608쵃Ꝑ斺齔訜ⳣḅ㮟䌟鸕굕ᑢ潯첞ᜲ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89F2B8EB-AEDA-4057-A05B-A7D6181B63C6}\InProcServer32\ThreadingModel = "錶괯㣰้賕덁뻖뇔唐뻚豜웠\ue62a㵦숋寊リ螋ﲙ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B918B82-7985-4C24-89DF-C33AD2BBFBCD}\VersionIndependentProgID\ = "뛽Ӭꍼ텚闦넄廋᧧햄렕ケꄳ旜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.getstarted_8wekyb3d8bbwe\ResourcesConfig\ManifestLanguagesList = "欼\uece5船\U00041838ㅙ읟⃫㽺蔛༷诫䮞罞况沼컚춚뒝䟪Ώみ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\LaunchPermission = "ꫭ嚞ᣦ皇닐냲컱ﻰ碁瀤娧抔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CATFile\shell\open\command\ = "媦웹筳袣嶘Á獰㝾\u0cf5タცཐ법\uef789ᣑ䘚襡懵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}\ = "붨鹤쎗慍\u0b98쫍䋾୫ܢ稃♕潄諏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5BD95610-9434-43C2-886C-57852CC8A120}\ = "譞\U00065f3a죍뢳䶹웰\uec13촍\uf6f4顨ꈭ軒魙턺\uf0fc鄥렳臥ⴎ\ue9b5鴼\uf789隗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{777BA87C-2498-4875-933A-3067DE883070}\InProcServer32\ThreadingModel = "\uf7f1⇱蓳橥☶鸓暷娠롛鈑嗒\U0009f055ꅊ怼왏帉坆꿙\uf446룠쳼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "\u2d7a떫률讠ಒၰ簩ɞ\u20c2렴떩㮠렮\uecd3᱀㕼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4DD15E-F431-4536-AEE8-AF20BA847A33}\Version\ = "ᴠ戭⹖剦\uec89䱎᷎谜㪳ὕⰍ\ue013酅섴ԧ藽뎃ⷽ賔隻味䗥蹺駢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6BC09899-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32\ThreadingModel = "룤㯜岬啲禪\uf883莝艧垑᷃牮접袯奛嬚䀡䷒ꮂ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B544C22-FD0B-11CE-8C63-00AA0044B51E}\InprocServer32\ThreadingModel = "Ⅼ秭㜒덀魈鍅뀖睽\u192eɄ뺯劄鿫楶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32\ = "\uaad3\ue198窽Ũ쾕牝⁽䔪䏩ꣾ쩠开" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.Backg = "澲\u0a11槝⣟餞芑ᰭఄ\u0fed\ue424읳됭\U000c72fb臄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\Elevation\Enabled = "뙬ᚁ\uee98녲㜩纻僖齗髣꯸첌풜麱䋐ⲳ﨣\ue0c8⁔뜱欂짇뛎ᤡ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0e-f192-11d4-a65f-0040963251e5}\ProgID\ = "웪槁ℹ縂秞畡瓛綳桾瞚ⲓ\U000a6ab2휐簫ࡶ젎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\UpdateEncryptionSettingsWork\ImpliedSelectionModel = "蠘ꤱ䩉忯爲鯷阚ዱ粳瀛볽醴窗㜖駳⅛딊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13EE36D8-2EFD-44F6-AF3B-75FF35E6C691}\ = "\uebf3苕誱ᕝ\ue4ec⓶쒈府\u1fd5蟪\uec7a빋ᘃ\ue01d᯿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2af6bcaa-f526-4803-aeb8-5777ce386647}\InprocServer32\ThreadingModel = "棺\uf549ӑ刻춍䮛紾鎻鯣戶藡텶\uf2fb䠝쮝ᙗ\U000ab642鼗愀\U0009817c讶␠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}\System.IsPinnedToNameSpaceTree = "題\U000cfa5b낙縞ع뻈\ue4d8Ⲉ샺㉭娦惴䅖呧࿗뽄饖쎏它" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{487af411-1d5e-4f7f-b4f4-4721fe1e95d9}\ = "꒿놌땨\u0ad8⤃㙫瀄扜㈂\u06dd됐\uee3e捔䷈辐唛烩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83C25742-A9F7-49FB-9138-434302C88D07}\InprocServer32\ = "ಮ鐟䱈쀍烵\U00056cfcᘱ靀ﶈ՝\uf584" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B6C292BC-7C88-41EE-8B54-8EC92617E599}\ = "拀ፏ줱樣㨁\uee26\uf0fb諸\u12b7콥炒Ẫꚅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20cd9315-87d0-40b4-b925-0a8f208e1f8d}\InprocServer32\ = "鱧콙ܶ\ue1d3김刂冡\ueaff\uaa3a풖ట㱛䯧ምለጎ黛欹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "䟺麠㆙窠귖雃带↷괣枇㇌둡雍䦈잛ᆝ핸螧\uf18b溫制잨䵎" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6C1C243A-2146-3342-8078-AC4BFB9DB4E9}\InprocServer32\Assembly = "ₒ縡凨쑊뀘圕ᕵ\ue3ddꂵ깦\ue893츝ɐ␥阥蚞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73257e95-0378-49d6-a954-44aabc841eab}\InprocServer32\ThreadingModel = "Ή䙭䗥䆸⫖瘝榹ᢢ냏黌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84589833-40D7-36E2-8545-67A92B97C408}\InprocServer32\ = "ㅁﺢ臿ᣂᰚꆂྦྷ刼\ue19bྈ⚵毋삪ꀼ\ufae0ྀ뿺䠟㪙ཛྷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "႐Ꮊጂ큸椬픒\uf194오␉ᨚூ\uf03f儛傛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E6D2639-4C23-4325-B8DB-6E373F20C733}\InprocServer32\ = "䚚⁷\ue37dᗁ⣌絥삫દ⟔ᣟ汆綵⠴绨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
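The registry rows above are the raw sandbox record. Two things stand out to a reviewer: the keys written are exactly the ones the "Component Object Model Hijacking" and "Modifies system executable filetype association" signatures key on (CLSID\{...}\InprocServer32 defaults, AppID Launch/AccessPermission, Elevation\Enabled, extension and shell\open\command defaults), yet every value as rendered in the report is a run of arbitrary code points rather than a module path or command. A COM registration only becomes a usable hijack when the default value is something COM can load; a value like these corrupts the registration instead. The following script is an added triage example, not part of the report or the sandbox tooling; it parses rows in this table's shape, classifies each key, decodes the report's \uXXXX escapes, and measures how much of each value is printable ASCII. The sample rows are constructed from shortened report values, and the last row (null GUID, hypothetical.dll) is a hypothetical well-formed registration added only for contrast.

```python
import re
from collections import Counter

# Constructed sample rows in the shape of the report's "Set value (str)" table
# (values shortened). The last row is a hypothetical, well-formed COM server
# registration added only for contrast; it is not from the report.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32624F4B-F1D5-4877-989E-555640109D2B}\InprocServer32\ = "氒ⰻ\uf790거鋕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\Elevation\Enabled = "뙬ᚁ녲㜩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}\LaunchPermission = "ꫭ嚞ᣦ皇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msc\ = "떫률讠ಒ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CATFile\shell\open\command\ = "媦웹筳袣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\Users\Admin\AppData\Local\Temp\hypothetical.dll" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |',
]

ROW_RE = re.compile(
    r'^\|\s*Set value \(str\)\s*\|\s*(?P<key>.+?) = "(?P<value>.*)"\s*\|'
    r'\s*(?P<process>.+?)\s*\|\s*(?P<target>.+?)\s*\|\s*$'
)
# The report renders unprintable code points as \uXXXX / \UXXXXXXXX escapes.
ESCAPE_RE = re.compile(r'\\u[0-9a-fA-F]{4}|\\U[0-9a-fA-F]{8}')
GUID = r'\{[0-9a-f-]{36}\}'

# Key patterns worth a second look. Labels are this script's own, not the
# sandbox's signature names.
RULES = [
    ("com_inproc_server",  re.compile(r'\\CLSID\\' + GUID + r'\\InprocServer32\\', re.I)),
    ("com_auto_elevation", re.compile(r'\\CLSID\\' + GUID + r'\\Elevation\\Enabled$', re.I)),
    ("dcom_permission",    re.compile(r'\\AppID\\' + GUID + r'\\(Launch|Access)Permission$', re.I)),
    ("shell_open_command", re.compile(r'\\shell\\open\\command\\$', re.I)),
    ("extension_default",  re.compile(r'\\Classes\\\.[^\\]+\\$', re.I)),
]

def decode_escapes(value):
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(0)[2:], 16)), value)

def non_ascii_ratio(value):
    """Share of characters outside printable ASCII; 1.0 means pure garbage for a path."""
    if not value:
        return 0.0
    return sum(1 for c in value if not 0x20 <= ord(c) <= 0x7e) / len(value)

def classify_key(key):
    for name, pattern in RULES:
        if pattern.search(key):
            return name
    return "other"

def triage_rows(rows):
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, value = m["key"], decode_escapes(m["value"])
        category = classify_key(key)
        ratio = non_ascii_ratio(value)
        # An InprocServer32 default value is only a usable hijack when COM can
        # load it, i.e. it is a real module path. A value made of arbitrary
        # code points corrupts the registration rather than redirecting it.
        functional = (category == "com_inproc_server"
                      and key.lower().endswith("inprocserver32\\")
                      and ratio == 0.0
                      and value.lower().endswith(".dll"))
        findings.append({"key": key, "category": category, "process": m["process"],
                         "non_ascii_ratio": round(ratio, 2), "functional_hijack": functional})
    return findings

def summarize(findings):
    """Category counts plus how many values are mostly non-ASCII."""
    cats = Counter(f["category"] for f in findings)
    garbage = sum(1 for f in findings if f["non_ascii_ratio"] > 0.5)
    return {"categories": dict(cats), "garbage_values": garbage,
            "functional_hijacks": sum(1 for f in findings if f["functional_hijack"])}

if __name__ == "__main__":
    for f in triage_rows(SAMPLE_ROWS):
        print(f["category"], f["non_ascii_ratio"], f["functional_hijack"], f["key"])
    print(summarize(triage_rows(SAMPLE_ROWS)))
```

Run against the full table, the useful output is the split between garbage_values and functional_hijacks: a high garbage count with zero functional hijacks means the sample is overwriting COM and file-association registrations with whatever is in its buffers, which breaks those registrations on the victim but does not by itself redirect COM activation to attacker code. Remediation is still required (the affected CLSIDs and extensions no longer resolve), but hunting for a dropped DLL under those keys will come up empty.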
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 䁢ꭧ뼀蚬쮷⭋婓馺㶞闧똹젼楰ͷ蝯鶗
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ᪆䜕鋮퍄退詍룿鹡잛૿럱堯湋愠喬쿿⭏湩
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 腠쥲Ⲹ伳틸厜愫쩶扖ᑘ퉐⅓ณ쎝䤗嗭
C:\Windows\System32\InputMethod\CHT\ChtIME.exe
C:\Windows\System32\InputMethod\CHT\ChtIME.exe -Embedding
C:\Windows\System32\InputMethod\CHS\ChsIME.exe
C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 956 -ip 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 980
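Reading the process list: each process is two lines, image path then command line, and the cmd.exe → powershell.exe pair running Get-Process -Id 5972 | Select-Object -ExpandProperty Path appears 100 times as 100 separate launches, not as a display duplicate. The image path is C:\Windows\SysWOW64\cmd.exe while the command line names C:\Windows\system32\cmd.exe because the 32-bit parent is subject to WoW64 file system redirection. The last four cmd.exe launches carry non-ASCII arguments (the first of them is the DOS stub text "cannot be run in DOS mode" read as UTF-16), so the sample is passing raw memory rather than real paths, and the two WerFault.exe entries record a crash of PID 956. The script below is an added example for collapsing and flagging a listing in this shape; it is not part of the report or the sandbox. The excerpt it parses is constructed from shortened report lines, and the flag names are the script's own.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the report's Processes list: each process
# is two lines, image path then command line. The real list repeats the
# cmd.exe/powershell.exe pair many more times; the garbled cmd.exe argument
# is shortened from the report.
SAMPLE_PROCESS_LIST = r"""
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 5972 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 5972
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 䁢ꭧ뼀蚬쮷⭋婓馺
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 980
""".strip("\n")

PRINTABLE_ASCII = re.compile(r'^[\x20-\x7e]*$')

def parse_process_list(text):
    """Split the two-line-per-process listing into (image, command line) pairs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected image/command-line pairs")
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]

def flag_process(image, cmdline):
    """Labels are this script's own; they are not the sandbox's signature names."""
    flags = []
    img, cmd = image.lower(), cmdline.lower()
    if img.endswith("\\cmd.exe") and "powershell" in cmd:
        flags.append("cmd_to_powershell")      # shell chaining through a LOLBin
    if img.endswith("\\powershell.exe") and "get-process -id" in cmd:
        flags.append("process_path_lookup")    # resolves another PID to its image path
    if not PRINTABLE_ASCII.match(cmdline):
        flags.append("non_ascii_argument")     # argv holds raw memory, not a real path
    if "\\syswow64\\" in img and "\\system32\\" in cmd:
        flags.append("wow64_redirected")       # 32-bit parent asked for system32, got SysWOW64
    if img.endswith("\\werfault.exe"):
        flags.append("crash_reporting")        # WER handling a crash of the -p PID
    return flags

def triage(text):
    """Collapse identical launches and attach flags; count tells how often each ran."""
    counts = Counter(parse_process_list(text))
    return [{"image": image, "cmdline": cmdline, "count": n,
             "flags": flag_process(image, cmdline)}
            for (image, cmdline), n in counts.items()]

def pids_referenced(text):
    """PIDs named on command lines (Get-Process -Id N, WerFault -p N)."""
    return sorted({int(p) for p in re.findall(r'-(?:Id|p)\s+(\d+)', text)})

if __name__ == "__main__":
    for entry in triage(SAMPLE_PROCESS_LIST):
        print(f'{entry["count"]:>3}x {entry["flags"]} {entry["cmdline"][:70]}')
    print("PIDs referenced:", pids_referenced(SAMPLE_PROCESS_LIST))
```

Two caveats when reading the rest of the report alongside this: the dropped __PSScriptPolicyTest_*.ps1, StartupProfileData-NonInteractive and CLR_v4.0_32\UsageLogs\powershell.exe.log files listed under Files are ordinary side effects of powershell.exe starting, not payloads written by the sample, and the only network destinations recorded are Bing and c.pki.goog hosts, which is consistent with Windows background traffic; no destination beyond those appears in the capture.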
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 88.221.135.2:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.185.131:80 | c.pki.goog | tcp |
Files
memory/1420-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
memory/1420-1-0x0000000002190000-0x00000000021C6000-memory.dmp
memory/1420-3-0x0000000004BE0000-0x0000000005208000-memory.dmp
memory/1420-2-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1420-4-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/1420-5-0x00000000049C0000-0x00000000049E2000-memory.dmp
memory/1420-6-0x0000000004B60000-0x0000000004BC6000-memory.dmp
memory/1420-7-0x0000000005210000-0x0000000005276000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_ofz3gcty.1yz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1420-13-0x0000000005440000-0x0000000005794000-memory.dmp
memory/1420-18-0x0000000005AA0000-0x0000000005ABE000-memory.dmp
memory/1420-19-0x0000000005AD0000-0x0000000005B1C000-memory.dmp
memory/1420-20-0x0000000006000000-0x0000000006096000-memory.dmp
memory/1420-21-0x0000000005F70000-0x0000000005F8A000-memory.dmp
memory/1420-22-0x0000000005FC0000-0x0000000005FE2000-memory.dmp
memory/1420-23-0x0000000007040000-0x00000000075E4000-memory.dmp
memory/1420-26-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/4076-28-0x0000000074A90000-0x0000000075240000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/4076-29-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/4076-30-0x0000000074A90000-0x0000000075240000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2e640c515efae2b4a054e0751f03094 |
| SHA1 | 9341fea3961560d1dff019a16926beec1a2c2a2b |
| SHA256 | d9a7385dd677e0720aa3f97de4449bf816cebfa0cdf06985518ea177c2336f41 |
| SHA512 | 53d16fe272b5cd67e90bcc95337ea90740a98890ca712745723bc1694b7bc174e23af983b2d1a4635b39038c96468e650bc4cba8c37a8618b73273fe6ecebc38 |
memory/4076-42-0x0000000074A90000-0x0000000075240000-memory.dmp
memory/5276-52-0x0000000005ED0000-0x0000000006224000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d430dfdd72ae3fbbbe44e4e88d65f125 |
| SHA1 | 106d8837416fc91b72da082cee43dd1f4065bd04 |
| SHA256 | dd266ff21cfe51cf65696d540c0ee40325ad2867b875df76045fb0dd5ece2912 |
| SHA512 | a7777e58b67e1773902e9e785374c88e0b081dda3a323c0773a2f4a5c29b99473e556094111095eba8f362726e283003e1141f497f31815f19292dc2c93bb7ca |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 56de59a062626874921f7d6218d65b73 |
| SHA1 | 1e3850bb2c2f479453c45412a2eea8964e36a05a |
| SHA256 | b0aea833412737beb7ed7d4a7be99abddd0c8ebe852de0cc08e0ace48cac20db |
| SHA512 | fcdf831e544665d849c9069ea73e2b763d5dae656383b1df30de1dabcf47385a16bc07b8b1862b0a7b88b7ad19bc2f8382998aa5ac5eee7d2ff591cd16111127 |
memory/1528-65-0x0000000006350000-0x00000000066A4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e255959712d32a38ded6d29fed6f4795 |
| SHA1 | fbb31c3faf34e73fd3ea1484f63694c194cbe9cb |
| SHA256 | 314f9741e71b09e9e7a7720b793c8e938dd7856f443a0df56c2c1452ec713d45 |
| SHA512 | ca20abdc480984904012374ceb329754ed3587cbd3445b2bbe5702143884553feea2b6b58f8374479c8ed49ff3505c57907d199e288e86b3e6f4c60a4a2134c5 |
memory/1468-87-0x0000000005540000-0x0000000005894000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 083f12355ff3660474136c8c49bdfe76 |
| SHA1 | 62c98b1eee8c1fb83424968b05076f05dc92ab52 |
| SHA256 | 1a29577c6c2056609259708285d778a71b4332c9e236af9487b21df7b666f9f0 |
| SHA512 | 650d0e34bf7356539c2f08cbb84f3ada580f03f2aa07bcacf3ef63139e5d39210aa2c79178c92b7fffd70bbe6dafb90b9a967802635bc463ba8d7b2d759d5ae0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 07bb70d56edc1bcb049e4699bcc115f9 |
| SHA1 | 9b08c74731f25e20b11972ed2177ae77e629e7c5 |
| SHA256 | 53a6aa9eac8c13d5f57de21f5eab24e6235f5178aaa329fb649c225dd5b02bf6 |
| SHA512 | da8b85c5642e68dd88682e6b59b96e790dbcc890e8afdce4f28b16c91c86d69fee5a5e66dfda1a5a034ba921189025560cab009c1fe88bcc34f50938127c8529 |
memory/1524-110-0x00000000057A0000-0x0000000005AF4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74740893ba71f21bafb6eaa1f4e73c99 |
| SHA1 | 63d0f89e396778187ddf6af571b99baa547ffc8b |
| SHA256 | 2637549dbe957a19e194d52f7bd102694ef0d1fc4e4521100d1f6341680bcf75 |
| SHA512 | 13c693ded94c44bdb0122926d3117ec65f4b37f4956de6ca36530540ae7df55e3b15a1dd4b9ad57323ddacfc10e3e3f1d0349ecc82aac9a0853b136cfa41f8a3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f954fc35b468a73a17c45400fb33acc |
| SHA1 | 35e4d03170b98f1b39a9fc6b113d4ec240baeb8f |
| SHA256 | 011d5ca75b61295bb3f15ab17ac6a5b5d6148d367b78000393d7827dfada0eeb |
| SHA512 | 7c2ae5e678432eb718eb6bba70bc698561cd3254bec0bdcf08652b4c6097b2a82d0033fb837b096ae91665ef036e38386d36f1fb5183d4dbe7cef1f46928add0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1e6db2657e6fc0d0c76c1df4e0441733 |
| SHA1 | dc9485897f8322df23c2174369f45889ad5abdb9 |
| SHA256 | 4a8faf74404fc4163dd3a140eec6a0463f3e95a4c98e4b73909b37f9ff899153 |
| SHA512 | edb8141d3756b31e87166f8609827feeedb60ed42241f495687cad9fbd904c7ea02317905955fa76a50e3bcd14c4e23f21f74d675777d9a5e092f7894ad8bcd8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f408e25401a3e87754f8711f57e949e8 |
| SHA1 | ac762462e0d1153ca347539abd58e8d77f32880d |
| SHA256 | d1c88ca06bd48a30886ee55746aa719dd864d4b2c43941961ecc2fbf15500326 |
| SHA512 | 77d164d8bd6dd990b5551ba9ce049dad5c20f5e15165cf74aa9c6f176f5c8da9bf45627be81b950fabe07eafcdc12708093fb5b707be5527f5a9dfc17d2dff6e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8caa827646e155ff425ddfc5adcd865c |
| SHA1 | 3454539e7cbf0a6e5b45243ac06507991848bb55 |
| SHA256 | 8450a31dc35784d0809de1c4599ed6f1c372e0a1299b707591cb950e34cac952 |
| SHA512 | 2041c858a3ac27c554262ba4a83df5930cde4fa9b367664b6ed7dbdcb030693e75b5b5d2bbac3bc6f80dc824e631176bafe9b25df726e66002409aba52823035 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a025948c4776e8ee9a3b2f90fdeeb9d4 |
| SHA1 | 895c94f28bf1fbebb94934a9e321763968976b2b |
| SHA256 | 59e224dfbd20a4ce6e5be781cc3a1697dca88aac3cd829704ca8e763640e324c |
| SHA512 | bfbe397441059f7412a399c887940ccc5bb6c3929aef4c100a099b060046ab0bdbf53ed2dfb1e89f6fdb13f022d18b0b57044bd95f7fe634bb97ef244ae18215 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6fb02560ccfa87ce881263c8656ba6ca |
| SHA1 | 32b2ef4197f3e1ed5df392b944a86c039961b2e9 |
| SHA256 | e574b308201d588d502ed6fcfea5f3a97d08afe2eb7dbf6e92c30cf2ddc9297d |
| SHA512 | 6e81231f8c42ad439c3d28a77af142df23714d4d18971370568fe3a1104637b480448434ab593b811e975cfa8db6dc2442d5608862aaef63331c82570bb1410b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b4af06b97759ab598be39a07a19017d6 |
| SHA1 | 70234b21ac83964c6db103aa18f46df2894fc635 |
| SHA256 | b6598a0607bb5fbb3762c431684aa28781cd2e5974c44b42676db07c42ea472b |
| SHA512 | 212fc42fe9eac113b77b6a47ad1d8ca8e4210cb420db9997f0bbe9927d41529de019c1f949040d23d860afbf011f107da3ed78ac9a41dd409cb070e87393ccfd |
memory/5900-199-0x0000000006020000-0x0000000006374000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5cbb9fe6da9993fce9f7eee244cdbc2a |
| SHA1 | ddd0351e73097fa85de7ade05cf5a273ce879a09 |
| SHA256 | 4892b101cff81e371b821bed3636906b32f9c12ce25143bc4417c0c0fda01481 |
| SHA512 | 381df35dc34255ef37976da67f421726e1b37eb01bd24975d1b70e6134b77f5a4eab4316adf2529430e0180b2e6ef246ee9b2d63ef32e091cde779a8cb1195dc |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa0f81f9caceb100a5f28300267f2a4d |
| SHA1 | 6d28b93293eb587ab12f6535d33a532a62227204 |
| SHA256 | 866d3ff31f19faeb57789f673ae7e01177d45db3837fea46412a048a26d53d33 |
| SHA512 | 42554e71f8363a6dd7cc76be98f36e869f95dfae19c925b70bffeeb6b5fb7d749747194a5246f834a3fd95590d2321fdbc9cc84e1be38b3138c5ca6d78bd805d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb0c1c93990647c585655493ce89ac9b |
| SHA1 | 687144d5ab9badc2272e39c47749b1c6002887e6 |
| SHA256 | ae49cf643feb363780c50f3d8590f2f70671961bbc853d26187c9e07c21db164 |
| SHA512 | d87de862d7c8ddaf02c4b525a6d1e2567db7c02e02aa57b61a9b0c6d28889ee3dbe5c05df47d40dac96ad5591a81d59b81473ac4fa1568c37cd1e9bb306590b9 |
memory/2756-233-0x0000000005E70000-0x00000000061C4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe0e9d3e00d3f0ac14788b124d4247a0 |
| SHA1 | d25beef87a217be03ebbbe3ba322954ad3720167 |
| SHA256 | 4e730008d92bed5f7cf99896a5f1e42bc7ca23157eb9168530c83b15cec6d8c5 |
| SHA512 | d3166cca79d8eda54b451c53b824293d3d6bfb29d46c8b19c0afbdbf7bccc6a2d29c5a790b51a1cb5a9843e242f795943564fe21c5ecd5fb719f3f1e677d48cf |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79abf9677bef38520efb207ad9d14524 |
| SHA1 | a013341b56ce03a0e75e874f086b861b0c8490df |
| SHA256 | 2dad17a6dd00ceb8520e319c138907a4a2515ac6cb1034798f851b407f13aef8 |
| SHA512 | e77f0ef5ed591ae46f497ce99597a7fd0d775051eee7dfe2742d8e764a9b2c64f97752daee35b2cb5539938782016497fdf1c0e4bb10f8d72e789ee6f197e13d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be299099de44aa6575795915e3fee167 |
| SHA1 | 2874cbaaf66babb494b1e7bddce7eee8960a2b22 |
| SHA256 | 11b9e93f7f0b7b478033feb43f15b9fb06e94818263e026ab980ff18afedb7c4 |
| SHA512 | 43c2051bd31b119b4a0571dbc797cd18b3932bd68ce25086f1c869af2eceba9d7b3671d5cf36a37d11b33ea1a13ebb09be2597b9308c246e5ea12e545210c4d9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49e9f81d3933ba2a6c1b9a06ab76d427 |
| SHA1 | f9b1699069160d03eaf56a457e325afe145188d0 |
| SHA256 | 98afb793edaf5f1b85162b7d3f46e49b0549754d8cc6c3e3a050354c6a7c5ef9 |
| SHA512 | 7ac25ea99a782a66ce59528265d22fd6d17b5080bc53c0dd5cdca7dc44ab1f23959218cada7e1395c52ea4261b391d4ac1b2a1739d63670b4e4ac667ce602406 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83aeff5af0ee9d3770fabcbec231d1bf |
| SHA1 | 141a41f4e784557a7815bc4588e29ba26b2b4ffc |
| SHA256 | 907bf15b98596c53f8535f146f9a2ed681565a2cdc11973842be9db6391b64e8 |
| SHA512 | 4cb3610edf4de20f4046fc07b1449f303c2081b2ef9da39964d2e28cf5e31b26307f50485cf2a869f8abaa370ebcb9d4c99cc50f720955c29e402475379e09d0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd1f872f8943414edba790230d15dc34 |
| SHA1 | 15b70f9e988e9d85478f09a8b3c7a0846892d62e |
| SHA256 | a679d3ad725a034354bd8ea557b2fc61b45069657ef0e1e52006fbeab40d3558 |
| SHA512 | 8a3756b36eea878763797fef29cb096b6d2596bbf87a497d98de2de6bb9a7f4afbc1321be8524b7a392e6734cf2fd0dcd20f68f7677a135f6b4d94c67b3db3f7 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 76d5cdfea135f591e1df44b7d5f0ef01 |
| SHA1 | d28ba2da8857650bd2b8693f7d54c6bd2d255d7d |
| SHA256 | 8b60e9e83cc5ea0876e6587bb5f300d629dc7a3858a7c8cadf9e56e45cb756a2 |
| SHA512 | 6210f08e6620bb134b86b78facdb78396b7e921697c2cdd2fc9f5822b770067c1702126e56f08cc4282ec032c317893f8658e13f25b6de1850f157d9af2a1709 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0dfccc52ec66ad40558b5f2d1154d35d |
| SHA1 | 67eeb47a6b8c68a61c0346607448395723222634 |
| SHA256 | b072dc254be00b8ed46f67159b4cac672c7eaa13455a52a9a76b1ed60e8eb803 |
| SHA512 | 8de338e73fd063ec2266d2c44e88557ebc7e8ee08f794055ee7f73c1577a9a9a8bbdb966f5214650b681222f5eecf8fda9d9a2d2b064d63c39e718f922891c13 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5e8c52d2c9cd55576df7d3695c5c425 |
| SHA1 | af6cc5e1007e44f230a9ef9e78c664ce583f69da |
| SHA256 | 49aab17e92d981b7e55e61ff34a30d0e7d78858b9463885c8ad4b9393793df91 |
| SHA512 | e5dd7e0f30d86c0a8f45ec0a2c8502adb03d641b0f72aca8fc937d14968840def0a68e327777881e79a2d5c8c2331bfbdc5cb3a4d5e5c01960669bc3ca589088 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 043f11fe506c2c03c2edfacdf1230608 |
| SHA1 | 748450b4b90de37a65888cc11c80de6be033e541 |
| SHA256 | 5e453363002b8b204abab6c1465a75c6ee39533ac2f5cb34d2d54846cf817c63 |
| SHA512 | 277a502828d113a754a22f50390ceb6225b592d2fd1385d3ba399a0a7ab848f151113f688e63e8ed298a8c81082acf29fa51356792388b71bcd4f65a50a50c17 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c980b6777d07ce52aca6820c62a8c37f |
| SHA1 | a07ca8a2660c77fa051b26988c2ade636585b939 |
| SHA256 | e0a828ee878dd4aa3b100e39efdf2be2ca72908ac4011c307955e6213f36761d |
| SHA512 | a02593f9340f03f9dfd7807083ded997c93f88ee09e57045ed1d8358d36fc034880a9c6d18dc804d990335d1ca2400b3438d18c2ccec4b55f14e44b516d2e2c2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 42ccd6d0f61a262a9166d99e07dfe625 |
| SHA1 | e4bc4c0d98bf578dd8db9d50f7abecc11bba97f0 |
| SHA256 | d167a935ea9480025ed17881eb38eae2e1af8d980b01a81e7a4e51fa5fd56ea6 |
| SHA512 | 0831426603bb9bc222df576c9ab4cb8fde15bdf797e7ead94382eaa0f9ecb31537fe01918fbb5d9e4314f4f6160fcbc09f7f8524c28f87882e2d8b86f3528ca1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6397e3be021fe9591ce143438d8ecf33 |
| SHA1 | aba0214acfef47799f52828677bb9ed56c6bc241 |
| SHA256 | 540417d038bbc3a0b7c5d2e9ca14871daedc6c94b4727bae1bd185d0fcb34031 |
| SHA512 | 18d7b1474dd88bcbc3b4142d5912244d9aa4a6645181cb3f5c3fed89dd4ee0c70961bd37eeae52ae660c9e8d6b1cfbc90f2f867991922aba0ad43db79a0e0439 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 93bcd10dc8319202f4559ebb22433ab0 |
| SHA1 | c3daebca4511aa258a15c21d5d46d07fef9060fd |
| SHA256 | 55a32d95f91eec0bb1bc070b992c9d0f54e0fb1629d5c0f3d9f403123a268f6a |
| SHA512 | 54430a3003fce46b1c73b4e350f192e58fdc34b3228810426f6c99293c47ebde540eeec3a9cfe27768bab1f681c4038d21e588eaafbcba335d408705888504fa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f785fbb539d4f7b544603ac8a786d345 |
| SHA1 | 42a06251f06103c208760b1212dca71e63f716ff |
| SHA256 | 3be20b50265fcc62606e313cf55d41403c15d2e34cfd38448635007f58865546 |
| SHA512 | 4749426c8881ca7867e086541c3e558a691814a581dae5b611738c5def8aee610a82cbe1751f55a318fe39fc7faa02b395b2a4f10efe098b482771c9c82cc6dc |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2fcd6e871af03a1e3e1abe1c4b9c248 |
| SHA1 | 448bef75f085779f70ad92d88b95f146161fcf7e |
| SHA256 | 7e029d749cac9c9f754c8c7d8bce35a2587dc44cefa4cc6c98fe34be635379e2 |
| SHA512 | 9478a3487292b0f3e1958c1af6c759971e1df38a81786ef7a9bd917cccd21fca9dee3e5c69fff625aca7cdf52df0c342cb9f232159b541f5dc1518606dcfdf34 |
memory/5652-410-0x0000000005F10000-0x0000000006264000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d060cee6aeb98c82cb18645e4ee888b4 |
| SHA1 | f065640b4cf7cb722265c1e71d484d675496c93a |
| SHA256 | 7c932d52b708809ab0d77a721516e8e34aa6974e8b7e4ba88d202ca6d3466aac |
| SHA512 | 4df5bf70901f01630437b0d6f6b74f83a8acd12cf0109df5a1ad3f57771b2bfaaf9693b6720ccf9da7490a2b9e93e7c032ba47f15b6cb7acc6344373877769d1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4c70e7f1360afa9c5f0fe178574a1bbe |
| SHA1 | e81923519515b6e1eee2c37fbef173dc7d880197 |
| SHA256 | 4f7c8a4b9258f44adbf548a8f3331cd9da1a8e2aecdbf927cf90b46dcbe8eac1 |
| SHA512 | 94e590460d6f88316fa0991af4b418bd906591a73b724944ca48c4ace1293415179735b7a0278e035da845c49566ceb49af28d74569fca31e24ea0c775e4f3fa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6910f1a3a09b3b1a3edf079ac4d8dce9 |
| SHA1 | 4f2000fc04fc3a4967fe4395be1cd8cac2951394 |
| SHA256 | 76519f36fa6200896f17622a278d87b3a006f2bf3f5ebe3e2fe2b81317277a21 |
| SHA512 | 0ac219b4c0f862fb43535ed26886c1c6d2ece5792c1a55274319901d25c15fb8237818c871f41d92205aeaff9314cbe146509db71269f15f51ceda0d1c66dced |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f6a82579f2f88b8aba38cf24fe1a60a5 |
| SHA1 | 63264b02c03212236f29ca5ad0a2df3b812e2fd1 |
| SHA256 | 705786b6f158769987f4446563b2d6154d4b722c240d422b5fe0c1d6bb9b3f9f |
| SHA512 | 470038de2de4619949b67803a90a430e36138b95c7b523aeabaa6d88619942ff7a5f87a84c759483a95d7b08e944a5c39beabbc91c4fa4839e836ca85d3e021f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a832fa5fc92bf3491d80671724032cdb |
| SHA1 | f6bafffda0f2db04425d655b6c558fc64e030844 |
| SHA256 | b30fa654b07290ca53576021ba03901bdf7aac4788880dd57a1744838ee29b8a |
| SHA512 | 5a13b9bc73e7e142c877c629c197cc021221e1b1eb081bf0f5b338da8e778d7af140f387823a056099a1f0078559a14221167ce3dd000a01e0faa3c76bfe0a5a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c567d8132c515b1c4f7103e51f764558 |
| SHA1 | 789e4a3294f49caac8089f2ac5565f1b71a5b6bf |
| SHA256 | e8cc99a5194d720430a19c911fb748d0cb64a437a86765dca9371c7cfd5655d9 |
| SHA512 | 3444dab15aa9455d2f34e5b71ffa11b6eeaeedb93c081386d890dd9941ad2a91ca3353357d67a850c50d4de7c8aaf5501506fbc29e2dbb9143f938a488da2392 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 13c13c9805f4ab4ab5fb23b864ad4fad |
| SHA1 | 631325eda0c3e87097a6521f424b4a1da42f470e |
| SHA256 | 397705eb1ec7b2fee7290f47513b8ea2b2c5cccce351de2907b890b385c63f96 |
| SHA512 | e909e7d2fbdb2e4f3572fe84c24e36b52da39e2284af180310a7593f2f794c657c621a0a99ba06d6a77e75bba759707c747eabfa91d1c6088c6847e76dc29d16 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6b2c4ebc7d93b018582102628c2863d |
| SHA1 | b384aa00a1e8a4668f361b99f530e4414b8c39e6 |
| SHA256 | acc4afd8203ae04fd04115094c7212954e20b1e07dfa2bc9acc849efa7a0bae8 |
| SHA512 | 546b354b9ea21a51d2302bb428db64c83ea03e93d3d7a3f610682510c490c45188650ece140f30cbb9f72b76a7f2d7b403b59166f44f8557870dafcded1771e1 |
memory/4372-499-0x0000000005CB0000-0x0000000006004000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2b5965aca3e3bd5b779be21dd350be76 |
| SHA1 | 3af6f2e68545462f28c982453347880a8192145a |
| SHA256 | 0186d025b3afc35f6e1df416c97a64ab8f8b3d6400158d10a5422b24c47922bd |
| SHA512 | c23149f1a03bca11585fd348df3fc3a02c1a9814e64ebc495b612171e229c88292ceca9e2e84b7ca141847e6c1063550a772191d71e5e513bd3a50ed88ec39b8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 41da95ba6790b91c84a7ae9f495c35c6 |
| SHA1 | 55a3e6e5376a3d70972951afa80f2b328ef796eb |
| SHA256 | 54d0c04dd60d6e5ba908048af1f9feab57d337cae4682f2d86c38394b6c600bc |
| SHA512 | f0c81821506c53c7945db5cd0acaee7f4bd4a2077e6a37f9ed74d50c39cdba43f6f3dbaeb6bb1c8501a342376d0d1ce1a61f4e20e0199bd8d18f9f98c4a2acf1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd4e1fa3de159c454d7d29c169863b25 |
| SHA1 | 650db7ac714569249b12e762d96ace4703516dfa |
| SHA256 | 984373c74e74195bb995b0a719777660d71c4726d4b79a505796d00969af327f |
| SHA512 | 3036975b5fd2a051dc8052e5c6a26e2aac177ec0ee3aaebd2b9d2753297ba347cdd6ffd3a0225b73dec43f7fc01131cd804d0994057e20dc52df5978946aa63d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 566c9da595f3b9275ec4f13f720323b1 |
| SHA1 | a85d5cb0a856739bb1b012e4ed130ffeb448788d |
| SHA256 | f63f42bd93e43884022e6d25dcab64feb63c1ab1830f5d7192440fd1fa90c08f |
| SHA512 | febef9222ebaeaff57c3263b0f1204fac94e0f84b04e19de6874ad3aa75a36094663f0b8b6bab73494b8f44a15f1631a3ca5f9da7f29b37a7c47c2ccc1227e6a |
memory/4244-540-0x0000000005710000-0x0000000005A64000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 39b398ea8d424faa1231265209699a8a |
| SHA1 | 4cd4db48a117c457d175e2ae11635d4fc313daf1 |
| SHA256 | 59f23cdfde769adaffba7cd77dc519fd6743138b62b4b6780241949eb8b2fe5c |
| SHA512 | 8d422fbb8eb5a2e4990c06a118e336266376360cd84c21a52b6713cd323b3b52360aca9146a247676c68bdd4ba0943e6b774b38404975a06372e30d6972074f2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05aa18cce9a6b25eb72ca3eea0253e32 |
| SHA1 | 787d15e7efdde59fcc40b6f5d8b1c31efa9a890c |
| SHA256 | 34bbddcf7c42ac002d6d446cc45145609a5a636effe726f7b5f0cb83128b4d72 |
| SHA512 | bbb5e14b86b9633d3d9a46c26d465c2aaedc3ce36f98a06f065a3c53206529179c952f2d525c32f9e4a1704ba96a88f36225547ada91902f30a9df4195e0112f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4cabb80773c945d4698097f3da7efe34 |
| SHA1 | 13c163fb73d31f046a2fce4b28cf2531e52f0875 |
| SHA256 | f78fcbb700a2f18eefde2d6c482f5438d4ea4195de00bee532d2478468ad988d |
| SHA512 | 574ca26775a28e28139547708664aae544de6814dec4e7fa0f96bea793efd67f7a19c57106316787745bb282e4fe020c139a1165f0b515f8b2aefd6daec5d6cf |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58fb71dce168ccba355b17dd542dc8d0 |
| SHA1 | bddbd6ffbd912d058f05781901e6a3d98350d17e |
| SHA256 | b00ff013ec43e606ab7466264946f06104db53b0cff1d018f5f0ecf268f333d1 |
| SHA512 | 925d42cf247e9ad05bfbed340889d4514923de95c66a6075802a173d5fe54a04e689dafef243766240ed742c81d5091c07067835922a1928494ff7a2027527f9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6ae6ea5970cfe714560ca216df70541c |
| SHA1 | e8674c05859444a351472e49e37f7a3dab9ca335 |
| SHA256 | 642deb3af12182aba27f68146b45c4e3f44ddbcfbe9e45172f256396760425bf |
| SHA512 | 2ac8932774dccfea804e7c552c64abf9f6ea3543534bd613cc1d586cbf25b05b6aed9923a68582b172bf338dbcf664fb84f5bd063c398b76bc12472ff0f70ae2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd7f2cfbe72d6c9bc4db0212f882c4a5 |
| SHA1 | fe1e61a1186a387ff4a8413e57a15db56c7cf0bc |
| SHA256 | 7db5b968483590e7d2b9c3d9e242d6262118435d8ad15d5d200a35c31bc56640 |
| SHA512 | 0cecf5a3a00ba3107c5879db6875da6b0189b069054ef897025ea4a0289d8a2dc4f2b93710caf80b4290099594def737ac95f74514902d4114ebf09a2fe908a1 |
memory/4704-611-0x0000000005A80000-0x0000000005DD4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | abaaeabfa6fb72fe635977bc8047289d |
| SHA1 | 817ee0e6d5a4d23339f0b0bc83fe182718c5cf7c |
| SHA256 | a27b39b3af04102a7e49836ee7b0470cd50bca64d2bedff1c224af284565a4cd |
| SHA512 | 764f5a5695fb7f2f2dd1aecd771c4efddd05accbf5a08d85d29f830e849208591dafc4cec38f4bf8970059f2320cb86d6016a1fe492f999159202310e1f46bcb |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15ebceeb08118b927fc40e5980381cd6 |
| SHA1 | 0b5fa05b38b1f82a1c654e87361a7334aa1b6619 |
| SHA256 | 9cf1856fe235694eade0fe4ccceaf16d8fcabfbecec530bf1879238687bc8a52 |
| SHA512 | a03da3e2e0a16ed477a33775d7fc4b3259a3894a33a1e1275d5034995bc8862dc4ffa20457f481477474f4dd61123d564304d0a9a5ac58a219fb6d51a91df608 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb4a8be3431c7a20f09afda78cd388e7 |
| SHA1 | 3e48235f4be4b4066c8f2e07a92ff0b717c4a75a |
| SHA256 | 8b7c8337567ef4d90f29d68909f4653133bb1c1aad731585150065c29fff5732 |
| SHA512 | 6212d29eafaf514af7687dcc3a32995f8792df0b9a3c61fb4d7da8711d9ef8f857e49cf7162383050e6516e8bfc058f372b059681a040dc0e85e04bea841681d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 67b09fcd5db00771cbf3b669eda11bfe |
| SHA1 | a4821b5d56cb4447ecfea28ceb7e1d3f9232b50c |
| SHA256 | 3f76310559acabfb8e62804096445d3e3b8dd977174c135e65ff0855e0f87ecf |
| SHA512 | 9022e38b8857db3d2cc5557b1d7e712263590d5eca86d77282a1fc26cdafc335349fa333664d045997ce0b6cb52f2dc2f37f24f678ba5b452762d135c49906d4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 991517ece1e5d99551542019ef359c4d |
| SHA1 | 832235f3c6a3298f128aa75944b40078d7a5b378 |
| SHA256 | da98483adb830585c97671c7f44465a64b60a2f97c0277d8629f830524cf55cc |
| SHA512 | 95145f954641cc943e7aebb35ff5fcd1a9a66e4dcaead270dae751c35669ecd78d9394a0f358bbbf0c07db2c792b79e40c25c26c916369938e7bbd09f3240574 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7256bb3a8d77976ec41859841fb858ba |
| SHA1 | 1f590981a5129d2c646711afc246f9bdf827fac2 |
| SHA256 | bd5a7f90e6277931e3ba2feeed44799d81c159a07e8199adf8dac1ae61f6c8fd |
| SHA512 | 3f7c8b5705037450b6bb052f64feb48f36156390ce93b7b77ea3aac7d6414af9c7361b1a43cf6e9d9e427af581990aaee5d4d14b32bed5d45f52bec05cecfe4c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5574edeb47c46f702532dd10b3afce37 |
| SHA1 | 1d9c208b104713961d26bd63f881b819519c2af4 |
| SHA256 | 0a27d935461744d3ae952b242c9ea39690218370d63565da2e2bdee43f15daef |
| SHA512 | b79db601a669ffadcb4f62f0e269661339953a131763fe3fefa09b378ce2541207fa80818cd1eac1bdaf0070aeecf974904b1f250755d4fc23e5b9dfbb63e164 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a1b382ea200d6627395f9dbeec3b69e8 |
| SHA1 | 625f05ef91c4ebef8cb177a26f168ad83ca471f9 |
| SHA256 | 5e1f8400c2194c798b2b726a6f8cd16aa0644e5c52eb2f57a618ecab96330eed |
| SHA512 | 63d1e0880f946f4accd3f555667feae588e36941ece1a8466bfc06d880354c09c23e4084d333e402bcbc9ba6c292a35462d103a3dc5ad2cc6b79470428c8f9be |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45b0da4bfb5dd4c6f2a0986c2d7e06b6 |
| SHA1 | 0f092350af8ef42d33b4c6338db8fb1d1588d3fc |
| SHA256 | 979185cbb1b9199a5190338820d9c5fee522b502ac85fb328d4114f49de0b4e5 |
| SHA512 | a4c2c5cdde04f93cbcd969edc64b2ecb5ce17f8f14cb55f1e80c46fb2f0e9f6e6f6cc38adda9a2c14d183c0c6e1548a29e84182fe76141f45f909c79b43193a5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c92e4ecf499fc1d23025dbf7ef7d86d5 |
| SHA1 | f4844982d200da72f08213e85d0da1a5a6caa040 |
| SHA256 | 54ea61ee9ddcb1934cddd488da6a3beade9ea59aba06de630780a86723987d23 |
| SHA512 | 88b80e34c5883b0fd2b7f017acffb98f8c413234587c62f230106f1a1ee9b1b822d891ff64549b170d1097c5d7a94b1fe705f35f7124b20d7613aa91ace13bab |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d9e89a77a5334302bd58b9d52d2e6a0d |
| SHA1 | c24d5bbf08fc172cf78539672d87fe8a94961853 |
| SHA256 | 6b286d17c6af7ce01525d8c8cd7a9ecc44a315ca969dc93f84f9bfe0ecb98920 |
| SHA512 | fb373db135a98c9bb59771d72d94bb86d2d298993a4217e339bfc33c4c40374a0211129bcd081830f8878c4f7bde87aaa5528e25cf2890b2609062a0011710ea |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aac880e804538aea6bb250bb6e319e92 |
| SHA1 | 17a0c3c228cb9722e9b506837890f46ab7a6b58a |
| SHA256 | c4e0b831fa2128bcf4f2f1894c994f3be597c044e34e1ceea8ca5ab62e647309 |
| SHA512 | bc3dbb8ae85225e4cc383379ce42a5df5eb3700d25bf97858034211418a7636c0ff5a0a381f820b8b3b143bf0a043e22d255f07329319f605014bb5a15a03aca |
memory/5248-784-0x0000000006020000-0x0000000006374000-memory.dmp
memory/852-881-0x0000000005520000-0x0000000005874000-memory.dmp
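An added parsing and triage example, not part of the report above or of the sandbox's own tooling. It reads Files and Network sections in the layout used on this page into structured records, validates digest lengths, counts how many distinct SHA256 values each dropped path took during the run, lists the PIDs that have memory regions dumped, and splits network flows against an analyst-maintained allowlist of domain suffixes. Two caveats it encodes: the StartupProfileData-NonInteractive path is listed dozens of times above with a different digest each time because it is a cache PowerShell itself rewrites when powershell.exe starts (here as a 32-bit process under the SYSTEM profile, C:\Windows\SysWOW64\config\systemprofile), and __PSScriptPolicyTest_*.ps1 is the file PowerShell writes to test script-execution policy; neither is a payload dropped by the sample, so their digests make poor detection IOCs. The excerpt, the allowlist (bing.com, bing.net and pki.goog are Microsoft and Google infrastructure; whether they are background noise in a given run is the analyst's call) and all function names are constructed for the example.

```python
"""Parse the Files and Network sections of a sandbox report into structured IOCs."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the same layout as the report (a few representative rows).
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 142.250.185.131:80 | c.pki.goog | tcp |
Files
memory/1420-1-0x0000000002190000-0x00000000021C6000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_ofz3gcty.1yz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
memory/4076-28-0x0000000074A90000-0x0000000075240000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| SHA256 | d9a7385dd677e0720aa3f97de4449bf816cebfa0cdf06985518ea177c2336f41 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| SHA256 | dd266ff21cfe51cf65696d540c0ee40325ad2867b875df76045fb0dd5ece2912 |
"""

MEMDUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Analyst-maintained allowlist of domain suffixes (assumption for the example, not from the report).
KNOWN_INFRA_SUFFIXES = ("bing.com", "bing.net", "pki.goog")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class NetFlow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_report(text: str):
    """Return (dropped files, memory regions, network flows) from report text."""
    files, regions, flows = [], [], []
    current = None  # the DroppedFile that subsequent hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEMDUMP_RE.match(line):
            current = None
            regions.append(MemRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:  # reject truncated or mislabelled digests
                raise ValueError(f"{algo} digest of length {len(digest)} for {current.path}")
            current.hashes[algo] = digest
        elif m := NET_RE.match(line):
            flows.append(NetFlow(m[1], m[2], int(m[3]), m[4], m[5]))
        elif WINPATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        # section headings and table header rows fall through and are ignored
    return files, regions, flows


def hash_churn(files):
    """Map each path to the set of distinct SHA256 digests seen for it.
    Many digests for one path means the file was rewritten repeatedly during the run,
    which is what a startup cache looks like, not what a dropped payload looks like."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return dict(seen)


def classify_flows(flows):
    """Split flows into (known infrastructure, needs review) by domain suffix."""
    noise, review = [], []
    for f in flows:
        known = any(f.domain == s or f.domain.endswith("." + s) for s in KNOWN_INFRA_SUFFIXES)
        (noise if known else review).append(f)
    return noise, review


def pids_with_memory_dumps(regions):
    """PIDs for which the sandbox captured at least one memory region."""
    return sorted({r.pid for r in regions})


if __name__ == "__main__":
    files, regions, flows = parse_report(REPORT_EXCERPT)
    for path, digests in hash_churn(files).items():
        print(f"{len(digests):3d} distinct SHA256 for {path}")
    noise, review = classify_flows(flows)
    print(f"{len(noise)} flows to known infrastructure, {len(review)} to review")
    print("PIDs with memory dumps:", pids_with_memory_dumps(regions))
```

Run it against the full page text instead of the excerpt and the churn count for the StartupProfileData-NonInteractive path is what tells you how many non-interactive PowerShell starts the run produced; the single-digest entries (the .ps1 and the CLR usage log) are still PowerShell-generated and belong in the same allowlist as the startup cache.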