Malware Analysis Report

2025-08-10 20:49

Sample ID 250502-lvxrvszscy
Target Thorium.exe
SHA256 1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
Tags
defense_evasion discovery persistence privilege_escalation ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50

Threat Level: Known bad

The file Thorium.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence privilege_escalation ransomware

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Boot or Logon Autostart Execution: Active Setup

Manipulates Digital Signatures

Drops file in Drivers directory

Checks BIOS information in registry

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Drops desktop.ini file(s)

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Modifies registry class

Modifies Internet Explorer Protected Mode

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 09:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 09:51

Reported

2025-05-02 09:54

Platform

win11-20250410-en

Max time kernel

153s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

Signatures

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "劮쬝㸸櫒ꨙ롶嘕ꑍ㸍⏋㖔߃皔㶴誣촷夃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\ue6d0〻铝陚\uf420𥌢滉蔣囙䎱ඳ\uf2a0\uf235赚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "䝛⺖驱∣䂴磎ܬᤦꤵ澐若\ue9da䊉發낧﹛徬䜃ꇊ磸瓝벢⺬駼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "\ue102몑\U000cefa7艔ᠮⷈ⟠ڝ\ue707❨꧴秫辭\u2fe5\ue32e⒍\uf63e\uea7b拌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Enabled = "哼癨\ue9c5厦쯣糉죾◾ጝ䡄\u0d53Ꙧ沟ꔌ쟘螉É쬥앍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ = "㶂蟰幍䊂こ鸳⧺昪遟ᵖ꼡썖溳㒍㳂襭泮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "쟁訮뢵ꩲ㯌내㻱畘\uea4d\u242e\U00087fce삾ᘎ\uf183" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "䖖\ue0a3\u1b4f⌚큨轧膜\u0ffe轙𒋵ꟸ肠콚뵽ꎛᦉ㒷\ue962濛欤틃盲♴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Locale = "䁅涹ᖧ\ueea4럡\U0010dd6b悑⯢꾓⻉驦\ue6e2틌䭨폼쀔簪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "\uef23쀨\uf7e9Ⱓ永弭⣰쌟ꦙ㽂㖴綠≩័네⊡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "쓼䧒鷙쪘쪋\uf138ỹ\ue887涬ᄑ龴鉌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "\uf303껇䕍鑞룡䖵\ue08b胛\U00019179ﲥ颟䜡䜹쀓䂎縈\u0bba첩臩莿ힱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "謮ꋀ넛Њ뻵Ⴟ⟆\ue355ᶾ\ue4db֖돇ᢧ剗ᔢЙ稐析" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "ల볳쁼燧殻틠䄋轆蚓聳乳볫㟵籯踪ꐒ熩⎧োྊ¹詰ꫝ븜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "颗빀殮괸龹㝋雷\ue017䔝ܒ阋\ue509煪빆覹毪椢䎠䕲㰜퇏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "⥲훤ߓ嗹\ueeb1\U000c1132싲䡢К⥧\ue3f1鳘푱誅턣Ṻ핬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "含揙㱉睵淠漩伟뺻塄殙⦎腎㝦豈例䡑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "ⴱШ㷎\U00102196诐銋ࣷ㼄汭䍷闠ꨒ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\IsInstalled = "᚜翹癝ꥠ㠅鲰ⴿ㳈ࠀꑝ\uf5e4ꅬ哞贴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "阮Ჰ輾擀슣ర벧桅౿檂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "誦紌傿ㄸΪꕘ⦑ೋ軾溪\ue9a6䋳뒃铣ˋﴱ诿䝟\uf8fb崌僴颉ʪꭞ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "䘹륕哕嗯㑐\uea3f悦䶦卩捇\ue1a8\ue030洁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "쟅ﺪ⸭⋜ﹼꕢ┢꾄⓳\ue40b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "猎蹨현說᳸藈唔砘宨⸙ꑢ揹\ueb8f팹ꆓ汘焍⧵\ue8a5몼Ɖ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "㍹\ue2b6鿧犨ﴐ≳뭙뭀⊔꽑䛔䳄➑愃독\u0eee덭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "䗑\ue4fe矧돶\ue32d\U00108c60擳\U000bb60f䣹邁衵㒐館\u0fdbꑎ愠仄\U000e4e4b\ue1d5" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "\ue39c떐齒ꉱ瘂\U000934ae业믔뮐ᑇ䁜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\U000370f9䷷벢⥆㊲䬐ꄟᝄ탾ﭯ᷻ἄ뻱㽋͐뻷╁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "㮋覟宦\U000951f7㞥ύ᧵⪭\ue3d5ꡪ⢴향包蝃䤳ꃵ鑱顿㆟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "䌓웇ɮ䉇飦⬚\u0b53﹐喪䇗\u0ee5콡\uea44䜢⻊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "舌\uf120ꊰ텮嫲萟\U00063022㐼\uea95\uea07畨\ue6fe茂ṹ﹚蠟仩텗滈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "凃㗢挤姅\u2fdc祮똚諕蘉룷㷼甌돥軀쥧腬\uebbe\ue3aa团\uebd6썜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "ፌ㫛\ueb46䥵∗♈ሹ兘ᵿ\ue3a9ゾ\U0006e1f1吃晆ꕐ母\U0004fe32餆⑩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "慊ﺹ앲\ue497\uf1fd䀎낋嘧齧莐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "伹누ҝ㷒\U000dde4e㲚ừ㒵癔壤ᒴ㪓\u0ee0銡⑹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "࢜Ⲏ뱗ꖮ暯滀\ue6eb귱藠譀仼縬邻浿夜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "杞墠飅\ue075ﴑ\ue3c2뚙蕦鰝疭Ḉ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "꣹\ue11e볬⥿⑂牉\ua7ebṨ杉쏢䘏⾍\U00080d38쎦ꊼ䒝֥斕ꤌ礗䫼\uf094" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "\uef86ꏯ牫撶陝︿\uf3e4諺囃荪辭藴㡹蘯\ue96b㙳扄蹬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "啂ّq鮚\U000f39e9\ufde9앬ᜌ礋ේ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\IsInstalled = "㔏\ue2dc씢鴓굋雁泑헭匹ꍸ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\ue1e2蜨盅玹傔㝍㴧鍁멺ભ洸桸⌠稽籴끥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "瞭叶鸲躞ꘟ䕳㕊鶼↺沈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "婄갪躢`溤䧨넱鏾螴\ue44d" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\IsInstalled = "뢗繋湀\uef3b鼡됁拟᧢뒨\u2d9c炅\uea07딡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "◹ද「⻘풃ᾴ佧꽎㗍뭔뚆⸋짩\uec94" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "挍哛듕뫎\ue4ef綴틒휛\uf2fb惧훷㸈夬둋\ue43e瞝灻趲퍮ꏁ\uebbe\ue00a" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = "뿢\ue174물寽\U0003c97f揋蕈熵ꍽ\uf854忔뫺鯴읦⡩쓩\uf1f3ㄴ뗒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "岗䮦宋遱흥ܷ곐৮\ue6da梯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "ⳓ蘆⬨͏\ue415웥㮜鴰몶虼橱\ue19aည" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "㶁\ue8dd⼧睓盅ૡ띊䩯梞臚쵬龓❠葛脫\ue5f2▜\uf656\u2efd" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "룹ꪵ륍킿\ue038䀦✄\U0005c287娳陿譤뻘삉ꊤ롞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "♒쉎ᰶꞨ˕窿\U00034c52䲻ꀲ祌ᥰ㱳㹠쀇╡ࣲ芟긘垴㤊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "毫ꚉ頕삡丱텪蝏\ud7ad⠯\u1cfb夐ⱊ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "䔑벅߰徴職鱿\u0e71㥘姷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\DontAsk = "\ue4f6큂ȵ䕒䊄廱贘贈豰Ɇ鸜㩠䋇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ = "𮋓㘞㧍䦏簭쓙뷲魺ﰉㄉ존蘞셵卟询碋锲ᷜ좸\u0af3즢뙥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "᪓䜫㦵飭妧謕\U000951a6䰀⥢Ⱐ䨢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "牧㹴\ue177漌\uf6e1芥颹癬睮峮伅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ = "猉尪\uf7b9申\U000c885b验赌㹒ⶤ쬵\uf67e㮢빅㣟㶑ⵤ铴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "鈋爂惌䉃쾀ᔅ蓝ケ譒뵴밋扔냙Ѽ✹仹\u20f4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Locale = "ꘛ\U0007ee83㈮ﲇ髵䣱賜莒㹘基醔贪뫞\uf8b4躅淁ﺿ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "㚜麗輧\ue817粕ꍺ聁쪔텶滔\uefa7ﻥ餎એ\U000aadb2怠䲄썡\U0005615a饉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "\uf7a9凈⋌䃰Ꜷ룳抝ꫤ澪흛茾\uf4d2ᖉ\U000c0e3c萇销퓡ፎ㑉琂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "힀ग़貙\ue46d鞹풺\u1ade\uf460츷᰻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\IsInstalled = "㝮䧑鿘돋\ue68b屌ⅆ\uf66c㼛椸耜㐻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\SysWOW64\drivers\hostsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "쯇\u05ca\ue7e7钨噕➗庰ꑍὐ⟂⥂鞺歈꺂߅面뿽" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "᳃㜃쁅ꅠቃ䮲ᮿ躵쒠ﴍꏮ콞ꐁ틻\ufff0\U0006033b㙢ั" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "㹝쇂樝\ueb3f\uea5c\u0ffd蚃\ueb6e리ー뇕ꀳ泻" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "\uf436Ꝧ\uef44\U000e4b4f叙ℙ\ued34歍\u2d2b굼\ueb47略坻옺阄珘邃궿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "趧봞䩱\uffff経쎘ᆗ䅽덂ࡅᔱ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "\uf31c킴㵯\uee00陰゛ꪞ䨙Ṭ⒋瀋䖇\U00057919䬎\ue407" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "ķ绢䋬溝뭤\uea1bې㈺錐疸ྩ襕\uf178댮꩗氢ⷊ譫" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name = "\U000f5d03淙盼\ue631玒졝⺛\ued07⨀掿\ueb87㹡樲薘ƨ鼁舟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\ue0cc㝨\uea53惹\uf8d7Ⴊぢ䜢嬁舑됓ㅟΉ⫳特들瘸\ue6f7瀺㏸䜏䘿ꑝ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "勍⟚燒Ⅰ멖ᮿ콎\U000c17ad\U000dcc87ꖝ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "푉軦ഊ뭀\uf613\ue6b6븵픶韹\uf794洸賅퉝ㆉ\ue28c㉍㌦돾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "봙ⱃ̔霱輟뉫溲鳫쭟夼鯏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "밊鬀㯍𬗘艅럦빶鳐䣊캬쉝≇䳠鳡➍킕鯱灓꾣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ꋴ붩橪ⷧ퐹\uf54aଏ㊮㗳ꯏ枔ޡ䆺蝊쨴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1\FuncName = "惏禘㏁荳䖼〲鞹⃑戻᠆쪢㖒ΐ컦刐扲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames\TrustedAppRoot = "\uf8d8\ue730ᴕ䳺ꃀ⻮陑错\uf49d\U000389ee붪㓰ꀁ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "쓕䍋頌遫譊ȃ\ue60dᷩ㐗\ueb5d字뜵\uf40f\ueeda딓춶\ue093" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "냴उి㤟ƥ柆璺먚ꤍ⻘뒪\uec6d‾ᓺꠅʳ癊鱌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "q뤦뚑\U00040760돍䣪\U000a6907ᢼ鹂\ue2ca劐氮ધ\ua9ff" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "ᵎ\ufaf3\uf2db咲\ue07dା냼궰䡪㲁傯仲峖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "\U0010a389㯝㏍纄삊눛鷢䋘ʠ䈝簣씊쮆\U000a2283禙傠넆⨍ܗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "Ȯﰩ驖愾촧蚦縿ᓓĨ卻흯꾽铤띃ꆅ\ued83鸜\ueff8⛕䂷珴⸕籶䧔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "✟刟ﶨ\ue392冹䣁︵쐉떀Π⪧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "\uf31f꽄븛캻㒲規ꯥ䞃镺㼏즏橭旐椺찉ꋵ叒峤朵샗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "冻䌊ᓺᑈ嚖⮱\uec78脒蔂鬁돳嫿酏謎럿좗ﮟ芛췮泧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "늫꺊ዏ땏\uf536媏ᯤ瑱⛒黚⠗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "ⷐϿ㝂ﱯ\u0b7c戂蒤ꗭ渵㓮\uabeeჰ\u2d2b怕\ue302" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "릔ସ籮\uf5a0䟿㓣\U0003d33e\ue5b7\U0006ad83ꉬꧪ㳔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㤇걑洑䐉\uea9d獛砀\uf757\ue57dઃ\ufff6ⴸ\uf0ce娭끗冂᭮\uf4aa奥琏섌\uf4c4\ue2cf" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㘋ᦹ捎䖧咂触ය茩ǖ얜" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "┾ᘈラ斞쯲⾴槇蔱킺ꪂ㚉刬䬁㊓㣬캝挦뮩ᕍ䁺몫蜋兎흦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "