Analysis
max time kernel: 153s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/05/2025, 09:51
Static task: static1
Behavioral task: behavioral1
Sample: Thorium.exe
Resource: win11-20250410-en
General
Target: Thorium.exe
Size: 302KB
MD5: 4a94c74790129bc41d75fe0c1bf5f351
SHA1: a5540af8fbaad2656afb3a7b76c42a50b5bbc366
SHA256: 1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
SHA512: 9787fe4cffeaf150845cfe989aa6eac504cfa00d4911d7069be5fb3dca6052531b5cfafe1734b288856818e11cd331345f5f884477f566e23aa6ddf94ad8fc07
SSDEEP: 3072:zKhJM9JdZ5usnvivd9vN3LaRHVbe7ufTxrr++U/e8mmmmmmmmmmmmmmmmmmmmmmR:zKE51nvivXvEVRUdzWE3
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "劮쬝㸸櫒ꨙ롶嘕ꑍ㸍⏋㖔߃皔㶴誣촷夃" | Thorium.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\ue6d0〻铝陚\uf420𥌢滉蔣囙䎱ඳ\uf2a0\uf235赚" | Thorium.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "䝛⺖驱∣䂴磎ܬᤦꤵ澐若\ue9da䊉發낧﹛徬䜃ꇊ磸瓝벢⺬駼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "\ue102몑\U000cefa7艔ᠮⷈ⟠ڝ\ue707❨꧴秫辭\u2fe5\ue32e⒍\uf63e\uea7b拌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Enabled = "哼癨\ue9c5厦쯣糉죾◾ጝ䡄\u0d53Ꙧ沟ꔌ쟘螉É쬥앍" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ = "㶂蟰幍䊂こ鸳⧺昪遟ᵖ꼡썖溳㒍㳂襭泮" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "쟁訮뢵ꩲ㯌내㻱畘\uea4d\u242e\U00087fce삾ᘎ\uf183" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "䖖\ue0a3\u1b4f⌚큨轧膜\u0ffe轙𒋵ꟸ肠콚뵽ꎛᦉ㒷\ue962濛欤틃盲♴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Locale = "䁅涹ᖧ\ueea4럡\U0010dd6b悑⯢꾓⻉驦\ue6e2틌䭨폼쀔簪" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "\uef23쀨\uf7e9Ⱓ永弭⣰쌟ꦙ㽂㖴綠≩័네⊡" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "쓼䧒鷙쪘쪋\uf138ỹ\ue887涬ᄑ龴鉌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = 
"\uf303껇䕍鑞룡䖵\ue08b胛\U00019179ﲥ颟䜡䜹쀓䂎縈\u0bba첩臩莿ힱ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "謮ꋀ넛Њ뻵Ⴟ⟆\ue355ᶾ\ue4db֖돇ᢧ剗ᔢЙ稐析" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "ల볳쁼燧殻틠䄋轆蚓聳乳볫㟵籯踪ꐒ熩⎧োྊ¹詰ꫝ븜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "颗빀殮괸龹㝋雷\ue017䔝ܒ阋\ue509煪빆覹毪椢䎠䕲㰜퇏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "⥲훤ߓ嗹\ueeb1\U000c1132싲䡢К⥧\ue3f1鳘푱誅턣Ṻ핬" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "含揙㱉睵淠漩伟뺻塄殙⦎腎㝦豈例䡑" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "ⴱШ㷎\U00102196诐銋ࣷ㼄汭䍷闠ꨒ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\IsInstalled = "᚜翹癝ꥠ㠅鲰ⴿ㳈ࠀꑝ\uf5e4ꅬ哞贴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "阮Ჰ輾擀슣ర벧桅౿檂" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "誦紌傿ㄸΪꕘ⦑ೋ軾溪\ue9a6䋳뒃铣ˋﴱ诿䝟\uf8fb崌僴颉ʪꭞ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "䘹륕哕嗯㑐\uea3f悦䶦卩捇\ue1a8\ue030洁" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "쟅ﺪ⸭⋜ﹼꕢ┢꾄⓳\ue40b" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "猎蹨현說᳸藈唔砘宨⸙ꑢ揹\ueb8f팹ꆓ汘焍⧵\ue8a5몼Ɖ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "㍹\ue2b6鿧犨ﴐ≳뭙뭀⊔꽑䛔䳄➑愃독\u0eee덭" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "䗑\ue4fe矧돶\ue32d\U00108c60擳\U000bb60f䣹邁衵㒐館\u0fdbꑎ愠仄\U000e4e4b\ue1d5" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "\ue39c떐齒ꉱ瘂\U000934ae业믔뮐ᑇ䁜" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\U000370f9䷷벢⥆㊲䬐ꄟᝄ탾ﭯ᷻ἄ뻱㽋͐뻷╁" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "㮋覟宦\U000951f7㞥ύ᧵⪭\ue3d5ꡪ⢴향包蝃䤳ꃵ鑱顿㆟" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "䌓웇ɮ䉇飦⬚\u0b53﹐喪䇗\u0ee5콡\uea44䜢⻊" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "舌\uf120ꊰ텮嫲萟\U00063022㐼\uea95\uea07畨\ue6fe茂ṹ﹚蠟仩텗滈" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = 
"凃㗢挤姅\u2fdc祮똚諕蘉룷㷼甌돥軀쥧腬\uebbe\ue3aa团\uebd6썜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "ፌ㫛\ueb46䥵∗♈ሹ兘ᵿ\ue3a9ゾ\U0006e1f1吃晆ꕐ母\U0004fe32餆⑩" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "慊ﺹ앲\ue497\uf1fd䀎낋嘧齧莐" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "伹누ҝ㷒\U000dde4e㲚ừ㒵癔壤ᒴ㪓\u0ee0銡⑹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "࢜Ⲏ뱗ꖮ暯滀\ue6eb귱藠譀仼縬邻浿夜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "杞墠飅\ue075ﴑ\ue3c2뚙蕦鰝疭Ḉ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "꣹\ue11e볬⥿⑂牉\ua7ebṨ杉쏢䘏⾍\U00080d38쎦ꊼ䒝֥斕ꤌ礗䫼\uf094" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "\uef86ꏯ牫撶陝︿\uf3e4諺囃荪辭藴㡹蘯\ue96b㙳扄蹬" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "啂ّq鮚\U000f39e9\ufde9앬ᜌ礋ේ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\IsInstalled = "㔏\ue2dc씢鴓굋雁泑헭匹ꍸ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\ue1e2蜨盅玹傔㝍㴧鍁멺ભ洸桸⌠稽籴끥" Thorium.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "瞭叶鸲躞ꘟ䕳㕊鶼↺沈" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "婄갪躢`溤䧨넱鏾螴\ue44d" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\IsInstalled = "뢗繋湀\uef3b鼡됁拟᧢뒨\u2d9c炅\uea07딡" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "◹ද「⻘풃ᾴ佧꽎㗍뭔뚆⸋짩\uec94" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "挍哛듕뫎\ue4ef綴틒휛\uf2fb惧훷㸈夬둋\ue43e瞝灻趲퍮ꏁ\uebbe\ue00a" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = "뿢\ue174물寽\U0003c97f揋蕈熵ꍽ\uf854忔뫺鯴읦⡩쓩\uf1f3ㄴ뗒" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "岗䮦宋遱흥ܷ곐৮\ue6da梯" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "ⳓ蘆⬨͏\ue415웥㮜鴰몶虼橱\ue19aည" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "㶁\ue8dd⼧睓盅ૡ띊䩯梞臚쵬龓❠葛脫\ue5f2▜\uf656\u2efd" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "룹ꪵ륍킿\ue038䀦✄\U0005c287娳陿譤뻘삉ꊤ롞" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed 
Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "♒쉎ᰶꞨ˕窿\U00034c52䲻ꀲ祌ᥰ㱳㹠쀇╡ࣲ芟긘垴㤊" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "毫ꚉ頕삡丱텪蝏\ud7ad⠯\u1cfb夐ⱊ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "䔑벅߰徴職鱿\u0e71㥘姷" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\DontAsk = "\ue4f6큂ȵ䕒䊄廱贘贈豰Ɇ鸜㩠䋇" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ = "𮋓㘞㧍䦏簭쓙뷲魺ﰉㄉ존蘞셵卟询碋锲ᷜ좸\u0af3즢뙥" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "᪓䜫㦵飭妧謕\U000951a6䰀⥢Ⱐ䨢" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "牧㹴\ue177漌\uf6e1芥颹癬睮峮伅" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ = "猉尪\uf7b9申\U000c885b验赌㹒ⶤ쬵\uf67e㮢빅㣟㶑ⵤ铴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "鈋爂惌䉃쾀ᔅ蓝ケ譒뵴밋扔냙Ѽ✹仹\u20f4" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Locale = "ꘛ\U0007ee83㈮ﲇ髵䣱賜莒㹘基醔贪뫞\uf8b4躅淁ﺿ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "㚜麗輧\ue817粕ꍺ聁쪔텶滔\uefa7ﻥ餎એ\U000aadb2怠䲄썡\U0005615a饉" 
Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "\uf7a9凈⋌䃰Ꜷ룳抝ꫤ澪흛茾\uf4d2ᖉ\U000c0e3c萇销퓡ፎ㑉琂" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "힀ग़貙\ue46d鞹풺\u1ade\uf460츷᰻" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\IsInstalled = "㝮䧑鿘돋\ue68b屌ⅆ\uf66c㼛椸耜㐻" Thorium.exe -
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\drivers\hostsvc.exe | Thorium.exe
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "쯇\u05ca\ue7e7钨噕➗庰ꑍὐ⟂⥂鞺歈꺂߅面뿽" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "᳃㜃쁅ꅠቃ䮲ᮿ躵쒠ﴍꏮ콞ꐁ틻\ufff0\U0006033b㙢ั" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "㹝쇂樝\ueb3f\uea5c\u0ffd蚃\ueb6e리ー뇕ꀳ泻" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "\uf436Ꝧ\uef44\U000e4b4f叙ℙ\ued34歍\u2d2b굼\ueb47略坻옺阄珘邃궿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "趧봞䩱\uffff経쎘ᆗ䅽덂ࡅᔱ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "\uf31c킴㵯\uee00陰゛ꪞ䨙Ṭ⒋瀋䖇\U00057919䬎\ue407" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "ķ绢䋬溝뭤\uea1bې㈺錐疸ྩ襕\uf178댮꩗氢ⷊ譫" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name = "\U000f5d03淙盼\ue631玒졝⺛\ued07⨀掿\ueb87㹡樲薘ƨ鼁舟" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\ue0cc㝨\uea53惹\uf8d7Ⴊぢ䜢嬁舑됓ㅟΉ⫳特들瘸\ue6f7瀺㏸䜏䘿ꑝ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = 
"勍⟚燒Ⅰ멖ᮿ콎\U000c17ad\U000dcc87ꖝ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "푉軦ഊ뭀\uf613\ue6b6븵픶韹\uf794洸賅퉝ㆉ\ue28c㉍㌦돾" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "봙ⱃ̔霱輟뉫溲鳫쭟夼鯏" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "밊鬀㯍𬗘艅럦빶鳐䣊캬쉝≇䳠鳡➍킕鯱灓꾣" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ꋴ붩橪ⷧ퐹\uf54aଏ㊮㗳ꯏ枔ޡ䆺蝊쨴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1\FuncName = "惏禘㏁荳䖼〲鞹⃑戻᠆쪢㖒ΐ컦刐扲" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames\TrustedAppRoot = "\uf8d8\ue730ᴕ䳺ꃀ⻮陑错\uf49d\U000389ee붪㓰ꀁ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "쓕䍋頌遫譊ȃ\ue60dᷩ㐗\ueb5d字뜵\uf40f\ueeda딓춶\ue093" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "냴उి㤟ƥ柆璺먚ꤍ⻘뒪\uec6d‾ᓺꠅʳ癊鱌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "q뤦뚑\U00040760돍䣪\U000a6907ᢼ鹂\ue2ca劐氮ધ\ua9ff" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = 
"ᵎ\ufaf3\uf2db咲\ue07dା냼궰䡪㲁傯仲峖" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "\U0010a389㯝㏍纄삊눛鷢䋘ʠ䈝簣씊쮆\U000a2283禙傠넆⨍ܗ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "Ȯﰩ驖愾촧蚦縿ᓓĨ卻흯꾽铤띃ꆅ\ued83鸜\ueff8⛕䂷珴⸕籶䧔" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "✟刟ﶨ\ue392冹䣁︵쐉떀Π⪧" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "\uf31f꽄븛캻㒲規ꯥ䞃镺㼏즏橭旐椺찉ꋵ叒峤朵샗" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "冻䌊ᓺᑈ嚖⮱\uec78脒蔂鬁돳嫿酏謎럿좗ﮟ芛췮泧" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "늫꺊ዏ땏\uf536媏ᯤ瑱⛒黚⠗" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "ⷐϿ㝂ﱯ\u0b7c戂蒤ꗭ渵㓮\uabeeჰ\u2d2b怕\ue302" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "릔ସ籮\uf5a0䟿㓣\U0003d33e\ue5b7\U0006ad83ꉬꧪ㳔" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㤇걑洑䐉\uea9d獛砀\uf757\ue57dઃ\ufff6ⴸ\uf0ce娭끗冂᭮\uf4aa奥琏섌\uf4c4\ue2cf" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㘋ᦹ捎䖧咂触ය茩ǖ얜" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "┾ᘈラ斞쯲⾴槇蔱킺ꪂ㚉刬䬁㊓㣬캝挦뮩ᕍ䁺몫蜋兎흦" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "窺拥\ued49幰墙摕㎧\U000c363d鼲멎\uef33盇旑瑹ㄘ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "舑쎵䡮봺\ueeb7\ue703泤怰勍䢮ᎀ瓐빡㤠䟄濈頯庇ᙯ\uef0d聿䦪" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "s埰\ue156ᄢ㫙鐿ᢙ\uee7bぃ\uf11c\ue0e3ᬇ捔佗" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ⓖ\U0005bd5fሂ\uee2a္죆\ue8e8\U00083ac1䌸罸葬䔵ת\U0006e64c렃ᦏ䶙윃骁阈" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\u0ef6Ӷﬨ踮끮\u2e64村쫍\U00061844ꝱ䷐\uf87e沲\ue524㲏홧" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12\FuncName = "コ䈣툢\U000381f2㌝垂䣱砱⨰ᴎꂯ膨칺ᔎ\uf2ea䶞㏧쿉㐬﮿╼" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "ᢌ\ud7c9춽༄ㅤ\ue4c7렗㠄㭎쨤뭎\ue14f㞶楯\u0bc4訒\U0010adf2ffl䇘" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = 
"鏠鄌꿖ᾋ᪺鎈躯鍮쵢伥攷ᩈ\u0be2塞Ξ黮砅" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "㊡몿Ⓨ\U00048bd9띄펣䉏啯壔蚋➐" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "耉Ꮵ㐃響螗ᇊꀆ퇑独茧" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "㉕撦≓\uf220챝\uf54e\U0005d5ccꝝ秛ꬷព賨" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "◞வ䲭픸\ueb80\U000b68c8啉糏䓙" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "謻ﺣ庱좏핶㸏訍晉詊㏠론ꀬ紕㑌" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "擳仯᩺柳㫸㳢둗࣎⸫끩䳱\uf7ce퍑籀ᄉ촀檻\U000616f2៲\uf349猉" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "튿벾㷾︀몄ၣ\u17ebꙠܦ⩐婒턯⊿ꛗ鈭ໟⴇ퓊耸䇼𧻓" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "딚刨\ue59b\uecd7ᾃ㕦\ue0b3쌐\U000491ac\uea8b\ufadc茢쳱賐\uf554灤⺓穃\ue7c8" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMd5ThirdPartySha256Allow = "齡푘龿\ue06e唔퇪벳쉏褎촸眻粨扞黯냹" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "闍陔芝㦗翪䧧諒ႋ㹑휪ـ蚵\ue294阃蚶\ue151\uea2e⧛\u0c5b룍䫺僜ꅵ\uf5bf" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "࠶⪇\ue78aꈈ㭤ಡ鱘髪랲㛹섍ὧ㳓衚㻅䛪볺᧿ᘒ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "↙\u0bbdꤼ\uf5cc웋ᇴꏵ栦溙Ķ㵦皦\ue0a8惄斑밧\u2d77녤" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "䪋䭄遀\ueec9⤊쒔ꆒ䋄檋ⅵ솑除ᓛ䐮暺鼉ᠧ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "שּׁ\ue8e0廒\U000e6aba\uefd9\ue997縙ઃ媶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "\uf7a6Ὓ\uf856ᝌ遌蓼ꀮ虄ﭣ⾱聮魚☸챒\ue694⏽熦ᆳ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "齦䦞豷㖬朠Ả昛怎釃腟ᗄ\U0003e718㭗䡶Ꙓ\uf5ac︥㳇쪶면䷤뫬慆" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue226𗽮떔䅜쭊\uf656ポ颍䟜\uea80\ue8dfԮଌ냚蒨셄퉶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "寨烉X飺퇉秄芅ꦫ鿫➣夺᧸ꪬ㎱厉㸭罍\ue06aセ鏏" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "⮽厮ꂑﶋ\uee63鿒̼䰨㷿\U0009fa4c륆䈷臒죧먻嫏Mꑬๅ\uf0e3\ueaab噵괥" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "椅ꡒﲨᕓ缰噤\uf52eṺ쬐쳃ѷ\uf1d0材" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue896\uf486⩌\U00088c9f酣뮿̣꽄랝셱鑪鈙㬈뾵뾃墚\uedbbᳫꃥ㴌㸴螣" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "굞\uf7386皾跳䑹\uf295ꅶ纍縶ᘒณ\uf35e\u17eb\ue517荛" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ꄤ№柂厰峾饸\ue7b1䕋\ue5f9\ue686舮" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "逻팊톴惲㨑킺ⵍ䑪笧芡謎\uf56f\ue18c➄﹢偃㩔㥳殹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "붋鏮藫\U000a0fad慺\u1978壶䴄鷗\U0009d8e8ዜ懠⨳ᶪ뎖" Thorium.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "䕳\uebee䭔켲秜綬쒄ݒ覔ᅲ\U0009f8e1ⷺ蹷䡏\u2437誥襉莇" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "믏㸄淣\ue2ab\ue11d껇\U000f5a3fሣ誤ɔ姰㑃㦛烆潺濁ગ详\u0b0d☼" | Thorium.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\Geo\Nation = "\uebb0Ⴎ\ue6c2‴̐쎑ꢳ⃞컕쒾" | Thorium.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Modifies system executable filetype association 2 TTPs 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "\u0a5dᡙჾꦏ뤗\u17fd\U00106a85鏹䂪籒讻潟阻祒돖郌朼\u0bda꺵麽닋" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "쎵섬ﮖ\ue7ee쵾齥ᮏ⏎䩐\uf4d8蓹\uf8ceꁍꞄ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "➐眽邵蕡螄\ue735笳睊炎ꃘ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "壏ꐶ뤑\ue20a頀ﶟⷧ撺\uf144捳芡\ue39a뼈" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "麡竫螧険뢥ﱵꭾ減ꋹ筕⤼៱鳤褪ᒚᬆꙅ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "צּٽ㛵\uf8b0皅쵏꘤㻚쟭頛샛\ue2ec吸\uef98픻羛蝦" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "\ue275釾륺⯗輵굋\U000b9ea9輰⾡ꋕ怙⊷" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "릉韟뚼库譖䇾皝駑\uf8c4蜝ž" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "⸕\uf305\uf5e6ᨻ츠毧\ua7eb羺ꭩ滳鰬뉧虁궘켍䳘膣ᄍ峨篓\uf546䑗" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "\U0004a863ﴋ鍢㫻ʘ凨⅄㐎币籍冑" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "⿻ʆ抭倯丩ř矣\ue3a3ﷸ쥦\u2d99煯៵퍁胷踣潇" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "櫐칾ಡ⽭㫉谼>ᾦ搉虦宮㥬꺻퍡讄鼙缬娕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "赋暛ᾦ䫤뼚黯\uf592蟶싈\ue599飺\ued35ꄢ鳁" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "飆Ի牖莛鏈碞⥔㎌㯼寪\uf1e1" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "ᏹ犠\ufb0f₱溍\ue70e突萩ꏲㆽ蚹燳섶" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "ꚗ\ue6a4谿䀶袂ㄽ⢫\ueed7쬴\u07bd㷡붟嶙㕺鵪萲\uefaf瀨緸" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "ﻯ제韹輸\ue767㠽榜귂뗶ꄡᶍ쓏\u0a7f歖" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "鏩\u1b4dꞁ\ue998쒽⧱훉ꛞ쮝ౡ뱸灖愡﮲ౝᣯ㶉䦼駭" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "隤롌鱌ᕦ綴ᘁ\U000856f1⼻싿\u2fe9蔆捙鉜\u0fec䟨䛑쌕腞唔搓旆㖹ഠ" Thorium.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf3f0בֿ\uee2c䨉芩蒊\uef29閥\uf801┡㝉靓۬" | Thorium.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\desktop.ini | wmplayer.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | wmplayer.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | wmplayer.exe
File opened (read-only) | \??\H: | wmplayer.exe
File opened (read-only) | \??\I: | wmplayer.exe
File opened (read-only) | \??\K: | wmplayer.exe
File opened (read-only) | \??\O: | wmplayer.exe
File opened (read-only) | \??\J: | wmplayer.exe
File opened (read-only) | \??\U: | wmplayer.exe
File opened (read-only) | \??\V: | wmplayer.exe
File opened (read-only) | \??\W: | wmplayer.exe
File opened (read-only) | \??\X: | wmplayer.exe
File opened (read-only) | \??\Y: | wmplayer.exe
File opened (read-only) | \??\D: | wmplayer.exe
File opened (read-only) | \??\P: | wmplayer.exe
File opened (read-only) | \??\Q: | wmplayer.exe
File opened (read-only) | \??\G: | wmplayer.exe
File opened (read-only) | \??\L: | wmplayer.exe
File opened (read-only) | \??\N: | wmplayer.exe
File opened (read-only) | \??\S: | wmplayer.exe
File opened (read-only) | \??\Z: | wmplayer.exe
File opened (read-only) | \??\A: | wmplayer.exe
File opened (read-only) | \??\B: | wmplayer.exe
File opened (read-only) | \??\M: | wmplayer.exe
File opened (read-only) | \??\R: | wmplayer.exe
File opened (read-only) | \??\T: | wmplayer.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe (62 identical events)
File opened for modification | C:\WINDOWS\SysWOW64\msmgr.exe | Thorium.exe
File opened for modification | C:\WINDOWS\SysWOW64\svcboot.exe | Thorium.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WallPaper = "䤮\u19cd술豛㴾꾸鮜巧Ûဵ鿴ࡿ햎鯔⍹㈪俦巉됨짗" | Thorium.exe
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\System\svcbackup.exe | Thorium.exe
File opened for modification | C:\Program Files\Common Files\System\hostagent.exe | Thorium.exe
File opened for modification | C:\Program Files\Internet Explorer\images\thorium.ico.exe | Thorium.exe
File opened for modification | C:\Program Files\Common Files\System\syswin.exe | Thorium.exe
File opened for modification | C:\Program Files\Windows NT\logsvc.exe | Thorium.exe
File opened for modification | C:\Program Files\Internet Explorer\svcagent.exe | Thorium.exe
File opened for modification | C:\Program Files\Common Files\System\configtool.exe | Thorium.exe
File opened for modification | C:\Program Files\Common Files\System\svchostcache.exe | Thorium.exe
File opened for modification | C:\Program Files\Common Files\Network\netserv.exe | Thorium.exe
File opened for modification | C:\Program Files\Internet Explorer\Connection Wizard\server.exe | Thorium.exe
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\WINDOWS\INF\infhost.exe | Thorium.exe
File opened for modification | C:\WINDOWS\INF\driversvc.exe | Thorium.exe
File opened for modification | C:\WINDOWS\Fonts\fontmgr.exe | Thorium.exe
File opened for modification | C:\WINDOWS\bootcfg.dat | Thorium.exe
File opened for modification | C:\WINDOWS\Fonts\fontdrvhost.exe | Thorium.exe
File opened for modification | C:\WINDOWS\SystemApps\winoptimize.exe | Thorium.exe
File opened for modification | C:\WINDOWS\SystemApps\taskfilter.exe | Thorium.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
936 | 744 | WerFault.exe | 79
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (35 identical events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe (28 identical events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmplayer.exe (1 event)
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "脼\uf54f퍧옢\ue010䔗荍䌻杕\uf6c6뮬隻\uf4eb焫\uf4d2뀟" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "桷Ⴏძ髆茲疬閤欂䑯퉦淧ᨦ䫣෬㕗셍핳偭답쳬樹" | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "ꨧዋ\ue357䑩㜹嘝ɿ丶⯀辪\u1f4e徕\uf593" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "ౄ挖\U0003a295헾栖⏉赯獤眠\ufb0e\uebc0\ue0ce鈷" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "䑨겟ⶈ巫\ue224ᴏ貧ûㄵڼꢁ鄿1̺涋왉ﳀ烈ㄐ" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "ᾰ咍虿㰴콏삍쪪䔇⋑퉦℧\uf53a⺙ो掃㣂峫\uf848" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "\uef1d娙ӡ\uf42c៉加禎밎\ue42c씨遥ᗃⰇ" | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "㕦访ᤋ魦꽃켢ܡ숪䜹㇓\ue2a3폡\U000c9b80猉㴸ꤹ燰" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "ꙷृ웎웎挒긑压ꬼ\ue413እ醹᪲뚐䝜럭灯퍃ᡸ銼굕뤿⇥" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "灥繶ḿ意\uf68a䌠㕿皕刹㴸鯅䅒ꤝ佋탴" | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "嬤´䙑㣿\u2da7䈃쒝ㆦ꼨ꈫṏ섷㔹ⴤ颷嘚쏅纇\ue3c3濅更誚" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "쮒⮫訲\ue404蓑驑㼘쫠昫滑擎\u2d69瀱굶⾤" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "┹ན篰춐뻀ᆲ✈딽똋捰ꇞ༶橆䩥놫⑪쏰곷傔" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\U000cad97뗔ᜉ鋑麑\ue2ca\ue0f2馄\uf13e撓꾪늦᠏\uf81a儧晻⽪⼈㵱縤" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "ﴊ\U0004bf06ؽ\U00100026Ὴ莵䛏\uf79e" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "䉃푵櫫쒫\uab1b\ue551\uf0bb\uf365\U001075a3ઈ㢼\u18fb腥○압ᮽ흧\uf7c9뮠溯" | Thorium.exe
Enumerates system info in registry 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "ᘻ뭮ő재䄙㦇F€뉃痰\uf47a⤛\uebaf\U0010ee4f洛ꒃր娀" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "ꌧ㮌咯䜩쓔짓趖ྡྷ\ue7c5\U000d02bf榩쭭뜵\U000d62c2ꐄ\ue80f\U000ed029祐㪤ꕚ" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = "鰗즯ྕ䂃ધ\uf595흜䠟钛ן𮗖박\ue64f\ue144︤䟎韚挸캣ꄚ䡼\U000bd613" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "둑浽\u197c⒥㘺솅ﱒ\uec35䏹厴邴挿" | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "㙏뵯詭¢槒\uf549蹭懨뿌숗橝쐘酕靴䴛滹Ტ侁堓例" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "惝ܬ썳鵳睃Ự浔䞨ׂ\U000c53cc謌\uedb1弙\u1680➓魿𥳐㔩ﱭ䉑" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "\uf791佒嵅䠉\ue04c\u0d49紭쇂\uaa3f韸ᡥ븪" | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "\uf1baT㰫磶㬇훁단㶒໋̫篃ဥ㦯ヲᔒꞁ\uf518瘈榨堓瑟" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "䭇峉\ue462뎈鈃﵄蕬晨ꀇఔヾᢳ\ue3f8枋" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "橮䰥듡\U000cfcec⒵鰡宴ꔚ봈" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ࠦ둸Ồ鰆【ᦝ벷秓倮䗡" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "㞊ള\u0891┟癛ڸ岽\uef02鳟\uf8e8㟐\uf5c7冱᪽훦ㄥ섀淨콨\ue68cె" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "\ued12䟯耰寧쏏鱖騮뺡舘烒濏\U000608f6擩\uf5e8㤟떑" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "왗쒀घ哒箣\uf178⸓鞉\U000df4c8䘱" | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information = "労ആ㙥Ǎゴ愽픮\uf722ঐ㚇指\U0004b08e莿ෆ┴" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "尒ꌛ띫䭴ဗ菄罾鼱ㄘﵸ㸳" | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "\ue4c6휷꼫Ҧ곐辛\uf737\ufb0e㈉ᡅ鋅猶䚳䋳꩟" | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = "䟎ᖇ\ue063ួꟗ࿋팙㗺苹癪濖䛶橉朙屬秹ﶶ鶜廗璸檏" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "⤩堽\uf872䭰㠱\uef31砉銼淛頨䉱嶏뗉\u2065줹듩擔婤벏灓뤿뽯" | Thorium.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "蓖捞䭣磼䞑\ue95f껹\uee71ƪ楣ね뉠ꆯ쓧Ⓢ" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = "➉膩簮\ue062\uf1a8Ⴋນ͜\U0005f4dd鿽뱽枌" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Thorium.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile = "ꂕ课\uf0ccꥰᯪ홂\ued2d❨\uf5aeᝩᇍ櫶" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "佺ㆍह囂ҕꐙ餬㙓䮭ɽ뎧䐂믥彝᱖䱚Ꚁ萆⃟" | Thorium.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "ᴚꄶ\ued41啕㺌駶ᚋ\ueb92\ue7c0ꤺ寮᭄鿍강央쀤ᔼ\uf679Ნ沾ₓ膡" | Thorium.exe
Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "\u0a57𑅬柈盩픣욼䟡\uf656\U000c7d24╽踼쵂补搇奐" | Thorium.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | Thorium.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\StatusFont = "\ue270\uef85\ueed0桌댞へ蓬\U0007d0f8䬋ᆯ喚\uf524果ဆ缢" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\SnapSizing = "ᷙ㙉쀐\ue87d⹘壤煐唜ᨗ聉" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SmoothMouseYCurve = "魋魍\ue82b鈱⁔퇎꿸⪧㰇夀鍳熜팘썤" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SnapToDefaultButton = "臶突Ú罸周롷뇁湜擧錮袴氹悋싛ナ㩆\u17ff" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\GlobalPowerPolicy\Policies = "紬ᜩ㽵ꋦ\U00071e29㾡ڍ탼率沖䤉驅ဂጽ閔妰ⵉ\U000a4688휮㬘" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ScreenSaveActive = "銏“Ⲿ啓鴾銁\U000557f9칣럌怑" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000201\Target IME = "𢄶㏶걖캦刻ຟꥬ\u2d9eɗ頽\uf22e\ue2ad℔අ烝꾑៌壦\ue757ꦷ" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\StickyKeys\Flags = "퍇\uee72溪ﮄ\ue65c추⎼㡱餺붣ꚻ鮏溶\ue969" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InfoWindow = "ᒳ즇ࠖꏌ⪢磬ҷ郚齏뜃歋激燡\u088f貁\ue51e✲" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\HilightText = "쥞䤸悍풆艺ᢒ趲\uf89d\ue5cd蕯돳漼\uedf8뗚㴹ꫜ矴傕" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeAll = "겞嵙ℌᇆ麒鉱碫쓛獉\ue781∧擀׀艬\U000f8f2d⩞濢轼\ueff4됦\uf4cf䨘" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Key Modifiers = "؋\ue77c헟䂿쿷欬짎돂㶥襠\uf46bᾕჁ쏈䇑\uf18b" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\AudioDescription\Locale = "詎䀠檂摶⩀酏鑲붊ᘴ㑡⨌" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000012\Virtual Key = "띊팊↓囦됓釣ⴵ茯帮豝㥊\ueb9cꔊᥳ焇휿右" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonThousandSep = "\U0008b071酜㤿敛葪귯\ue3ba\uedcb\uaa3f璹톪筱酓楐抏鑆⩇鼪\uf30e⎡ꑅ䌾" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "࢘\U000f5147㪚晣寧𐀐咲훛⽇" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveBorder = "贜滌瑲侣꯷\uefa5棩\uf227❾ꦇ庉㵈磜ᬨㆇ鬝䮃" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "躖䨡\uee7b㽅\u0de2㔐߿猉帧\U000a371c꩒Ӓ部폦ᐃ阣랇ᔗ曅๓\ue83e" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\NumShape = "ᄿ憏\uf751尨됓菱㸚垮\ue54f𐏑엑\ueb6a䩙妪軀\u09ff" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iTLZero = "ﯢ븜춑肣Ȥ╋캓\ue83c\uf7c5\ueb5fᅇ瑂莙뒳腌⬇ㇷҒ\uf6eb嚗ꅓ퐂ક" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-850 = "嬀矜釓吹帍Ꞌ煊△荬䅄ﻔ뜹瞗\uf048鸂ㆴ՛㔆" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonLight = "瓆겔ꊏ궥⧆등萶퐔đﭡ쨑\uf8fcﳷ輾鵆ﵚ藑蓾\uf4c5\uf5d0缊鎹" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\WindowText = "ﱮ໋䁖吪ƫ犓凬薒屮\uf21d⻝カゆ" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\ButtonText = "흄\uf66a뻽鰪\u2e63\ua7ef㑀땯獇활儎뎜瓝" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\CaptionHeight = "䜠壚삎\ue27aﶄ\ue0fa뜺₊쒀伲\u0d65ᥜ눬봿雅莅\uea20᐀\U000ec298婮" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\IconFont = "⽼댍²夻\uf106𢒓褷㲷䥍" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sGrouping = "撚놙\uf304屏谧攑\uebad鿎漻㟷⣖罰뺿੮튵" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ClickLockTime = "˗⭆᠘\uf74f䂹㒄ओ\ue5d0鵕㦁唷탡竎ꞔ⳱뺲" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\RightOverlapChars = "퓟핦\ue184麍塶隃紺쮅ᳬᙉc蹂\ue539㕷ﱳ䟮\ue097ᤒ\uf3c7ಙ骿䌑" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InactiveTitleText = "覣\u008f灜椣⿈Ŀ৴뭅╄ꎗ꺸ദ皵喭\u1f7f뷌盬" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\SmCaptionFont = "\ue7a5舆䷦ힶ儺뀪梹േꋦ皸\u171c\ued2f蒘롘琗傺뤿⯫緟닄\ue4d4" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Show Status = "፱ꕆ좞趫冬틩ꓺ빢\U0004c0c8ܵ뎂\ue89d\u0d97\u187c⳾簪蒡" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000010\Target IME = "蠽\uf589摲\uf6bb惝匁ꃆ슝\ueccd⸨貉\U000570c3笊㑐甧鑥\U000acf8d\uf5a6廙ฏꀺ" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000070\Target IME = "嘃鎳몪㗻೬㐽穅䖌ꔴ䓦㜩\ue519謧鷙핌Ꝼꮯ\uedd4淣" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonDecimalSep = "뮆\u07fb뒭⻑鷭鎥뼳ٲ괓\ue9b0𩯃╭떖" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\SoundSentry\Flags = "\ue49bཨ洞☣覛⸲먇屚鼃〷႖\uef37죪缉" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "ᶮ䫣ᝪﺀ됖Y\U00055a54렠𢵎䠫嚦ᜅฆ햁" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\AppWorkspace = "ꑧ껯߇\uf4b4₋晧\u0efc绥ꬹ\uf076獵\uf593皎\uefa4" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonFace = "\uf25c፻盎걣⸡듌岝鴤蔿\uea5eć̫낦␐ҋ列녨僎嗦㢿붏갺↔" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Key Modifiers = "뇍懮퓊\ue29e딫蠗涉췧㤍㹇퐎ℹ圬ꌬǒ䛚魢" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstDayOfWeek = "㚾ᙃ㩓黿𗖌ﱊ\ue829붰薫駕Ꮱ䝭뜣喬\ue0bb넱\ue23c" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeWE = "㪻꜄\u05cf㕮嫁\ue26a륷癷蛩斗ⵋ嵙\ue67cꄩ聑焭" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\AppWorkSpace = "ઞ②벫蜛߸輺吗⩟욌凶醮ᬐ䩚\U000de23b䅘䰠" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iDate = "찱\ue61f睶㙽膋ᮅ뿷塲柁\u202b냱춥斅" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Keyboard\KeyboardDelay = "턈亡\ued3e\uebbc袦곘\ue382\ueab6⌻抬캙䅏ᨦ捿地\ue106乭\ueac4滆籧悂缾" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\Scrollbar = "┭肋林炢╥遵뻾蔉ꮦ똧텏矴譍\uf68f" | Thorium.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MenuShowDelay = 
"\uea38켪큦\ue464鶙굞萅痙㣳줷礕칺良泙䰳毡" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\DpiScalingVer = "\u0a45蠽糆ቤ䢽ヽに훝䔮䘓肉䧄게띃汾\ue00b浸뺝隁\uf058묤\ue95a༌" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\DoubleClickWidth = "尅\ue6edⶈ薑磿恣렸㎝\uecf0刴䂷斟◊瓳ነ\U0001bb1e" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\4\Name = "墜㦙ẵ᭄稃답舅럖調럡\ueefd쉑\ue6f9ख़㕚Ꝏ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\MouseKeys\Flags = "꣓齪ъ넥\U00050609\U00064cba\uf865釕\uee71쮄릆烝㴐\u1f5c\u0c74ⱨ킏\ue80b꼄㞋" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MaxMonitorDimension = "\U000fc538踔胥\uf8beቝ뭣\uecb3\uefdc骬솞\ueb7e꺿䄄" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = "쩁΅鸬֪ᝩ蔀₱遴᷈ᕙ皺\uf663㟯꾤럑㰦⣹ꤽ焜彋" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\2\Policies = "膚䢤횮\ue415糫툻뷢ỗ薪奧㧝\ue69c\uf2bf䜌潰⼒況\uf19c椭탘樤⮒" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "꼣湬䦣犲螈᳀퉰嚯䨖몫\uf6c4谸" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "ਞ蓉\U00074255ꩻ鹞\ue767\uee85\ue763\U00107584\u218d⌨鰋ට㪻皨㙿ꋦ쵆뚹ɋ㼋" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveTitle = "\u2fdf㵙撬ௐ답ᤘ௵繤쨦\ue84f䌙" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\Arrow = "롍잙\ue5f3䊮䁹魥揅뎣ᅜ䋳㸹ᭊ癳" Thorium.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\Window = "➐\uf481ꬋ뉳訁韣\uab1f㍧ㄫ칽孥μ\uf715诵욈" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "䕩杦ΐ\ue620㱙ꋩꦂ\ue08f툪\ue254浰遈剝檊풠" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstWeekOfYear = "⾂扽㷁\uf478썠\ue8ce컷愜幚琥\ueed4箛옰\uf5de폪៤" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "⠔\ue3ee뮡閳爉华쪟蛨渟虆ﰈꎧ\u2d7e\uf77dạ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "塆ﱈ噃뵔\ued73暄\ued54뀱뽤䫠左⧻簩\uf1c7䋼怵ﺥ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sThousand = "䤉퇭㱚\U000ec920⁷贕齲㗄步⩳쏜厭롕" Thorium.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "᫄\U0008be76뱵☽暝뤬ᤓיּꎂ脇\uea30襨ㅥ罳\ua48e雿眴䝱࿑亾" Thorium.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E532-0000-0000-C000-000000000046}\Compatibility Flags = "焠밁吔Ῠќ赕נּ۫\ue1ee睤ᢪ\uf457\U000aa1e1˵筯狼⎥\uf020縻윣\ue961" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "⒖橷妩\U00035cf6빱\uebed뛛ꪭ䚯\uf8b2ﲧ\ueede鲉螬㢫" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA8932FF-E064-4378-901C-69CB94E3A20A}\Compatibility Flags = "랙컀\ue038㢵褴谤⎩몶뤧൝" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\UncheckedValue = "逸\U00036423뜳燙벑퓨ኑ𱻻ꇳ顑壃" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_FLUSH\HelpID = "\uf826룦댶즕\U00065bb5ẖ㞮䱏䩪嘋ࣽУ悪ꬆ噫鶤쐍顾筝Ꮕ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\DllName = "谎낺쾴؟봼奣称벹下᱓亜窑䬖쥅矠랲砸嫎ꅺ쪏奸\u18ff墨뗠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4FA8381C-2705-4DC2-ADF3-347D4D619350}\AppName = "꽳ꢑ㷛믞䉫⢢\uf6efԯ栦块儝\uf604܊ឲ㋸싧盝䬌ꚼ\uf39e셃晤껫㊨" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBFWLink = "띣ߵ鏳뾲\ue5bf\ue2e2⻫켈뼄휝徭壹⤧" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0270E604-387F-48ED-BB6D-AA51F51D6FC3}\Compatibility Flags = "䨉\ue0ce틑㛹䑤梂ꀀ\ue302梛搫쓹㙙娺줔ᘊ۟\uf383⬜㋛갞戴づ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1908682-7B2C-4AB0-B98E-183649A0BF84}\Compatibility Flags = "雝쨍鐿퍦\u0b5a㏳∗n㙥궞抽葤곯쮨囸哃\uf632₂봪ꁩ댦쎄℆処" 
Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7FE605-A832-11D1-88A8-0000E8D220A6}\Compatibility Flags = "䌀ꁦ굄埒齚囂\U0006cea4⤸笵ᅷऩ䌂\uf856栺ꁍ껸" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\DefaultValue = "䧏ꦞ㘹븸異攓ቆ犍䌹⌋퀐\uf3e1齱懮࿗\uebce\uf71f鐰蔸娩ꋿ㝑渥쒿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPoliciesPath = "襊쪹쑊ףּ\u2e65‚咈쀍㍼偨謋潘\ue921\U000f940a锁럟癿υ窢炵휇ヮꕠ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\DomainSuggestion\WindowClassesToNotify = "踌엎讚ꃌ\uf0c8˻窱딣蓏煢잣ⅳᘿׄ뀱" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe = "\U0002fefa╫刮矓롱\U00066623㍘赚諴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\UncheckedValue = "狶룓눪ந⠂싎明䲑軚\ue4fe" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "鱭Ἑ\uf50f䌊瘓纫懑咤銸卾ק\U000763b5ሇ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{210DA8A2-7445-11D1-91F7-006097DF5BD4}\Compatibility Flags = "ꜝ줘趠ꙙ鐴䂇庂꿓ऊ鳠ஃ㹢\ueb74ᷳƐ絲뼚紂웺䨹㭶" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}\Compatibility Flags = "➨퓪릙\uebc9馟ፉច퉎⎭䗨뫿ᄟ⇂\ue932" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDEOPENWITHEDGE_CONTEXTMENU\UncheckedValue = "賋楇\uf7fb\u0ce4琏鶈䶨홁钫㩢磔뜟ࡠ㞱䡪" Thorium.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RegPoliciesPath = "崺꜌䪩ꗶヱ⯀孅잊\ue4ed\u1257뇥㴚កॡ㳞Ǔ¶么㒕ﺢ섰" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\RegPath = "鳪٧䡅⢝玜꽵ꁍ臘ꃽ\ue4bb\u0600힔欉큔" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\DllName = "\ue352梈\uea8b\U00088106ଛƼ㬡ꏘ욍䷞鑚⾥巁폳ﰙ뼪뱲" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Build = "\ued5c徙ﺳ쵄浻ཱུ뛗❛\u169f勋臌\ue549ꙿ\uf247愭𬙷\uf7a5䰲잺蛼ᨶ彥" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}\Compatibility Flags = "澪晢鋖깽܌ɴ䑿ꄰ㎿墉ﱇ묂" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\Text = "쟂欨˰럎\u0893ߢ\u09c9寮໋Ѵﳾ鼡︐䅐綹" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\Text = "叓쬥ᖔ\ue0e2㑶돣喅矖郮\uebeb㯋뻱ହ\ue179켡⦓椭蘖闞\ue6e6䕂ؐ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\CheckedValue = "ﬗ汖쯇㤰鎤搩氅磖▴䫼ꍙ钕邉久\uee99刊ࢢ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}\Version = "䆪쫳묰ﯖ購塔啩〦뾰ຫ蚉" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}\BlockType = "㬅ဤ澒ﰹ\u1a8c喿\u0bbb饠峨䎄ङ貽놤" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}\FWLink = "\ue63bꂺ캷⫲Ἐ\uee5a봈⚍躏첩䓰੶骨\uea30滾鍊릚秡\U00046b04\uec7c괏" Thorium.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C80CE4F484A66E40BBA6B0B6F231790128B8A7BE\Policy = "緊㴤㝠蓜⌤閭\uf875✖ම歊" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\HelpID = "砅혋㴈ૌೆ忨\uf29d㖗㋧汳衑閺⚷䅦" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00020906-0000-0000-c000-000000000046}\CompatibilityFlags = "ꈜ裦摝숹㢽虛郮赹理鲆辋䑵ᰗ渵㽟滙儥" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A202B231-EF71-4A08-BDB9-4CE5AE8BDE0A}\MasterCLSID = "뻳躗သ\uf281\U000d6c0b䋑ꡃ녆╃뀉冇⠀먜ᝪ뫪␄㴽䅯洞ᄪ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\MasterCLSID = "䀉\u12bf拰Ἑ씊⊤橦藦⮔뵠ㅾ㈫\uf261" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ᛚフꄇጶ腃\U00016727ힸ∬ᆳ\u2daf㨨礖磼㢈퉇ꔌ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F98BA7F6-48D8-4CE7-A8D0-39D13FD6F14F}\BlockType = "\ue5ffॢ㎙ꏈ⼔䫚⣹變茞卟ㄙ챭ᢅỼ쭑\uf1c5న\u2d6a䜕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\Version = "荼烼븄䟣㝤꽗諅Ꮗ鿍ꐻ싕ᇪ阐\uf69c꺔믘⒯屉筵䮣ৼ\ue8fc" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f28d867a-ddb1-11d3-b8e8-00a0c981aeeb}\Compatibility Flags = "곯ⶨ劼ѧ啳뭇믽殥漍⻅\u2efc㓍\uee4c嘥峾挩⟓玱쎟\u07bc\ued20Ⅴ漿삄" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Bitmap = 
"吐îῶ딂\U00067a1a\ue956䖴⣠\ue5e9\uea17厥ꮾ벙⾉౦쭬ﯿ䰶퇼ᅃ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\RequiresReboot = "⎼⽣늼唛나⽯朡彷࣒楺\u0b78컁鴴蔞ꭅ秥" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\CompatibilityFlags = "\U0009a6faᖦᨦ쇩밲邭왢ඕ깣⯍㟂⸳嶸敳괜ᦘ\U000ae23c虁義ࣄ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\CompatibilityFlags = "鲀\u1ae5㸮㷁皋虐᭞橙쫂靈ஏ쩎蝔ղ튜쌴ꊿ澈\uecd6幻씕" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "蓜퉸レ\uf6ed㘭燺ӳ꽂貯窰㹊ռ桠\uf2d3\U00088ceb㯢创멧炌椂䠶揯" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "곞ꛌ홀Ꮊ贑掊\ue35f垨Ꮮ\u05ed沈絲⇑ꂋ찶鼜隁ꊊ\uf0c5ヰ疿" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{283807B5-2C60-11D0-A31D-00AA00B92C03}\Compatibility Flags = "㳾댲ꝑ䉕Ύ텣翢ﬖ鶎鎯䴑瓠뙸\uec85䏲" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CECCEB2-8359-11D0-A34E-00AA00BDCDFD}\Compatibility Flags = "卲\ue84f璼녎擉䦂䑫餢쯠㴢ꀳ\uf749\U0006c688\ue3e8懽鰎쭷ᐕ渴" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6DDE3061-736C-11D2-A5E8-00A0C967A25F}\Compatibility Flags = "ힿ諬錚stᘎ養썐ᆌᾆ蒄文㔫파辧\uee9a\u0558" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "\uedd9섶뛠ﳔ\uf2e1\U0008f80aᰥ\U0010e7b5类挋衖㰳焫뺱" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "셋\U0006f015噣堺ꙅ맄赊俢匎Ԏ컺㒶氰ِ秷詾禛陉" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A9-0D85-11D4-9908-00400523E39A}\CompatibilityFlags = "煳⤵㒯쎀岎Ԥ⇕扊약韜ꢱ\uf723ﺭ\uf78e隠跺°ུ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC962137-2E78-4F94-975E-FC0C07DBD78F}\FWLink = "䥚✱\ueeb0뷈\U000c3b15綯鄙䅙Ὃ썚퇏찕蠔퐧봮戳嵏ȳ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "겜ꖥ崑ᵏ囧녠쵤共ȣ膖" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Document Windows\x = "᚛헄Ꙙঌ鯕\U000cf81f\uf2c2첁툤" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\ValueName = "ॏ丝巤訝㵇窹\ue98f忮й泙Ç捩캑뀈ꊸ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\CheckedValue = "抏똡籫㦐难雾頱Ꮹꤒ㠜诤߭⛑吧늦" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.3\Text = "祷䘼熛유᭦\ue75e藤\uec94\u31ea詣䊨繛⩪\ue6d3娃뜹襁냍ࡢಒ⛀\U0007953e\uef1e" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\HelpID = "덦ߑ圦␦ᑏ脧曀ఒ嵄⿵胅ၲ䫠" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\BlockType = "흖곥ﭫ뺩笥㏞㊧﨩苯\uf4a4" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ApplicationTileImmersiveActivation = "ಿ쁲磵衼媣즖袬讪Ꜹॗ" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet 
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\VSTOInstaller.exe = "㴫횋コ啠癰磕ꠑर憹뼝㎲㇊\ue4fd" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38AA78B2-B824-4C63-A512-02FD95FBDF4C}\Compatibility Flags = "鴒⎲껡肢쇃\uefac둬鰊ﴫ㽡႑힚吒" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\DefaultValue = "覄阼\uec53ꟗ仛荱烣퀄鶅瞙ⴱ\ue518" Thorium.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ꤳꂲ玲檡ꀂ㧐쐈箤毻椂횣\uea68摚胑⮂䊔䏊" Thorium.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "蠽쉽趚䕽⬒앚桹\ue53d撿璬稬멒䱲Ʒ⍤鷓忏煛௶\U000f6158" Thorium.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\pnrpauto.dll,-8002 = "琘壉\u0c57眔䒌ⱨ偄跭腲\u0bbbᷪ賚" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\IconFont = "ᤜ쓡\ufaf1䙤ꑃ層♤✟좶禩\u0dff윍ዊ屖䳰" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "﮽駼\uf37b㍯ᚸ놺\uf8c5㈇\U00063913\u1add桔뇪Ӎ햋꧹鸩\u05fb퀋쮥殭勁六" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\XboxNetApiSvc.dll,-100 = "ℶ꩗ሦ衹㝇珝\ue805严栈᎑ۚ䃯젫ཿ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "\uf7a0\uf334쳟\ue3de쐙㷓䆖틎㚙ᓽ" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.MiracastReceiver\appType = "懁ゐ\uee11\uf66d庍䓼曍⳿砨Ἡﳠ氋Ո\u0ee9ꪇ퓔" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MenuWidth = "퓢得윻牎ᆳ悹⢣\u0fe8阣쌶ᇣꐍ㙐鱑\uf142ﺗᜐ﴿瘣풌ꌏ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Console\ColorTable00 = "ﺓ쯗䈟㫞䉖榔\ue6e6\uf5e6싩᧟䃥" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Console\WindowSize = "ⱥ펥谒夭姈猿Ж臾䘩蟱⣫쥩\ue2c1" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.current\ 
= "¢\uebe0≅骜룷튎\ue37c䄹洴\ue505ꮥ䀒⭲㏧\u193c\ueaf9" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\AppWorkSpace = "륱畿ታ匦Ⴤ⊗ῠ䳜ꀯ寏넞錎鬒굕凝賟틯꥟謇\uf3f1寺॔" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\appinfo.dll,-100 = "쉮砘ٽﳌ庆\ue276쯎\uf88a놯欌铏ᎍퟰ༩롳眓\U000498f3" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\StickyKeys\Flags = "쏺鴙搓ᦚ꯵퐧鵜Ζ\uf2bc䳆㛃†놔阹搶ʿभ\uf5d6컖\ue422" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\SensorDataService.exe,-101 = "蚯멂\U00102c98範翏䢑\ue9e4\ue044\U000fc79b㏾\uee6f䞓欉\u177e\ue576ᙤ䄾\ueaeb" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\sThousand = "⒋\uedd1옇\ueb5b嘶\ue88a㧩摩\uffd0\uee03휣붬轉恞㭃鷺ﺉ泥" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = "逿쩤鲕ট嫏\uf47fौ\uedbf㍆\uf5c7ୢꕧ퇣" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set 
value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "ꏺ썕\uf25c᷃ྑ囼\u0f98迿럼춑瓟욦\ue80d뭮ွ○䨠ꁔ" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\RightClickZoneEnabled = "ﱱ㰽욫쳛䎗䒝閆ᯢಋ뀰퍆邯㇕貯" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "璈ᚧ삣᧡ꎴൖ혯⺯밣\u0cb4栺稏踮ຑ譪\uf8dbኪ㝩❒䜶詁ፚ텻\uf4d7" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Windows.SharedPC.AccountManager.dll,-100 = "\ue6e5㵐喔ꞥ颋ᵝ첐\uea98媝蟀躱鱠㶧ٝ\ud7a4嫬╟⭑㍶호쭌؞\u09d1" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\ssdpsrv.dll,-100 = "粥ᬆ㈃ฒ栓띦웄\u09b1\ue276蹦쩤悂덐뼓㤚ࡍ\U0004b99d\ue002\ued6e퐿욓" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\mprmsg.dll,-32001 = "\u0fdb譶餃읬촑뺎\u0e83냑忲퀙䌑ᒫ鍣鉉偤" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\ToggleKeys\Flags = "⫧ٖ卓ᙪ宬𰝹왲䞿鋜斶䊠饴訟岔艂塀᪸\uf82a傥ᆲ័珿" Thorium.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\Window = "ﵷ釒쭋㑤熬䫞\uf8b1䋸ᔺ姊禂\U0009f798閺" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000010\Target IME = "㉒\ue146෫練綜満㈁陙鱶㻋霠煞" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\DockTargetMouseSideMoveWidth = "⑸㬤Ⱘ胉㸘薌ㅋ覝濯鿺שּׁ삺" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\nsisvc.dll,-200 = "츧\ue05f䴦ꯓ篛畄害廻艼锻ប菉䒭ꁼᝍﶥ兤쇇봳︎磮丌굿" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "ᚕꭂ\ufdd3\ue906氂孫\u175c띞樂峗" Thorium.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DeviceEnrollmentActivity\Setting = "㝸\ue316\uf3f4뵛᪻꧗ƿ귫鸕䃐\ue4dc촹㒐" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SlateLaunch\ATapp = "塵굪\ue3a7崔耧ﯲⅠ쵽愀盦㥳\uf785ᨗ曧엩" Thorium.exe Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\ButtonShadow = "㶸吼地ꢅ\u1739ꑮꝌ\ue233嬵뭿远" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.AppInitiatedDownload\appType = "㟟ṽ\ue197ᕎ镣\U000771a4侂ᚍ⢲ᐠ冕枊혧늒騼" Thorium.exe Set value (str) 
\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "姣뒰螖✹譗螴䣹鑡鄱궬ⰱ첁" Thorium.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B} = "\ue038编鮐ꐯ꙱껣崒잇៲劄塎滇ᐛ⒮" Thorium.exe -
Modifies registry class 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\CLSID = "ᄇ䶂䣢㸝ꃷꈻ攃턁䦑쏛仇谂☫\uf37a\u0ad9㨢\uf00e莎\uf087ယ쁃" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\PersistentAddinsRegistered\ = "颮틟拁봝馵澯釪ҡ\uec43馆쬒綧욟ᯤ燓\ue80b远\uebdf㴚捿㧑ꯅ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\CortanaUI.AppXdqzy4rv7kwckn6efgetkddm1xrgzrswg.mca\Dis = "ퟙꂆ֫귈摴汲\uf156䬚缢饑\uece8\U000327e6䋔鄙忏뿆튗钿\ueb64" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\ = "驏併陎먬훇ᡨ갨竍鸐駌륄䴝겉碏Ꝟඝ⋇" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "\U000a8b7d큖꽬䢞倚鼾⯉읖穢\U000c3f36鍮\ue658櫀\U00078d6b놐魪瞯褱" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1083666204-94104884-4233206613-1271453470-922726920-1064507403-787610193\Moniker = "爆〭맾ℷ艻曍鬷큁췘༑䴄뀿틘ᯧj⋭" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx\Content Type = "ꬔ彃㽋缌繥겘\uefee\uf7e9ᇋ츿돌욪\U0005a29a\ue92b\U000b0bde萂" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "淟蟴栜\U0009f5e3ᕵ직魨紅塈此舧" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vtx\ = "풄恽ד\U000fd7ff\uef5b䪄嬗벚锂㮿ܜᐪ鑭䕻蛱뒺" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Behavior.Microsoft.DXTFilterBehavior\ = "\ue281荪鞠뿠ꢟ㉊岭繑ᯏ笞\u181fꕄ䁻낥蚂愆䪳ኺ\u2feb∜\uf8eb\ue5e4" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0997898B-0713-11d2-A4AA-00C04F8EEB3E}\InProcServer32\ = "ಜ혈ㅚ퍍齩\ueb11걛ᝂ൳騂羽鬢ㄠꁖ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.PeopleExperienceHost_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPre = "㜘쇱铜ԭ馇ꒋ射菕\ued86搾忙" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\ = "䮟앓⒳컉\ue61e〻\uf631\u0ad3\ue6d8ﬣ᭫㭵엎ꜩ蜇" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\LaunchPermission = "䖫\uec9b甓ᚗ箚5㇇\u0eea鎬뱷ꪌ㙼\ue210둧榩" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.EnterpriseDataProtection\IconBackgroundColor = "\ue6b9╥작㻡\U000376e7큔풶↕挦ී⊭졠㼐篲竸" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{06587E71-F043-403A-BF49-CB591BA6E103}\MinInputConnections = "\U0010e0ba㊊ࣖ娮嘨\u206f῞슌㬴﮹ﳤ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.EncodeDateArray.1\CLSID\ = "컣觙黤靇ᐻ荄㺸\u1cca瀪\ua95bꀡ諂㢼\uf1fc⻗" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationCompany = "㍋珃隵ㅿ\uf685ᤶ䁽⎏榤잢⨨탵笙\u0e62\ue4bb" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\Server\ = "↓\U00100705紭\u07b9珰D⒃⽸韄붗檓" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal.Bac = "뀕\u0cd2볥ሞ\uedfc\u1759洀뱜㒿鬜똎侙茭ᕪᭌﬦ颕纍๐" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "\ufff6\ue9b9\U000d41f7\U000724ca껈聑㗹ⷐ\U00094852\uf5acᖚ\ueb82삄\u10c8ʝ嫸檼" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1b7778f3-fe54-443c-8729-1e78b0715299}\ = "㥃楳䭈穂\u2e69掺볌ઞ릱딦\uec43센伭렾ᡄ䦂ꟗ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BrowserBroker.BrowserBroker.1\CLSID\ = "枮䟰@㭌\ue4d7\uf044\ueabfﱻ\ue9b8\uf124搖㝫⢱䠷쿚慼㛝䰐㡃\uf7ab" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020819-0000-0000-C000-000000000046}\InprocServer32\Assembly = "쭛蒊篭곳㏚鐢䖄杻闵鬮齇챻彤粗㈚絓₂墟计덅뀱崄Ή꧆" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "\ueffd㚒肩\uee63䏅픯砧𮉕\ue8fbꜾ➊䵨ㄬ\uf8f2瞃\uee96헌" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0b2feecb-1577-4fa6-9a29-bd9022ebcf90}\ = "\uf192\ue539\uf2b5֜䎓㹓䮵ꗍꈌ擼젖ᡸ⭠耗ረ祜쳊" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\.mts\ = "\ue193㈥\U0004a266漯렛요퀕厚鍼\uec1dᔭ\ue4cc봚考\ued99斢铤" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppX4jbzrhvphxte25e0gxha6bq555nrgqzy\Shell\open\ContractId = "⅚㤹뽮\U000ee42a\U0006e84eᕉﮀ❇㾉ᜳꤕࡣ哘䱳⺛⇦索硸皟\ue35d" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}\ = "⫃臒논▛☬噪檆\ue87b枞\ue577\ue9c2\uec41" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wtv = "훳턝\uec9e\ue1b4憓橝\u137f䅠语\ue08aヒૺ솵\U00087d2c㈰侥姯僎戠䋳°" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.System.NearShareExperienceReceive\IconUri = "㊪\U0008d3ecӢ趵\uea92踶蹥□쐯냱\ue394" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000304-0000-0000-C000-000000000046}\ = "\ued40兂\ueb76ಮ\uf78b漰掚㠁获镀좴䵎\ue2c2རᓫ嘢靼嗓ꡤ绞꘧ꇪ礸" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B3FFB92-0919-4934-9D5B-619C719D0202}\ = "腐꾸\U000f8f4cꩡ戨ꉲ뫱垞ᴎ䘯汥䥻ꆃ笩噓\ue362瀸⦦寈鶁\uea62硦" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CapturePicker_10.0.19580.1000_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppX3g7kd1zg4a65n0t2ds4j7hffbf62pp9n = "檎㮫毤恔舁嚌\U00035984\u0c8d屌\uf32b너" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{267DB0B3-55E3-4902-949B-DF8F5CEC0191}\ = "㨁뿌㚿⠢䂮\uf507\uec86ෝ䚖沁⚋峥쾬ꕗ䗨" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command\ = "\ue8e4\u1cfc㢽䴘癆蒋ꗢᇴટ「ј벬\ue027툫\ue4ae\u1716䭸\uf71cŃ\u0e3c爸\uf7cf" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pwz\ = "慺賢\uf738瘯\U000fd86aᲪ肵堊ﴗต嘛\U000bcc7c䑄擹⪨" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15fc1bac-8d83-4e87-8cc2-a70c9f66f943}\InProcServer32\ = "悧瑲釱㠬敷鬱⸠碝螯耩轥" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B1599F9-E00A-4BBF-AD3E-B3F99FA87779}\InProcServer32\ = "䪌퍬禜姂癃ﵻ闘鈠䈯狸껉㾪\ue4b3㝖㐰⾔楔릵ၪ㔛" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}\InProcServer32\ = "푽ᆭ庑┸턠鐼\uf38f騷䌖셑搇ଖ핫놬㗨栻諦绷ᰢ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4456C5C3-DC01-4FF3-AF4E-06F4EBCC3B09}\InProcServer32\ = "\u0c71錢䏒፵ⷿ◈❎䋫\u1759熝곳\ue2ac\uf4e2⑩\uf87c醾솯\ufae0ή較먦䕫\ue068" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ogx\Content Type = "Ꚕ줶従ጕꌮ◺䰨\uea3c嫭㹉" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationName = "爩\ue60d䃲퀊ᘊ㪧⅖䬸玦䇇㰛\ued19⟞\ueebb疓䯞\ue412룣忀\u0acf\ue7e0륏쉸\uf0c4" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AccountsControl_10.0.22000.1_neutral__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPrefetcher.Internal.Con = "堌缳紨ᄃࠆ稇튚ᤈ꺸ᴚ羪" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EF76D68-8661-4843-8B8F-C37163D8C9CE}\ = "솛誨땹\ue78e훿\U000af889ꭧ㣧\uf7d3\uef62\uf1c4누钳鏚慢ݔ\U000c9f47獰趵䦛" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4564b25e-30cd-4787-82ba-39e73a750b14}\ShellFolder\RestrictedAttributes = "嘻簓ō\ue6d4菿뿈빜⇅ᾏ輾痨\U0010f358⡘䔱沬Ų⮔顁㎜㎚觕" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{362cc086-4d81-4824-bbb5-666d34b3197d}\AppIDFlags = "\uf2f3쁲⤸ꣀ홄杯兞\U0003f4c8袅渧嫫煱漫瘹Ֆ휘ᔓ똪\U00071e42ܜ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837532-098B-11D8-9414-505054503030}\AppID = "ᄂ럙ᣍ䑤뮏왓⸳ࠁ㸢晥ᙏ搑" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.22000.71_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXgxgm8gs8b9vsjsd9gvhmn = "\uf11d䏯ꎿ뿇꺹\u2fea탧⸐黁\U000b22e3䁬稓ꕃ䐆吝" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\VersionIndependentProgID\ = "ꈜ\ue260\U0004ba99笯ǟ蘧\U0008f630謥딏\u3097샰롶뿈뫏果弨䚫孕╀蔅" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CERFile\shell\open\command\ = "哀ᮔꊔ쵖션⼑㥛떟훃\uf2e5特镃" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837521-098B-11D8-9414-505054503030}\LocalServer32\ = "ꮏ\ue130ꓨ倊髡軇擤\U0007d84d샮ꃏ嵍뀈\ue447\ue0ac⎣嬑̭" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfe = "땣ಘ\U000abe3c羪뫴塀剃뱀\ue126㵕⨽ᅂ\uf7d2皺䵑\uf091\uf08a웍އိ꽩ꘀᆧ" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BA783C1-2A30-4ad3-B928-A9A46C604C28}\InProcServer32\ThreadingModel = "隵꠆꠰烖꯹焁\uee05襨鞲泣笲ꧼ\U00082036ᢖᖶ邅嵝鬛⨪\u0efbꉿ\ue298見" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\ActivatableClassId\App.AppX46rqe0eha6ypqrxvfyqqtwydysxtw8tt.mca\CustomProperties\C = "瓤⥓ἧ鸕詒嬅\u0984仦\ue539쎟ᦪꙊ穡ほ\u0e61쨲哴臹禸ꉽᕰᅝ鯐" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal. = "䷳ꭊꦴ슲\ue33e溣㧌죞᫈ᐴ靚鑢\ue0cb" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A614B00-FB18-46F3-950E-682A46A48B9F}\InProcServer32\ThreadingModel = "☧テ七å笅⼯追៘ᔈ쓿凗㕆鷲짿媜\ue3dc襘ᐳ涋틺涷䉕" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\3\Position = "栎㾶\U001074fc卒\uf508ᆽ熿뿺魖飘\uf791" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXpwc46qrmp0f8q5ysxk6ngj8d32yk22kz\Shell\open\PackageId = "듬㮓靛䓎়禊㢜㉠\uf740\uf045ꤾ몎禞霁䆫퉩苌蒏\U0005afa4\u0e7b킗\ue0a1" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20E6D937-F6A7-4C7F-8E69-7E0AF81795FB}\ = "줻䶷諗ู钙䳇닯ⷔꋯ螏\ue864䄕\ue533鬙鶰뺦嚀㉈⠹ᛏᯭᴻ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\microsoft.windows.immersivecontrolpanel = "㾜ࡪ袢谧\uebf1蹖\U000b4084\u0b00ࠐ" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "ᑐ匴즯㵟鵲淕ꉾ켥欒檖\ue2a0筹ப◓" Thorium.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08d5bfbf-fbca-4322-9f70-ca9f66f8ed6a}\InProcServer32\ = "\U000f5fa9뙉ᘎꮎ轍핈茋ꉐ㞸땡뜌썂麅䨖藓㎭抣伦㭼伉" Thorium.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "篵칝\u2fe5礬\uee81볢ᆲ觥䑏槞悊曱\ue67b߫ꤜ쓗춞" Thorium.exe
Reading these entries: the values are shown as the sandbox decoded them, REG_SZ data that comes out as runs of CJK, Hangul, private-use and unassigned UTF-16 code units (the ones the report cannot render appear as \u / \U escapes). The keys are ones that already exist on a stock Windows install: COM CLSIDs, AppIDs and interfaces, file-type associations (.rtf, .mht, .ppsx, .mpv2, .vtx, .pwz, .ogx), AppUserModelIds and AppX activation contracts. The sample is therefore overwriting existing registrations with junk rather than registering anything of its own, which means recovery is restoring the affected keys from a known-good baseline, not deleting them. The listing stops at the signature's 64-entry cap.
-
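An added example, not part of the sandbox report: a small Python triage script for a listing like the one above. It parses the report's `Set value (str) <key> = "<value>" <process>` rows, decodes the \u / \U escapes the report uses for code points it cannot render, and scores each value for junk. Any private-use, unassigned, surrogate or control code point is the hard signal; a value with under half printable ASCII is a soft one (localized display names are non-ASCII but use assigned code points, so tune that threshold against your own clean baseline). The sample rows are constructed to resemble the listing, not copied from it; the CLSIDs, the SID and the regsvr32.exe control entry are hypothetical.

```python
import re
import unicodedata
from collections import Counter

# Constructed sample rows in the report's "Set value (str) <key> = "<value>" <process>" layout.
# They imitate the listing above but are not copied from it; the last row is a control written
# by a different process with an ordinary value. Some junk code points are given as literal
# \uXXXX / \UXXXXXXXX escapes, exactly as the report prints unrenderable characters.
SAMPLE = (
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID'
    '\\{00000000-0000-0000-0000-000000000001}\\InProcServer32\\ThreadingModel'
    ' = "\u96b5\u8f7d\u6d23\u70d6\\uee05\u897a" Thorium.exe '
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.ppsx\\Content Type'
    ' = "\u5b54\u5f43\u3f4b\\uefee\\uf7e9\\U0005a29a\\U000b0bde" Thorium.exe '
    'Set value (str) \\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes'
    '\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Moniker'
    ' = "\u7206\u302d\ub7fe\u2137\u827b\u66cd" Thorium.exe '
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID'
    '\\{00000000-0000-0000-0000-000000000002}\\InProcServer32\\ThreadingModel'
    ' = "Apartment" regsvr32.exe'
)

# One row: key path (may contain spaces, so match lazily up to ' = "'), quoted value, process name.
ENTRY_RE = re.compile(r'Set value \(str\) (?P<key>\\REGISTRY\\.*?) = "(?P<val>[^"]*)" (?P<proc>\S+)')
# Escapes as the report prints them. A real path such as C:\Users would not match (no hex digits follow).
ESC_RE = re.compile(r'\\U([0-9A-Fa-f]{8})|\\u([0-9A-Fa-f]{4})')
# Private use, unassigned, surrogate, control: never legitimate in a registration string.
JUNK_CATEGORIES = {"Co", "Cn", "Cs", "Cc"}


def decode_report_escapes(text: str) -> str:
    """Turn the report's literal \\uXXXX / \\UXXXXXXXX escapes back into code points."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def score_value(raw: str) -> dict:
    """Score one registry string: count of invalid code points and share of printable ASCII."""
    value = decode_report_escapes(raw)
    if not value:
        return {"length": 0, "ascii_ratio": 1.0, "junk_codepoints": 0, "junk": False}
    ascii_printable = sum(0x20 <= ord(c) < 0x7F for c in value)
    junk_cps = sum(unicodedata.category(c) in JUNK_CATEGORIES for c in value)
    ratio = ascii_printable / len(value)
    return {"length": len(value), "ascii_ratio": round(ratio, 3),
            "junk_codepoints": junk_cps, "junk": junk_cps > 0 or ratio < 0.5}


def parse_entries(text: str) -> list:
    """Parse every 'Set value (str)' row in a report listing into a scored record."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        key = m.group("key")
        parts = key.split("\\")  # ['', 'REGISTRY', 'MACHINE' or 'USER', ...]
        entries.append({"key": key, "hive": parts[2], "process": m.group("proc"),
                        **score_value(m.group("val"))})
    return entries


def summarize(entries: list) -> dict:
    """Counts a triager wants first: how much is junk, which hive, which process wrote it."""
    junk = [e for e in entries if e["junk"]]
    return {
        "total": len(entries),
        "junk": len(junk),
        "junk_by_hive": dict(Counter(e["hive"] for e in junk)),
        "junk_by_process": dict(Counter(e["process"] for e in junk)),
        "junk_with_invalid_codepoints": sum(e["junk_codepoints"] > 0 for e in junk),
    }


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for e in found:
        print(f'{"JUNK" if e["junk"] else "ok  "} invalid={e["junk_codepoints"]} '
              f'ascii={e["ascii_ratio"]} {e["process"]} {e["key"]}')
    print(summarize(found))
```

Run it over the full text of a report's "Modifies registry class" section and the `junk_by_hive` and `junk_by_process` counts separate a sample that sprays junk into HKLM and HKU (as this one does) from an installer that writes a few real CLSID registrations.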
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process          consecutive entries
3516  Thorium.exe      2
744   Thorium.exe      2
1196  powershell.exe   4
744   Thorium.exe      2
3652  powershell.exe   4
744   Thorium.exe      2
5080  powershell.exe   4
744   Thorium.exe      2
2100  powershell.exe   4
744   Thorium.exe      2
2572  powershell.exe   4
744   Thorium.exe      2
1536  powershell.exe   4
744   Thorium.exe      2
5144  powershell.exe   4
744   Thorium.exe      2
2496  powershell.exe   4
744   Thorium.exe      2
4784  powershell.exe   4
744   Thorium.exe      2
4064  powershell.exe   4
744   Thorium.exe      2
The listing stops at the signature's 64-entry cap; the later powershell.exe instances in the process tree below are not shown here.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                    pid   Process
Token: SeTcbPrivilege          3516  Thorium.exe
Token: SeDebugPrivilege        3516  Thorium.exe
Token: SeTcbPrivilege          3516  Thorium.exe
Token: SeImpersonatePrivilege  3516  Thorium.exe
Token: SeDebugPrivilege, one request from each powershell.exe instance, in order of appearance (60 entries): 1196, 3652, 5080, 2100, 2572, 1536, 5144, 2496, 4784, 4064, 3840, 2744, 5312, 5580, 2368, 4252, 4604, 2652, 5100, 4752, 3048, 2100, 1472, 3380, 684, 1960, 3284, 3300, 608, 1376, 5312, 3940, 4056, 5532, 3280, 4164, 4800, 5060, 636, 5952, 1556, 2172, 248, 824, 5504, 1124, 4724, 5916, 2616, 1888, 1836, 3456, 4932, 8, 5548, 2916, 2572, 4084, 2208, 228
Reading these entries: the signature records the privilege named in each AdjustTokenPrivileges call, not whether the call succeeded. SeTcbPrivilege is not held by an administrator's token on a default install, so both requests for it from PID 3516 fail with ERROR_NOT_ALL_ASSIGNED unless the sample was already running as SYSTEM; SeDebugPrivilege and SeImpersonatePrivilege are present in an elevated administrator token and can be enabled. The SeDebugPrivilege request appears once for every powershell.exe instance in the tree, including those that only ran Get-Process, so it is consistent with powershell.exe's own start-up rather than with anything specific to the sample's command. PIDs 2100, 2572 and 5312 each appear twice because Windows reused them after the earlier instances exited, not because one process requested the privilege twice.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4280 wmplayer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
writer pid  writer Process  wrote to memory of (pid)  procid_target  consecutive entries
744         Thorium.exe     5636                      80             3
5636        cmd.exe         1196                      82             3
744         Thorium.exe     6072                      83             3
6072        cmd.exe         3652                      85             3
744         Thorium.exe     4924                      86             3
4924        cmd.exe         5080                      88             3
744         Thorium.exe     4624                      89             3
4624        cmd.exe         2100                      91             3
744         Thorium.exe     5824                      92             3
5824        cmd.exe         2572                      94             3
744         Thorium.exe     3520                      95             3
3520        cmd.exe         1536                      97             3
744         Thorium.exe     4520                      98             3
4520        cmd.exe         5144                      100            3
744         Thorium.exe     5920                      101            3
5920        cmd.exe         2496                      103            3
744         Thorium.exe     240                       104            3
240         cmd.exe         4784                      106            3
744         Thorium.exe     5928                      107            3
5928        cmd.exe         4064                      109            3
744         Thorium.exe     3164                      110            3
3164        cmd.exe         3840                      112            1
Reading these entries: each parent writes three times into each child immediately after creating it, and the targets are exactly the children in the process tree (744 into every cmd.exe, every cmd.exe into its powershell.exe). That is the write pattern process creation itself produces while the parent sets up the new process, not injection into an unrelated process. procid_target is the report's own sequential process index (small numbers increasing in creation order), not a Windows PID; the PID of the target is the "wrote to memory of" value. The listing stops at the signature's 64-entry cap; the tree shows the same pattern continuing.
-
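An added example, not from the report: detection logic for the cmd.exe / powershell.exe chains in the listing above and in the process tree that follows. It takes process events (PID, parent PID, image, command line) of the kind Sysmon event 1 or an EDR emits, flags PowerShell children whose command line queries a specific PID, checks whether that PID is one of the child's own ancestors, reports whether cmd.exe consumed the pipe before PowerShell ever saw it, and counts parents that spawn the same command line over and over. The event list is constructed to mirror the report's two Thorium.exe instances and its first five pairs (same PIDs and command lines); it is hypothetical sample data, not a parse of the report.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the report's tree (PIDs and command lines as shown there).
# Hypothetical sample data for this example, not parsed from the report text.
CMD_LINE = (r"C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516"
            r" | Select-Object -ExpandProperty Path")
EVENTS = [
    Proc(3516, 0, r"C:\Users\Admin\AppData\Local\Temp\Thorium.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"'),
    Proc(744, 3516, r"C:\Users\Admin\AppData\Local\Temp\Thorium.exe",
         r"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"),
]
for cmd_pid, ps_pid in [(5636, 1196), (6072, 3652), (4924, 5080), (4624, 2100), (5824, 2572)]:
    EVENTS.append(Proc(cmd_pid, 744, r"C:\Windows\SysWOW64\cmd.exe", CMD_LINE))
    EVENTS.append(Proc(ps_pid, cmd_pid,
                       r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                       "powershell.exe Get-Process -Id 3516"))

CMD_PAYLOAD_RE = re.compile(r'cmd\.exe"?\s+/[ck]\s+(.*)$', re.IGNORECASE)
GET_PROCESS_RE = re.compile(r"Get-Process\s+-Id\s+(\d+)", re.IGNORECASE)


def cmd_payload(cmdline: str):
    """Text after 'cmd.exe /c' (or '/k'), or None when this is not a cmd /c invocation."""
    m = CMD_PAYLOAD_RE.search(cmdline)
    return m.group(1).strip() if m else None


def pipe_consumed_by_cmd(cmd: Proc, child: Proc) -> bool:
    """True when cmd.exe split its payload at an unquoted '|' and the child received only the
    left-hand side; the right-hand side then ran (or failed) in cmd.exe, not in the child."""
    payload = cmd_payload(cmd.cmdline)
    if payload is None or "|" not in payload:
        return False
    left = payload.split("|", 1)[0].strip()
    return child.cmdline.strip() == left


def ancestors(by_pid: dict, pid: int) -> list:
    """PIDs from the parent upward, stopping at the first parent missing from the event set."""
    chain = []
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
        chain.append(pid)
    return chain


def process_probes(events) -> list:
    """PowerShell children that query one PID: is that PID their own ancestor, and did the
    intended pipeline survive the trip through cmd.exe?"""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        if not p.image.lower().endswith("powershell.exe"):
            continue
        m = GET_PROCESS_RE.search(p.cmdline)
        if not m:
            continue
        target = int(m.group(1))
        parent = by_pid.get(p.ppid)
        findings.append({
            "pid": p.pid,
            "target_pid": target,
            "target_image": by_pid[target].image if target in by_pid else None,
            "target_is_ancestor": target in ancestors(by_pid, p.pid),
            "pipe_consumed_by_cmd": parent is not None and pipe_consumed_by_cmd(parent, p),
        })
    return findings


def spawn_loops(events, min_count: int = 3) -> dict:
    """Parents that launch the same image with the same command line at least min_count times."""
    counts = Counter((p.ppid, p.image.lower(), p.cmdline) for p in events)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for finding in process_probes(EVENTS):
        print(finding)
    for (ppid, image, _), n in spawn_loops(EVENTS).items():
        print(f"PID {ppid} spawned {image} {n} times with an identical command line")
```

The `pipe_consumed_by_cmd` check is the caveat for anyone reproducing the sample's command: `cmd.exe /c a | b` pipes inside cmd, so `Select-Object` never runs in PowerShell; getting the path would have required `powershell.exe -Command "Get-Process -Id 3516 | Select-Object -ExpandProperty Path"` or an escaped `^|`. On real telemetry the same functions apply unchanged to the ProcessId, ParentProcessId, Image and CommandLine fields.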
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\Thorium.exe, PID 3516
Command line: "C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Depth 2: C:\Users\Admin\AppData\Local\Temp\Thorium.exe, PID 744 (launched by 3516; this second instance carries the sample's behavior)
Command line: C:\Users\Admin\AppData\Local\Temp\Thorium.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks BIOS information in registry
- Checks computer location settings
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Control Panel
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3 and 4: PID 744 launches the same cmd.exe / powershell.exe pair over and over. Every pair in the report has identical images and command lines:
cmd.exe (depth 3, child of 744): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path
powershell.exe (depth 4, child of that cmd.exe): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe Get-Process -Id 3516

Two things to read from those command lines. First, the pipe belongs to cmd.exe, not to PowerShell: cmd.exe splits an unquoted "|" itself, so powershell.exe received only "Get-Process -Id 3516" (exactly what the child's command line shows) and cmd.exe attempted to run "Select-Object" as a separate program, which does not exist and fails. The "-ExpandProperty Path" step, which would have printed the path of PID 3516 (the first Thorium.exe instance and PID 744's parent), therefore never ran. Second, the sample asked for C:\Windows\system32\cmd.exe but the sandbox recorded C:\Windows\SysWOW64\cmd.exe: that is file system redirection for a 32-bit process, consistent with the WOW6432Node registry writes above.

Signature abbreviations used in the rows:
LANG  = System Location Discovery: System Language Discovery
WPM   = Suspicious use of WriteProcessMemory
ENUM  = Suspicious behavior: EnumeratesProcesses
PRIV  = Suspicious use of AdjustPrivilegeToken
HKU   = Modifies data under HKEY_USERS
SYS32 = Drops file in System32 directory

cmd.exe PID   cmd.exe signatures   powershell.exe PID   powershell.exe signatures
5636          LANG, WPM            1196                 ENUM, PRIV
6072          LANG, WPM            3652                 HKU, ENUM, PRIV
4924          WPM                  5080                 SYS32, ENUM, PRIV
4624          WPM                  2100                 LANG, HKU, ENUM, PRIV
5824          LANG, WPM            2572                 SYS32, ENUM, PRIV
3520          WPM                  1536                 LANG, HKU, ENUM, PRIV
4520          WPM                  5144                 SYS32, ENUM, PRIV
5920          WPM                  2496                 SYS32, ENUM, PRIV
240           WPM                  4784                 SYS32, HKU, ENUM, PRIV
5928          WPM                  4064                 SYS32, ENUM, PRIV
3164          WPM                  3840                 SYS32, HKU, PRIV
5348          LANG                 2744                 SYS32, PRIV
1240          LANG                 5312                 PRIV
2168          LANG                 5580                 SYS32, PRIV
3120          LANG                 2368                 SYS32, PRIV
4940          LANG                 4252                 SYS32, PRIV
1664          (none)               4604                 PRIV
1068          (none)               2652                 SYS32, HKU, PRIV
3464          LANG                 5100                 PRIV
4516          (none)               4752                 SYS32, LANG, PRIV
2324          LANG                 3048                 PRIV
6116          (none)               2100                 SYS32, PRIV
4016          (none)               1472                 SYS32, PRIV
4760          LANG                 3380                 SYS32, LANG, PRIV
5536          (none)               684                  SYS32, LANG, HKU, PRIV
1460          (none)               1960                 SYS32, LANG, PRIV
3508          LANG                 3284                 LANG, PRIV
3484          (none)               3300                 PRIV
3840          (none)               608                  SYS32, LANG, PRIV
1592          LANG                 1376                 PRIV
1292          (none)               5312                 SYS32, PRIV
3476          (none)               3940                 LANG, HKU, PRIV
5680          (none)               4056                 SYS32, PRIV
4308          LANG                 5532                 SYS32, PRIV
4776          (none)               3280                 SYS32, HKU, PRIV
4384          LANG                 4164                 SYS32, PRIV
3260          (none)               4800                 SYS32, PRIV
5048          LANG                 5060                 SYS32, PRIV
532           (none)               636                  PRIV
716           LANG                 5952                 PRIV
4796          LANG                 1556                 SYS32, LANG, PRIV
2128          LANG                 2172                 SYS32, PRIV
476           LANG                 248                  LANG, HKU, PRIV
124           LANG                 (not shown)          the report is truncated at this entry
PIDs that recur in the table (2100, 5312 among the powershell.exe children, 3840 first as a powershell.exe child and later as a cmd.exe) are reused by Windows after the earlier process exited; each row is a distinct process.
-
- Suspicious use of AdjustPrivilegeToken
PID:824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2288
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2980
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3336
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1840
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3768
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5744
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5112
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4884
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Suspicious use of AdjustPrivilegeToken
PID:8
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4892
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2724
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2776
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1080
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1496
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:1960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3316
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:3328
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1152
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:6044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5808
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:1056
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3296
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3404
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5428
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:3880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2368
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:1208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1488
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5592
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4552
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3060
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:4228 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4044
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4304
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:3828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5932 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:2796
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4456
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:1384
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3708
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:2236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2172
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2588
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:5016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1492
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4004
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:5376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:1116
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:4964
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3420
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:3016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
PID:3940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4972
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3932
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4920
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2448
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵PID:3304
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3756
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5600
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Modifies data under HKEY_USERS
PID:2620
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4140
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2376
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:5016
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:1868
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:4332
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:2256
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:2864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1116
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Modifies data under HKEY_USERS
PID:5740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵
- System Location Discovery: System Language Discovery
PID:5916 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4092
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:2116
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2720
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:1836
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path3⤵PID:3064
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Process -Id 35164⤵
- Drops file in System32 directory
PID:4548
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 8883⤵
- Program crash
PID:936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$1⤵PID:1900
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 燸ᯌؐヱ⋆蔬㉌饵䟑䁠턏錇₭療瞞䔤줚ᙕ剫倅맪1⤵PID:2304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 넺ᖡ㣖ꞻ妝㏥ࣺ留狮鵟泹㯼험僾ꓕ븯㳱骽1⤵PID:4716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c בֿ䨉芩蒊閥┡㝉靓۬1⤵PID:5872
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ⼬㪕䢙륝蕉硫ᶄ뻚ﶻ䷫⎍땅枉ᭇ䄈ꢜ1⤵PID:4276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 픅ﴀ东桟㣃遾ꤊ謫1⤵PID:3304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 744 -ip 7441⤵PID:5892
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4280
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:5564
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:2380
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:3136
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UnlockDeny.pot"1⤵PID:1908
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: e080d58e6387c9fd87434a502e1a902e
SHA1: ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA256: 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA512: 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 4a6370ed9ad234bbcc75d623067d8a36
SHA1: 7ac1092cfc1fd21bb7c64b39e95591991961ae5d
SHA256: 2cd613b6f1fb577a5715600fb7d3a7f94ebc9592b07ae0c098f0292deb967fb8
SHA512: 01f5dc712a4aae19a91aa11ac11e77b9a2ceb43bd4c7a6c2ce6b30eb2f26e7b1aa1e8ff78ce6e47f0e507fcbe964d4f5e35cb096e0552c9d973856a3269b8a05
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 56e693d1c637a073283ba4b66d7ee3a2
SHA1: 5e94d586c7fbc49dc5868a5f5945e0d7fd7a1648
SHA256: e3fa8a92ccf173cda53d8f61e7404dcdafe2136e83ec8ec1eba927fb72c4dd73
SHA512: cfe3d1eb8ba3909f2fab0cb9375509790498c26143c3f6e3a010062856be0c4246ff3cdbe4edf694a927badf56187c8338318aab2491f02d2fce033bd5e1468c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 81b38baaf135b8424441ac76b7f19d7b
SHA1: a117fac7d7787c0bfce3c219c98c81e89619c6a2
SHA256: ae7f3a05b4b1deac8d7eae7587105ad8be9b7e619c59c1559bae6a0498e88798
SHA512: 8f9383bc877f5aa26aa37c221cdf6dc5ac74fcb85413e19eb3ed6046e993b45cd3c4f00b8640db0d612682a286e5151cf8f9aae68f2e558e9c47d48e0646827e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 9ea976a540393399ca4e9a8a368af019
SHA1: f4538873b03d9ca6a6bca24b5222b4049ee95bdd
SHA256: 4fcfecea38d68038d5a122545159480ab2fd639af786bf4e60640d36e8fe83c5
SHA512: d530790fc60427dacd4f10f0b8172dd66253d7075b4463711f375221a1b5ffab2a34b21a7200ca211c9a62bef09a015b05a30832a5ef6c6806ca8ac0bc71fcce
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: e5d5f6f4934760dd2e1282d166e45ac0
SHA1: 71d5debc4c036fcf54f5aae2bb62b6dd2fd41cb6
SHA256: 936fcb6ce398b005b9a3c5047e7643215800f6e9244c31ecce9e47a2a0ea1067
SHA512: 29e1664f2625672a964990e8c080b5484195a8bafda438c97081da6f9cb3d454a3d18aec26e69f4b21000105de62c41d428d4cda2fe2d9dad13d0429a72ce2eb
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 141d06dc422c12435a4c0291c3bc637b
SHA1: 322c89e59b8dbfa3486a39a03fe3f3b5421619cb
SHA256: c5070cf65d71d0e93934b0b65660dc957ac051f195de782e386dd6d232a81830
SHA512: 041f6a0506dd2cecc94756ec450a43d10da4e9ea725587aed0afe9acd0d2181c9e46e754b1230f5670beee1b3ffdbaf0384ab6f07b7561edcab42c3595b4cf37
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: c723819743dccf3d7c5f406b24b64511
SHA1: 3ef92efac549a3a1607c26cc51e5cf1f559272ed
SHA256: d310ebff3a65dcfac4978d403d0627de379a90ae6a1dea8a50e7ef74c174d22d
SHA512: d33dc1d92f65894962708efcdc0b9e66916e4cedbb9477286624c1aa00a77a1df66202252d9ac6c3454fd0a3320af0b2f2432eed2ac6905ef83bdef2f5193008
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: d4cac4c47fd5355ae356d48ab13b5463
SHA1: be75f80672e76cd63b9dac1981a7d18b5435446c
SHA256: 0b5c567bcca2c68e1c8f842afb5a13b1b46e1edb154a29f1de1d41492fed1ef7
SHA512: 5c04a6af61fdee12a252bb631ad52cc8c102531cd427f5a7382c6bb422e90741b8f10a19ecf61f0b0fbcb408c7e891d5a464d09630dd3447dc6b273cf1ebef45
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 3fe941a7c748a56bcdcbb194b188f7a1
SHA1: 632ea42ed2eb2534170365ff96c527ac68ebe4f2
SHA256: 7e8352d5487c43a8f2994f9f46fb2ad48d469c5e7fc698423901c1e451732047
SHA512: f62528741327beda0310849dae2912519a4825169bb3cf646518199c58ff42f76cf0c081f35dee4dcd2155244f5be19342e8d8e9793ae5e79a05e937a307afda
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: e0bb7f8662a7cb88a3988ec6a414d816
SHA1: 0db805b67154a632737d9ee61d936495fc5613ab
SHA256: bd1b34802c1cc03d736577b5aadc5cf752a9ddce585a2cc988e3056114fed1c9
SHA512: a35241ce1bb0c58c6b8f364e6fd589649fb47f58ad051c1b45593ef844043e392984342db3756edb1fa75460102ecb8fad464218dd1e29039602f62f2cf93297
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 73dbafed94e570fae6bd84730398f1ed
SHA1: dfc98ef52d077eef880887f896aadc8e61bae235
SHA256: a9a8b94445bedfbde8d671a9f4aa063c3b7929b69a38c8409a7586458ffc6504
SHA512: 27651a79529f544f0b591a2ad7d8b29a67d3214bcc47dc94532bc1ce2e0a598c641212834ed73ea42a2789a2b352b78336abc2ddb14310972df2e15fff0f9a85
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: c00423ee67fcd19de052f56fd09ab4ac
SHA1: 082583a0d634e18e8bf188968de799e84e64cdd7
SHA256: e198bf82fa002454cc929cf89096c42427b315081f6215d2e1474451b82fc4c1
SHA512: d06f78c57109c8fdfa8465bf5fbe8ad9d42bbde0b2c2094afb754b77d2bfeb196933171cd73872df18cb1e1a3cb3afbf08b61fe716dfaa798f16c294e541b32d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: c5f0638370ad5544a8800afbbe4fa8f1
SHA1: dd6f683b3c51cb012769cc5b55ee142bdf8afbe0
SHA256: 58138274c51635675a9819844c62733226181e544f74740958f515bb1c79f6b5
SHA512: c11e6870734ca94d6df3d3bfaf7a1ffc7d63c784692fa8455fc951e5a1e512b54fb816259612f4a69f3b9c2bf1b1e31a1eb29aaad9ca7565d78b47ce71abf0b6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 22012c8e1d894510f79ffef652bc1733
SHA1: 7d30a59413eeda9f6b86915e4a2fbe3b5e68a8b5
SHA256: 6d5b967590d24803dc7bc4c040699d26837a2107131a011c7d5362ae0e4f140f
SHA512: a30d4f6ac186109acf2239aa358a8f3a3daa426e9a4a69e0399f56dd4a423f1d309eab23c8f66cc337f8592ee855931a467b625b016a2eae52d47ad3a1444226
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 1e2f7afef09b9384d9e9b27fdbaf35ff
SHA1: baa75df90ba2a1fb2a1ed14264aed971fd532151
SHA256: 8256e75bfc37294a8ed8379bc6f333be14b947e84437a0f15b35f34a5fe51461
SHA512: 23bc33b9eab89f91bff75b6277b9c122cd98fa8eabe907c62db9e323c9324a505335b8d3a5214b32c93c2e399da67ab9233caabf293a27385d32b83d1c23389d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 4f3a176be1b592c128eb2f1d3f8c9f43
SHA1: b458ec990a1c35514437e78f9ed49544f171d913
SHA256: 155f474164e041235933205211482c59c6ea8ae5264568f6ac9368f02c770f28
SHA512: 399b640793d8dccb8c55280d6a2c95614c5ee61bdcf111bd29cef8b4000833681077704915b5b9faa8adf12b7e258a6df6e5db356b132f12ecfabf0786cf0615
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 8f3de175a38450e013f17a0a5d7c0422
SHA1: 295620796ad8d5d6f94c2958e09522d685384f97
SHA256: 4b1837ee4d341a1d86f56c5591838647dbd43191e75b8025b56a13c4c6596e49
SHA512: b67183225ef5390f56c045f101e2fc54216168e442cd679336b0367ab55fe1505e2d485ce0cc5b396c920dba17375a9d86217a85855f7b3eef314c554ef953da
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 8fd705b5c6a21854feaba88c2925f3b9
SHA1: 5058ca5fcd9a6413cf8d6c554498a94fd567b724
SHA256: 9ba395b6d05e1306cc15d05acc15d295ab2a23204d59f409e4b9ba5f0994a347
SHA512: 80d14aa1e1227379b1805e9b27971e920d05e5a3a8ea58fc22541fa2d73c8aa565b7d213ad85d8eef7fb8b5b39fcef521d5459e6575284ef8361ec00c665676c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: fe7ec7fca8f1d8559155e602bfa39663
SHA1: fa68447eda37f2d9b5450c9b6b9f96cb7efbc671
SHA256: 1f5b5a796d4f222bc4ca5d65ddf94792b0ee5ac6eb2e9ba2f26b08968eaa92aa
SHA512: 8c2faa176a0c80da24b1bd6124744837fcdbdf1b4b5c900fd97f3b8e82d774154a1731e66054d097cefc7fe9141bcbaedaad0153f8dd08f36ab0a5050c90e817
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 2390f1fc9b36b94c66342a89ea115328
SHA1: e8d14ed5db93434f41e9e94f18008ea1a3d6acf2
SHA256: 1471403a32b49466e63c1dd65c5c40d2b9fb110d38458d259bf9ee7b8dcccd0b
SHA512: 5d08dbfe9c5ce63dd3a84f9d6e251f158b03211157a90d76ad3992743fae5f601e489e4909c3a6f0bfb7398b219f4ad678fdd4ede80dffdc7f63a542e820b4c3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 29a047c1cd7685a658c33ceff2c4725d
SHA1: 16310a9fb3defa8c263940ce4921d92e9c56ac45
SHA256: 53187e713a19ab51e529d6963939970774284a76b4b882f316c1005f1eba385d
SHA512: bd659e92d85bbb270d1a6772e984de735e0ab9cd96caf0d2f387c22c7adaace2667aa8edf5125d3c3cc2900ffea536db32de50ed2c59f7ff5ef7408a2a7cc94b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: aea07e71a659006b0c5471affe365e84
SHA1: f429b326b08e582c5a2d2d15d50ab732a5272358
SHA256: b7feb4c2fafe86f14e7a09a7f46065aca051011fefae72f5b4935b9491643752
SHA512: 1917fc1f9213cd8c881e4c0c82f893df5de6c47ab50cc39909a7cf6dbba1df1632250e827423ce861b3b7e9f29de53b70262f65b10a7160b43da13c5e9a0cff0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: d1a0c624ef249bbd9ffe67edb9667080
SHA1: d2cc9d8b310530b1ade6d70030da5f895d97618c
SHA256: 74b6402bd6bbcab62b07e8f7cb715d2abbd3446914107ab918c23512122aa5c8
SHA512: 963586c34accfcfb5aae05d00ceba48387670da08f3cc24e885a747a761bb09a03f49a03bc1ec56db72ee0511e14a1315d3971c223b004585341ddfb59868371
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 8c1ea37922e2ed4a66fd7ef1c8e1aee5
SHA1: a3aee87d488f9980b103e6b8dfc563de9d6ad45c
SHA256: a2bcef1bf06836a2beec9c9475759d79fcfc8416f78cec6988fe4908d818ecf5
SHA512: 2dba370608edbd9acdeff7bfd375e49e017f24b16eec5fd8bebd0c859d66161395a8e26aa3f302c8e5e865aab7a8ab259df80b3833b763d48ae47f052d348244
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 992f08163c39a0c62580334a3bfca69f
SHA1: 80101ef22d4930e3c4c9ad69e59baa85d9d8d3e2
SHA256: 7f14f6e4372aa739121f5666ccf5ac8e71c181d067a883bc5ffe7c89ca0c522a
SHA512: 1fc532ddc944f88d99cb6035c25f77c43e92eb15dd6405cd94b2733f96b6f544d1b02a164037d93a5c1b7b448b3db88ad4b6c932312a4764c9a7a4b60dc0bee5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: d265e34c94e4210a539707ffce62b87d
SHA1: 5006489d4f66aa1cd40db7cc84c808c69cd874c5
SHA256: dc27960e7ebaca6a6b317e56165ac36e4b0baa11c9108b2f612e1b6e854f4395
SHA512: 3a087356a1f2d06c107a08a328b09c5e81a010c530b15ec4ec761827d409e4b499ffd9a422f4526b30dd5b5ea3ead0974f26bcaf16637c6f5712c81a5671224f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
MD5: 28fbc89aefc726a9e32dd116e6aa7363
SHA1: 0a8b63f5dd818c12292d7aa0816e557e46b9ce7d
SHA256: 30bf98b5b7e672c313d832b63779ba06a31c7673687c3e5764f06d52aa5db4f2
SHA512: cad70a4569b8e29d7c9efb5e6380015eeb66a79012242628717a8cb403aed41aee18aa86b74456a41c27d97e100b8b58e321c9eb45c3a8ca4ac0e52fbcacd304
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5fd054f7cc7cba1b01e7f22731ebfa6d3
SHA17d3e73af9c7c1cdaecefc618c5a0f62821f39558
SHA2561015b85e3663b167115509b60874b53c26b15eef6d289472e13004e42245af85
SHA5125896df3c47c56b756a6e26f24f23e9cd7a7fd30a895def7d7b05ced36aa34d466112665d2e33988b5455aedc32d1f86782dcb107978ab48ee34116a8c8b087b4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD51c5f2c4a98999351187bb0dc2960adff
SHA184f320aaff7d24221e0986e99d15b271f4048563
SHA256880a3a0166770f5624343a5981ee6e9b4a578956a55d21d50702c05fbce69e65
SHA51261c7ffa38d5353c7681bc1a056941eeb1c4236616e25dfa5a603ce34f953d20918a174b1cc4e8ed87dc6e0a0ad3f75db55a61f62d3eb37e552e6d50339d408d4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5b69c4a4d420bbbff67b0252630a6956f
SHA1b8e8104c2febc63f48f3a926d84678550ae78ca6
SHA2563685d92aa52510c2f0ceb9e35e0b7a09eb0fbdeca8cd27be2505fd97563c71f8
SHA512fe0543afc67575e967b8a1e08aa08a35cb047643c33f0235b35d6437d421cff720a4dc5c823bb925f57570a28aa21b14ebb8d5c19afb7778d99c77fc86147f4f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD573d7c8736382c628fc9d896de64567c6
SHA14f4911d3afe5e9824783dd248249739408387ee6
SHA256d865161de22999e1e5e25ce0506a9511e44c2461eed361c61b20755e64cad37d
SHA512293f14d268ed57dc594452631216f9c15d2c890c8246a42a314b56a043350a19c8c084c98b703d4b8495d3bfd6ccda9534ae68c4edd7dac3975ab844d6d44c1a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD58d1bd5a03cc28f3fd5356163525ceea3
SHA112a4e6705ffac0721b562ae3104aff33e59c479d
SHA256eeb11ad30d54266aeb82d23e67ae0dcad7af0132457f5bb3730afc2516101ef3
SHA512b902a0dc87d05eb97d7a81f4df0a025fcc55700fb3404534c2d98798aa091ec1017fe2a268a43bab1056c9b979928f88ead1d0d1c7e5852b29baa3d3a0551dd2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5ae025fb8d42897493a10d3735a0b65c9
SHA1c84254401de091e731dc3e480d9e93e5feccdab2
SHA256510bc6d8ac78a8eefbf0ec2a9c754dacf8ceff534b1f3fbae9b48ade419a35a1
SHA51208d6185bdbe3b01f3f17ee3fdedc35cbdc3264629044275aeac644a1bd5e60a4ee7e83d758fe3bf42732b3e5d49ea6ede96bdb4e367646bcc9376178e285381b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d50c2d969ffbb94d48026eb2186604e0
SHA1fdf0c570a8043a87a658ded8b0909429baa38402
SHA256f1341151b51fd4df27e2a12ebfe7d2f5b4d03673a7bb2b31ea0aabfd13c308b0
SHA512b9c3505813b58750f028addfe9bd7b9ff3da9a13e027f81db48523b748c45157d925d40e5bfe2a8b13facd422fb8fa145657508361f509a2363fbdc729c0add3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD532cde18079a05b0fb32014293834299a
SHA1f39ce74de0f894ad9a906ccf39dac65118260b84
SHA256d310a7528b79628f5bcdadbebfd1dca527d972322c28f6a2da38d0cde7575453
SHA5126ed15658e32b61af52e69825e5967322bd8e0c62bfd7852cea1a98fcb629eaa974d58ddfa2a4703300feba50a6e000799d0caa82378a3584a3d1105f620d9895
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a50eda2028ac1d3fc35a12354dd75032
SHA19e7277958aba7fb13cd3530876991ad15d686670
SHA256a871fc0cb68f4d2a43c553a3d14c5f815d6c34b39ecbe314eee5bca86b64c3e0
SHA512aca19ab016660395b100aa7dac8501b6ae82980d374bef85c9eed67601dc42d7ed1a2dc2f19c36bff2f861447742de96755aef6cdb47667dacc94a09267089f3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5e51411a93c35c4e08ff4b6a684241afc
SHA104ecf36008caf028940cab9cfbff5a01b89bb406
SHA256f123cc9a3e5c4f5f66b8d655b85441f70aa26c6b0c4993b619a274a702bc7749
SHA51251ebe9e1eba7f7c8a1db502508367f746c748b24c271ac80ca62751f38c0069cdddb930c2463196e860ec9c810d6c869f5fb63233e51e32887fa7745e7952ff1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD54b675fcdfa0752b1067ab43d7657c4ae
SHA11d587f337fb73277c1a83815074e197fd0f48b06
SHA256b6fa1a9537b1c5dab324f1e8b33a53612554fee1db82912be2c91f84c53def81
SHA512d05a87bfbacd06a47987273e7af9afda5080b6e47cce72305e3aba2fd6a192b48190044f8800c0fc1bbe2c192b09bfc7711d467d75993549b317c04c78fb6382
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD509eae4ea65f3c962e46f428ca7bcf95e
SHA18054e233e9d73bc8a53746fb6f048ec9639431c0
SHA256994fe15cda38550370b4b458f15c5bf86c4c4f74b907bca3d37b16b81c1a582f
SHA5125889013392fc9c5ca396fffc309a59159d427faab240281edfc8705006a9fbbd7072620d637d18bc44b41daa60b765edacd4f330c5f0196a2fdeabcd8d9cef08
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5869a8b2be83749865ffbc6312cc6b025
SHA19ad7862f4b645c69eecae4c447a5a1cebb9930ac
SHA256aa6c500078b6b3908c691e6c09639e8f1a49898725fe183a0d69f1f715ded56d
SHA51220e9c590f6cf507d1ca82d64c7efe51be3f3bed1383496b380220fb1a89f9d6e123a9b164b7de9505a4b5965efdf3d1183e8948ff0ff3ee68aa6aeb9b37bec3e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD56ccdd9ed6d1f2c626baa0e4e6aa2ec22
SHA156de476e750aeae616d9f6a3f1f7bfc39e4e4982
SHA2562e05fd6136b4310d620265f374f271ca42b7bb5faedb5e438d638b02470a3a69
SHA512d84688d49b08f51724cfe4b0de16c20a4048aa710e8f37b0b5465d3d9d3025a86a7a1d8dfe289a6bd3a09c21bc5c3d7ed50adcfb120af7107e80029c19f42531
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5f141ff57d143b277c6e349fa78b2f3db
SHA1e1f59889af67bb03e5e71b14bf70f1f6655f077a
SHA25601362a756f18385acdb24a658704dc32b4feaff8fbdb26c52d874d4eba383c9b
SHA51271af0e02879a6edbf8d4e1eb9e51cb161e85b227d275c4dfc76aa41cdf9dd156e47187b75f96ccd368ca6258a9734839c2cd23e92da073a0621f8be1a521c72f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5925a30664e1875bd2cb7d0202f1ff574
SHA185af7651bb1f1e63718d7c069f20d6af8efab0aa
SHA2565598f48490a8a89d231f6e96a702431becdf2ae34de37c2471a8e784d26f465d
SHA512195f90f6e51c91be420d3476b203959d52942b45e82fcfe8015cf45e471e6ee942a29268e4b2f460a626a45277b9049efa0aac1fdd28cc5117458b714b6296d0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD59ccb89f5652631dc89129416dd9c1f86
SHA19962a840d86abf0dbaf9723e1006e1a959621ac9
SHA2560792be9dd6f84f6cc152bd031b91de6b8b9c1f3ceac4db918013b1431ec5d2bf
SHA512459f74638c9d94f27e8ec3e15f264838fff113ddf4fd9fa6852cb949f25635bbbd561f54151430e2e3928df7af30d76108abcb834ace9af3a14f8b877b69c406
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5c0144b495598470b7c4456364bc5b26f
SHA1736429b737ec1dcb8ee2d4499d539390dc668906
SHA256f7d62f7bca77d0c5d1d395c76ac95d8dba80773293f575667171b291cf820e8b
SHA512589d68c4c2b79976d7668d943d5ded71a25a71f11590e9b55f0236599daaa2048b2e58bf0eee7ce3ab13f16ff05f6406f563a74f68b108a04c69fd448ddcaa5e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD56c8e3dedc15a6ecae99b98a329a925ea
SHA173fa580d0f25fbb4515ef631f42a317d63dd1e1d
SHA256682128af8fcfa1fc3b0dc16c0c01f1c198efd261162813a432edfa441b8300bb
SHA512d911274952640feb95e85fce3dcc84d5367b35d35b2afd966ea032e50cbf71a2a13247db954cc0df1c6c26c20ae1340736f1c47048f06c19e3a5f81235906ecc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5e96d59faf87316675252330e1738a352
SHA19e3d8279b15cc744769a3dc72b27de24f4e89bbf
SHA25669b00a55e92b1c43dddcf300bcc60e1ebf934c0b15b5046e4033ccd9cd58e0fd
SHA51296dca95f8c456aad0faeaa7456fcd7d09ffe93610d0fedd0afc64e32d0f510258bd3ce2498c4c846a76a4778739680bf448e34d28888951af7ea0e91de5b5a15
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD503bf1b0882aff80a2b24a6ac8225520a
SHA1d5e286877131d0c4e62885ecfbd8491cdcd29fbf
SHA256e01d5397c8cb1ebf6415b2e97adabb8c48656616ba48f048c39931a71a19979b
SHA512dfcf40b33cf3f56a1338c153b29e5c24640edc333dce8adca3b723c8a7f1a4d3275dae93881b51bddcb8f0ced358961783bd10fabad0e13d0dff738b247ae163
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d0126d56b9693a1d82c8bcd2c6812426
SHA1dc7f4717a53fc08423a8a9b07aad5df32be564f7
SHA25639e95dfa569ff1467c4bfae79f589e203e3965b7f0cf57cab0a6ed0d75668a31
SHA512b58a2bb798c439a98ab4f010b142b0954080d49543e28897882a4ec3a6898e1a829fac623321fedcafb04476c4f5e91961ca6baecbb9a80ccb640951047b12b5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5374d3b04f17dbf1919a7542fbd4db8b8
SHA1062adb5e4422e09e76e1a239cd6fadce99934e28
SHA2564b1323bff58db3ee3961dac53e08643c5080197c8203fb1070128c9a9b45c9ec
SHA512ee451c994ebf4e70444efa81608909f9bf5a7a2f242ef45e03a72ea58a9c9b7170985c9800e83afe2bcf8b2fd6f4ae8a5c700367e5a9c969137f2f5d2dbbf8ee
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD53777709e3cd9e1ea9982bdc819c498ae
SHA1ac4a896aee678b1dd2d081e0664790a42f80e2af
SHA2567b028904aaeee711259b395e786b2d5234c107184eee036c870b17eb08601567
SHA512c5f3e4db56843283494e84c6d167cba2ad735dbc401062dad1ce2ffef87226c3cd606963e3745659a2c1b28d6ac87f03244202650dc0676213d3c0ec9b212c08
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD530c80231826f6b724fc58597e576bd1d
SHA157b78ded1a2f0a6221ed0b53d360d134a85a0538
SHA256a7abadf6f7a48bd279400b97a32e012f8065a142730443d366e583f463104c13
SHA512557557b703a810270aa5e5d78c09750569b32fda7da3e9c8b3490cf19c375686806f12a3ab7d82c68b6f933d9b95649dbd8305b9642441900d40d1f0222a8c3a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5154c8c3c46ee7a9230867abd060ef0e6
SHA1ff05a3e60583f0b1edcffe0400cbe8c471785480
SHA2566409ee70a90aab80a0fb120d11fcb33083b08c7610ce64a5ce5c900e96f371a9
SHA5122b1494fd032f097526953a0c23f91b0e4d54a16f0b96c86e869980bdcdb63665a0b4d723ee785ec07330d6194dbd3f8aebfda4cc830004148acb4e4148f1b6e6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5a05f3d358baeb6bd325571316c1b00fc
SHA1a9ee9123d79d0c59660125a8edbee739b4e819eb
SHA256670006f57d57284970df1e94ef83d75f2c1bd266e4aead949fddc443bc1b03f6
SHA512ac3492e972229f0f5cf009281fcc5ae0e84a8e87aad29b8d74c5d381b7de2b8672e3089a84ecb358bda7f687a12910b5a3531806e1bc448355a79006536edaac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5008bb5a3be6d5a529e7d8893db08343e
SHA15244285431940dc194d4138ab51593a69a91ca70
SHA256189ba2b90709092688eb8da74d920d4366221a34794b84ead807f4abcc672123
SHA51208d84223bb9a72c414b9c059a842e4d0407e40c7be95635c0af99f56d7234dbbe91c6cfd6022e7c73963fb00fb1a5e2315bd7b405e3bac7e30ff6cdec8aa74bc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5d89b8e55ac7cdd29a53daa6e35644a3e
SHA15cf3608c1cde1e073b22766f85faab3e81d94399
SHA2568c71dc3e5641351fa7cd5e4351dc420f556b2649a07a77e0ed4deb65039b7b1d
SHA512ee128fe475fa19337cc8ff2689066cd9e16f46daa8627e73ef0a4f17ac337542b29f85186f0c623b01d901bb91388c28a451ad54f0a1140221987d17d0150a39
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5b18d77bbe08208c9fe4965dfb478807c
SHA122ece2b30a8bf1229f7329cc7600314941cf0efb
SHA256d448a4ea45cf0f9f322f338e81259487d1b3653bca3d8d8d755bb9eddb19e19c
SHA512022b99dca7b53dd41c159ddf085b0f00ef519cfe4d38ea0426067037344c92ddb5194c55a1a262f0a2bb96600ee130b3095b7672b81467ab95d75afbb16fc1e4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD51a624b51bc449a849f19e703535c5bb7
SHA1c29c1e270eabb9e9d5e088de29ac3c0451d6f5c0
SHA256927031b3554f7df9e815c6ad66955ab4d9c87bc2bfd15d8125abf67897868e4a
SHA512f47cf96ed8363d31f3fc3e4041a4dbce9039ce53399d63c502a4f0f85fe2d5f281e68281cdc883b3fad640128d42906ee70d49a10446c3ed8863bb70ac766e98
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD516bd993eec5fab838bf2140d012bc269
SHA1509b4ecb7ce5d8a882bfa290a7623a0def28d2f4
SHA256f8c8ef74b24f2da540c423628c0ff35e765d71b82dc23a125f23396b8b049050
SHA51288c94cd4c130770246d5281cd06a8691991d1974b6255ecf343459a47a59e4385ae1decf65f7addcf827cc3bca35ad6fcd5a5daf9ba325c46998f162ddfdf172
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD52b7c267cc480ff8bf8da2d964912682a
SHA1ec923f0cd38b880243db3b8ad603a412d2bb99af
SHA256a79fceac5ecf1c3bc63f6793d77044ed1876b67e1f5de79f9c7871886d2fcc9f
SHA512c9f509f5e8fa0a16d3877ceb91c0238d954a53af36a51d28efe4684c77aecedfdfab3099a60217bf1ee1e1826c1edc4ecf4c472e78741a6161dbd7aa5541eed4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5f2228b433bbfc1ac315aa60448847302
SHA18a220dc5c237e65a5dbd42751f3b6d001802f8aa
SHA256b4658cd6e9db33d4c086bc1a2a79f436875501ed927d6a4b6ee8e90a7b6b7927
SHA5123bdb5261f1c9fc8b2799e945b65d2200c268301ca59e508c232f8145e8d0d936fdf84176f8905ccaa49b39bcb0170727f35afd003052065f3fb808606b9e83ad
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD5b28fecf6addb7ed4a630ce079d8dc40a
SHA1eac82b00d590dc8ee1ca0c6fe205f9a79caaa038
SHA2562997fb4e7d73da444bb9dc67c460c8554aba1d00972541794342ba8a664f610d
SHA512dca751666f47dc367fe18e96e19f90fc409cbd013e5fc33d445daf012813cef072e503468ae3438c98ba6c4b40fbbd2d09b884cb73aa30547000292b1eab5ae5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize17KB
MD57f0ec688427aff2b6ff46bdfefc0b2e7
SHA17d11266c6dba976bbeaafa43acbfb7876bddaa22
SHA256ebbab8fa8ca39b13269f2061f37d73ca6c88a93a06e29f58b87635fadd3b1590
SHA512cfe3e059110906ed07c78289ebd36800e3da8ef059c738a3cb9eac09c1ca46a8026edee1c152be5d246f42b3089dce422dd958b45f808b3ce3993e76a3e3aba6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82