窺拥\ued49幰墙摕㎧\U000c363d鼲멎\uef33盇旑瑹ㄘ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "舑쎵䡮봺\ueeb7\ue703泤怰勍䢮ᎀ瓐빡㤠䟄濈頯庇ᙯ\uef0d聿䦪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "s埰\ue156ᄢ㫙鐿ᢙ\uee7bぃ\uf11c\ue0e3ᬇ捔佗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ⓖ\U0005bd5fሂ\uee2a္죆\ue8e8\U00083ac1䌸罸葬䔵ת\U0006e64c렃ᦏ䶙윃骁阈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\u0ef6Ӷﬨ踮끮\u2e64村쫍\U00061844ꝱ䷐\uf87e沲\ue524㲏홧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12\FuncName = "コ䈣툢\U000381f2㌝垂䣱砱⨰ᴎꂯ膨칺ᔎ\uf2ea䶞㏧쿉㐬﮿╼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "ᢌ\ud7c9춽༄ㅤ\ue4c7렗㠄㭎쨤뭎\ue14f㞶楯\u0bc4訒\U0010adf2ffl䇘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "鏠鄌꿖ᾋ᪺鎈躯鍮쵢伥攷ᩈ\u0be2塞Ξ黮砅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "㊡몿Ⓨ\U00048bd9띄펣䉏啯壔蚋➐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "耉Ꮵ㐃響螗ᇊꀆ퇑独茧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "㉕撦≓\uf220챝\uf54e\U0005d5ccꝝ秛ꬷព賨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "◞வ䲭픸\ueb80\U000b68c8啉糏䓙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "謻ﺣ庱좏핶㸏訍晉詊㏠론ꀬ紕㑌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "擳仯᩺柳㫸㳢둗࣎⸫끩䳱\uf7ce퍑籀ᄉ촀檻\U000616f2៲\uf349猉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "튿벾㷾︀몄ၣ\u17ebꙠܦ⩐婒턯⊿ꛗ鈭ໟⴇ퓊耸䇼𧻓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "딚刨\ue59b\uecd7ᾃ㕦\ue0b3쌐\U000491ac\uea8b\ufadc茢쳱賐\uf554灤⺓穃\ue7c8" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMd5ThirdPartySha256Allow = "齡푘龿\ue06e唔퇪벳쉏褎촸眻粨扞黯냹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "闍陔芝㦗翪䧧諒ႋ㹑휪ـ蚵\ue294阃蚶\ue151\uea2e⧛\u0c5b룍䫺僜ꅵ\uf5bf" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "࠶⪇\ue78aꈈ㭤ಡ鱘髪랲㛹섍ὧ㳓衚㻅䛪볺᧿ᘒ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "↙\u0bbdꤼ\uf5cc웋ᇴꏵ栦溙Ķ㵦皦\ue0a8惄斑밧\u2d77녤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "䪋䭄遀\ueec9⤊쒔ꆒ䋄檋ⅵ솑除ᓛ䐮暺鼉ᠧ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "שּׁ\ue8e0廒\U000e6aba\uefd9\ue997縙ઃ媶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "\uf7a6Ὓ\uf856ᝌ遌蓼ꀮ虄ﭣ⾱聮魚☸챒\ue694⏽熦ᆳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "齦䦞豷㖬朠Ả昛怎釃腟ᗄ\U0003e718㭗䡶Ꙓ\uf5ac︥㳇쪶면䷤뫬慆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue226𗽮떔䅜쭊\uf656ポ颍䟜\uea80\ue8dfԮଌ냚蒨셄퉶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "寨烉X飺퇉秄芅ꦫ鿫➣夺᧸ꪬ㎱厉㸭罍\ue06aセ鏏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "⮽厮ꂑﶋ\uee63鿒̼䰨㷿\U0009fa4c륆䈷臒죧먻嫏Mꑬๅ\uf0e3\ueaab噵괥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "椅ꡒﲨᕓ缰噤\uf52eṺ쬐쳃ѷ\uf1d0材" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue896\uf486⩌\U00088c9f酣뮿̣꽄랝셱鑪鈙㬈뾵뾃墚\uedbbᳫꃥ㴌㸴螣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "굞\uf7386皾跳䑹\uf295ꅶ纍縶ᘒณ\uf35e\u17eb\ue517荛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ꄤ№柂厰峾饸\ue7b1䕋\ue5f9\ue686舮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "逻팊톴惲㨑킺ⵍ䑪笧芡謎\uf56f\ue18c➄﹢偃㩔㥳殹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "붋鏮藫\U000a0fad慺\u1978壶䴄鷗\U0009d8e8ዜ懠⨳ᶪ뎖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "䕳\uebee䭔켲秜綬쒄ݒ覔ᅲ\U0009f8e1ⷺ蹷䡏\u2437誥襉莇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "믏㸄淣\ue2ab\ue11d껇\U000f5a3fሣ誤ɔ姰㑃㦛烆潺濁ગ详\u0b0d☼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks computer location settings

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\Geo\Nation = "\uebb0Ⴎ\ue6c2‴̐쎑ꢳ⃞컕쒾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "\u0a5dᡙჾꦏ뤗\u17fd\U00106a85鏹䂪籒讻潟阻祒돖郌朼\u0bda꺵麽닋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "쎵섬ﮖ\ue7ee쵾齥ᮏ⏎䩐\uf4d8蓹\uf8ceꁍꞄ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "➐眽邵蕡螄\ue735笳睊炎ꃘ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "壏ꐶ뤑\ue20a頀ﶟⷧ撺\uf144捳芡\ue39a뼈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "麡竫螧険뢥ﱵꭾ減ꋹ筕⤼៱鳤褪ᒚᬆꙅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "צּٽ㛵\uf8b0皅쵏꘤㻚쟭頛샛\ue2ec吸\uef98픻羛蝦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "\ue275釾륺⯗輵굋\U000b9ea9輰⾡ꋕ怙⊷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "릉韟뚼库譖䇾皝駑\uf8c4蜝ž" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "⸕\uf305\uf5e6ᨻ츠毧\ua7eb羺ꭩ滳鰬뉧虁궘켍䳘膣ᄍ峨篓\uf546䑗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "\U0004a863ﴋ鍢㫻ʘ凨⅄㐎币籍冑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "⿻ʆ抭倯丩ř矣\ue3a3ﷸ쥦\u2d99煯៵퍁胷踣潇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "櫐칾ಡ⽭㫉谼>ᾦ搉虦宮㥬꺻퍡讄鼙缬娕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "赋暛ᾦ䫤뼚黯\uf592蟶싈\ue599飺\ued35ꄢ鳁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "飆Ի牖莛鏈碞⥔㎌㯼寪\uf1e1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "ᏹ犠\ufb0f₱溍\ue70e突萩ꏲㆽ蚹燳섶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "ꚗ\ue6a4谿䀶袂ㄽ⢫\ueed7쬴\u07bd㷡붟嶙㕺鵪萲\uefaf瀨緸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "ﻯ제韹輸\ue767㠽榜귂뗶ꄡᶍ쓏\u0a7f歖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "鏩\u1b4dꞁ\ue998쒽⧱훉ꛞ쮝ౡ뱸灖愡﮲ౝᣯ㶉䦼駭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "隤롌鱌ᕦ綴ᘁ\U000856f1⼻싿\u2fe9蔆捙鉜\u0fec䟨䛑쌕腞唔搓旆㖹ഠ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf3f0בֿ\uee2c䨉芩蒊\uef29閥\uf801┡㝉靓۬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\D: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\msmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\svcboot.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WallPaper = "䤮\u19cd술豛㴾꾸鮜巧Ûဵ鿴ࡿ햎鯔⍹㈪俦巉됨짗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\svcbackup.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\hostagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\thorium.ico.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\syswin.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Windows NT\logsvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\svcagent.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\configtool.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\System\svchostcache.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Common Files\Network\netserv.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Connection Wizard\server.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\WINDOWS\INF\infhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\INF\driversvc.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontmgr.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\bootcfg.dat C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\Fonts\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\winoptimize.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
File opened for modification C:\WINDOWS\SystemApps\taskfilter.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Thorium.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "脼\uf54f퍧옢\ue010䔗荍䌻杕\uf6c6뮬隻\uf4eb焫\uf4d2뀟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "桷Ⴏძ髆茲疬閤欂䑯퉦淧ᨦ䫣෬㕗셍핳偭답쳬樹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "ꨧዋ\ue357䑩㜹嘝ɿ丶⯀辪\u1f4e徕\uf593" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "ౄ挖\U0003a295헾栖⏉赯獤眠\ufb0e\uebc0\ue0ce鈷" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "䑨겟ⶈ巫\ue224ᴏ貧ûㄵڼꢁ鄿1̺涋왉ﳀ烈ㄐ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "ᾰ咍虿㰴콏삍쪪䔇⋑퉦℧\uf53a⺙ो掃㣂峫\uf848" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "\uef1d娙ӡ\uf42c៉加禎밎\ue42c씨遥ᗃⰇ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "㕦访ᤋ魦꽃켢ܡ숪䜹㇓\ue2a3폡\U000c9b80猉㴸ꤹ燰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "ꙷृ웎웎挒긑压ꬼ\ue413እ醹᪲뚐䝜럭灯퍃ᡸ銼굕뤿⇥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "灥繶ḿ意\uf68a䌠㕿皕刹㴸鯅䅒ꤝ佋탴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "嬤´䙑㣿\u2da7䈃쒝ㆦ꼨ꈫṏ섷㔹ⴤ颷嘚쏅纇\ue3c3濅更誚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "쮒⮫訲\ue404蓑驑㼘쫠昫滑擎\u2d69瀱굶⾤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "┹ན篰춐뻀ᆲ✈딽똋捰ꇞ༶橆䩥놫⑪쏰곷傔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\U000cad97뗔ᜉ鋑麑\ue2ca\ue0f2馄\uf13e撓꾪늦᠏\uf81a儧晻⽪⼈㵱縤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "ﴊ\U0004bf06ؽ\U00100026Ὴ莵䛏\uf79e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "䉃푵櫫쒫\uab1b\ue551\uf0bb\uf365\U001075a3ઈ㢼\u18fb腥○압ᮽ흧\uf7c9뮠溯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "ᘻ뭮ő재䄙㦇F€뉃痰\uf47a⤛\uebaf\U0010ee4f洛ꒃր娀" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "ꌧ㮌咯䜩쓔짓趖ྡྷ\ue7c5\U000d02bf榩쭭뜵\U000d62c2ꐄ\ue80f\U000ed029祐㪤ꕚ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = "鰗즯ྕ䂃ધ\uf595흜䠟钛ן𮗖박\ue64f\ue144︤䟎韚挸캣ꄚ䡼\U000bd613" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "둑浽\u197c⒥㘺솅ﱒ\uec35䏹厴邴挿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "㙏뵯詭¢槒\uf549蹭懨뿌숗橝쐘酕靴䴛滹Ტ侁堓例" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "惝ܬ썳鵳睃Ự浔䞨ׂ\U000c53cc謌\uedb1弙\u1680➓魿𥳐㔩ﱭ䉑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "\uf791佒嵅䠉\ue04c\u0d49紭쇂\uaa3f韸ᡥ븪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "\uf1baT㰫磶㬇훁단㶒໋̫篃ဥ㦯ヲᔒꞁ\uf518瘈榨堓瑟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "䭇峉\ue462뎈鈃﵄蕬晨ꀇఔヾᢳ\ue3f8枋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "橮䰥듡\U000cfcec⒵鰡宴ꔚ봈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ࠦ둸Ồ鰆【ᦝ벷秓倮䗡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "㞊ള\u0891┟癛ڸ岽\uef02鳟\uf8e8㟐\uf5c7冱᪽훦ㄥ섀淨콨\ue68cె" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "\ued12䟯耰寧쏏鱖騮뺡舘烒濏\U000608f6擩\uf5e8㤟떑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "왗쒀घ哒箣\uf178⸓鞉\U000df4c8䘱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information = "労ആ㙥Ǎゴ愽픮\uf722ঐ㚇指\U0004b08e莿ෆ┴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "尒ꌛ띫䭴ဗ菄罾鼱ㄘﵸ㸳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "\ue4c6휷꼫Ҧ곐辛\uf737\ufb0e㈉ᡅ鋅猶䚳䋳꩟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = "䟎ᖇ\ue063ួꟗ࿋팙㗺苹癪濖䛶橉朙屬秹ﶶ鶜廗璸檏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "⤩堽\uf872䭰㠱\uef31砉銼淛頨䉱嶏뗉\u2065줹듩擔婤벏灓뤿뽯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "蓖捞䭣磼䞑\ue95f껹\uee71ƪ楣ね뉠ꆯ쓧Ⓢ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = "➉膩簮\ue062\uf1a8Ⴋນ͜\U0005f4dd鿽뱽枌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile = "ꂕ课\uf0ccꥰᯪ홂\ued2d❨\uf5aeᝩᇍ櫶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "佺ㆍह囂ҕꐙ餬㙓䮭ɽ뎧䐂믥彝᱖䱚Ꚁ萆⃟" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "ᴚꄶ\ued41啕㺌駶ᚋ\ueb92\ue7c0ꤺ寮᭄鿍강央쀤ᔼ\uf679Ნ沾ₓ膡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "\u0a57𑅬柈盩픣욼䟡\uf656\U000c7d24╽踼쵂补搇奐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\StatusFont = "\ue270\uef85\ueed0桌댞へ蓬\U0007d0f8䬋ᆯ喚\uf524果ဆ缢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\SnapSizing = "ᷙ㙉쀐\ue87d⹘壤煐唜ᨗ聉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SmoothMouseYCurve = "魋魍\ue82b鈱⁔퇎꿸⪧㰇夀鍳熜팘썤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SnapToDefaultButton = "臶突Ú罸周롷뇁湜擧錮袴氹悋싛ナ㩆\u17ff" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\GlobalPowerPolicy\Policies = "紬ᜩ㽵ꋦ\U00071e29㾡ڍ탼率沖䤉驅ဂጽ閔妰ⵉ\U000a4688휮㬘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ScreenSaveActive = "銏“Ⲿ啓鴾銁\U000557f9칣럌怑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000201\Target IME = "𢄶㏶걖캦刻ຟꥬ\u2d9eɗ頽\uf22e\ue2ad℔අ烝꾑៌壦\ue757ꦷ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\StickyKeys\Flags = "퍇\uee72溪ﮄ\ue65c추⎼㡱餺붣ꚻ鮏溶\ue969" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InfoWindow = "ᒳ즇ࠖꏌ⪢磬ҷ郚齏뜃歋激燡\u088f貁\ue51e✲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\HilightText = "쥞䤸悍풆艺ᢒ趲\uf89d\ue5cd蕯돳漼\uedf8뗚㴹ꫜ矴傕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeAll = "겞嵙ℌᇆ麒鉱碫쓛獉\ue781∧擀׀艬\U000f8f2d⩞濢轼\ueff4됦\uf4cf䨘" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Key Modifiers = "؋\ue77c헟䂿쿷欬짎돂㶥襠\uf46bᾕჁ쏈䇑\uf18b" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\AudioDescription\Locale = "詎䀠檂摶⩀酏鑲붊ᘴ㑡⨌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000012\Virtual Key = "띊팊↓囦됓釣ⴵ茯帮豝㥊\ueb9cꔊᥳ焇휿右" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonThousandSep = "\U0008b071酜㤿敛葪귯\ue3ba\uedcb\uaa3f璹톪筱酓楐抏鑆⩇鼪\uf30e⎡ꑅ䌾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "࢘\U000f5147㪚晣寧𐀐咲훛⽇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveBorder = "贜滌瑲侣꯷\uefa5棩\uf227❾ꦇ庉㵈磜ᬨㆇ鬝䮃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "躖䨡\uee7b㽅\u0de2㔐߿猉帧\U000a371c꩒Ӓ部폦ᐃ阣랇ᔗ曅๓\ue83e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\NumShape = "ᄿ憏\uf751尨됓菱㸚垮\ue54f𐏑엑\ueb6a䩙妪軀\u09ff" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iTLZero = "ﯢ븜춑肣Ȥ╋캓\ue83c\uf7c5\ueb5fᅇ瑂莙뒳腌⬇ㇷҒ\uf6eb嚗ꅓ퐂ક" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-850 = "嬀矜釓吹帍Ꞌ煊△荬䅄ﻔ뜹瞗\uf048鸂ㆴ՛㔆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonLight = "瓆겔ꊏ궥⧆등萶퐔đﭡ쨑\uf8fcﳷ輾鵆ﵚ藑蓾\uf4c5\uf5d0缊鎹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\WindowText = "ﱮ໋䁖吪ƫ犓凬薒屮\uf21d⻝カゆ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\ButtonText = "흄\uf66a뻽鰪\u2e63\ua7ef㑀땯獇활儎뎜瓝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\CaptionHeight = "䜠壚삎\ue27aﶄ\ue0fa뜺₊쒀伲\u0d65ᥜ눬봿雅莅\uea20᐀\U000ec298婮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\IconFont = "⽼댍²夻\uf106𢒓褷㲷䥍" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sGrouping = "撚놙\uf304屏谧攑\uebad鿎漻㟷⣖罰뺿੮튵" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ClickLockTime = "˗⭆᠘\uf74f䂹㒄ओ\ue5d0鵕㦁唷탡竎ꞔ⳱뺲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\RightOverlapChars = "퓟핦\ue184麍塶隃紺쮅ᳬᙉc蹂\ue539㕷ﱳ䟮\ue097ᤒ\uf3c7ಙ骿䌑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InactiveTitleText = "覣\u008f灜椣⿈Ŀ৴뭅╄ꎗ꺸ദ皵喭\u1f7f뷌盬" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\SmCaptionFont = "\ue7a5舆䷦ힶ儺뀪梹േꋦ皸\u171c\ued2f蒘롘琗傺뤿⯫緟닄\ue4d4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Show Status = "፱ꕆ좞趫冬틩ꓺ빢\U0004c0c8ܵ뎂\ue89d\u0d97\u187c⳾簪蒡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000010\Target IME = "蠽\uf589摲\uf6bb惝匁ꃆ슝\ueccd⸨貉\U000570c3笊㑐甧鑥\U000acf8d\uf5a6廙ฏꀺ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000070\Target IME = "嘃鎳몪㗻೬㐽穅䖌ꔴ䓦㜩\ue519謧鷙핌Ꝼꮯ\uedd4淣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonDecimalSep = "뮆\u07fb뒭⻑鷭鎥뼳ٲ괓\ue9b0𩯃╭떖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\SoundSentry\Flags = "\ue49bཨ洞☣覛⸲먇屚鼃〷႖\uef37죪缉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "ᶮ䫣ᝪﺀ됖Y\U00055a54렠𢵎䠫嚦ᜅฆ햁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\AppWorkspace = "ꑧ껯߇\uf4b4₋晧\u0efc绥ꬹ\uf076獵\uf593皎\uefa4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonFace = "\uf25c፻盎걣⸡듌岝鴤蔿\uea5eć̫낦␐ҋ列녨僎嗦㢿붏갺↔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Key Modifiers = "뇍懮퓊\ue29e딫蠗涉췧㤍㹇퐎ℹ圬ꌬǒ䛚魢" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstDayOfWeek = "㚾ᙃ㩓黿𗖌ﱊ\ue829붰薫駕Ꮱ䝭뜣喬\ue0bb넱\ue23c" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeWE = "㪻꜄\u05cf㕮嫁\ue26a륷癷蛩斗ⵋ嵙\ue67cꄩ聑焭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\AppWorkSpace = "ઞ②벫蜛߸輺吗⩟욌凶醮ᬐ䩚\U000de23b䅘䰠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iDate = "찱\ue61f睶㙽膋ᮅ뿷塲柁\u202b냱춥斅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Keyboard\KeyboardDelay = "턈亡\ued3e\uebbc袦곘\ue382\ueab6⌻抬캙䅏ᨦ捿地\ue106乭\ueac4滆籧悂缾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\Scrollbar = "┭肋林炢╥遵뻾蔉ꮦ똧텏矴譍\uf68f" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MenuShowDelay = "\uea38켪큦\ue464鶙굞萅痙㣳줷礕칺良泙䰳毡" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\DpiScalingVer = "\u0a45蠽糆ቤ䢽ヽに훝䔮䘓肉䧄게띃汾\ue00b浸뺝隁\uf058묤\ue95a༌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\DoubleClickWidth = "尅\ue6edⶈ薑磿恣렸㎝\uecf0刴䂷斟◊瓳ነ\U0001bb1e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\4\Name = "墜㦙ẵ᭄稃답舅럖調럡\ueefd쉑\ue6f9ख़㕚Ꝏ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\MouseKeys\Flags = "꣓齪ъ넥\U00050609\U00064cba\uf865釕\uee71쮄릆烝㴐\u1f5c\u0c74ⱨ킏\ue80b꼄㞋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MaxMonitorDimension = "\U000fc538踔胥\uf8beቝ뭣\uecb3\uefdc骬솞\ueb7e꺿䄄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = "쩁΅鸬֪ᝩ蔀₱遴᷈ᕙ皺\uf663㟯꾤럑㰦⣹ꤽ焜彋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\2\Policies = "膚䢤횮\ue415糫툻뷢ỗ薪奧㧝\ue69c\uf2bf䜌潰⼒況\uf19c椭탘樤⮒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "꼣湬䦣犲螈᳀퉰嚯䨖몫\uf6c4谸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "ਞ蓉\U00074255ꩻ鹞\ue767\uee85\ue763\U00107584\u218d⌨鰋ට㪻皨㙿ꋦ쵆뚹ɋ㼋" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveTitle = "\u2fdf㵙撬ௐ답ᤘ௵繤쨦\ue84f䌙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\Arrow = "롍잙\ue5f3䊮䁹魥揅뎣ᅜ䋳㸹ᭊ癳" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\Window = "➐\uf481ꬋ뉳訁韣\uab1f㍧ㄫ칽孥μ\uf715诵욈" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "䕩杦ΐ\ue620㱙ꋩꦂ\ue08f툪\ue254浰遈剝檊풠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstWeekOfYear = "⾂扽㷁\uf478썠\ue8ce컷愜幚琥\ueed4箛옰\uf5de폪៤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "⠔\ue3ee뮡閳爉华쪟蛨渟虆ﰈꎧ\u2d7e\uf77dạ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "塆ﱈ噃뵔\ued73暄\ued54뀱뽤䫠左⧻簩\uf1c7䋼怵ﺥ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sThousand = "䤉퇭㱚\U000ec920⁷贕齲㗄步⩳쏜厭롕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "᫄\U0008be76뱵☽暝뤬ᤓיּꎂ脇\uea30襨ㅥ罳\ua48e雿眴䝱࿑亾" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E532-0000-0000-C000-000000000046}\Compatibility Flags = "焠밁吔Ῠќ赕נּ۫\ue1ee睤ᢪ\uf457\U000aa1e1˵筯狼⎥\uf020縻윣\ue961" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "⒖橷妩\U00035cf6빱\uebed뛛ꪭ䚯\uf8b2ﲧ\ueede鲉螬㢫" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA8932FF-E064-4378-901C-69CB94E3A20A}\Compatibility Flags = "랙컀\ue038㢵褴谤⎩몶뤧൝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\UncheckedValue = "逸\U00036423뜳燙벑퓨ኑ𱻻ꇳ顑壃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_FLUSH\HelpID = "\uf826룦댶즕\U00065bb5ẖ㞮䱏䩪嘋ࣽУ悪ꬆ噫鶤쐍顾筝Ꮕ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\DllName = "谎낺쾴؟봼奣称벹下᱓亜窑䬖쥅矠랲砸嫎ꅺ쪏奸\u18ff墨뗠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4FA8381C-2705-4DC2-ADF3-347D4D619350}\AppName = "꽳ꢑ㷛믞䉫⢢\uf6efԯ栦块儝\uf604܊ឲ㋸싧盝䬌ꚼ\uf39e셃晤껫㊨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBFWLink = "띣ߵ鏳뾲\ue5bf\ue2e2⻫켈뼄휝徭壹⤧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0270E604-387F-48ED-BB6D-AA51F51D6FC3}\Compatibility Flags = "䨉\ue0ce틑㛹䑤梂ꀀ\ue302梛搫쓹㙙娺줔ᘊ۟\uf383⬜㋛갞戴づ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1908682-7B2C-4AB0-B98E-183649A0BF84}\Compatibility Flags = "雝쨍鐿퍦\u0b5a㏳∗n㙥궞抽葤곯쮨囸哃\uf632₂봪ꁩ댦쎄℆処" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7FE605-A832-11D1-88A8-0000E8D220A6}\Compatibility Flags = "䌀ꁦ굄埒齚囂\U0006cea4⤸笵ᅷऩ䌂\uf856栺ꁍ껸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\DefaultValue = "䧏ꦞ㘹븸異攓ቆ犍䌹⌋퀐\uf3e1齱懮࿗\uebce\uf71f鐰蔸娩ꋿ㝑渥쒿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPoliciesPath = "襊쪹쑊ףּ\u2e65‚咈쀍㍼偨謋潘\ue921\U000f940a锁럟癿υ窢炵휇ヮꕠ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\DomainSuggestion\WindowClassesToNotify = "踌엎讚ꃌ\uf0c8˻窱딣蓏煢잣ⅳᘿׄ뀱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe = "\U0002fefa╫刮矓롱\U00066623㍘赚諴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\UncheckedValue = "狶룓눪ந⠂싎明䲑軚\ue4fe" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "鱭Ἑ\uf50f䌊瘓纫懑咤銸卾ק\U000763b5ሇ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{210DA8A2-7445-11D1-91F7-006097DF5BD4}\Compatibility Flags = "ꜝ줘趠ꙙ鐴䂇庂꿓ऊ鳠ஃ㹢\ueb74ᷳƐ絲뼚紂웺䨹㭶" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}\Compatibility Flags = "➨퓪릙\uebc9馟ፉច퉎⎭䗨뫿ᄟ⇂\ue932" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDEOPENWITHEDGE_CONTEXTMENU\UncheckedValue = "賋楇\uf7fb\u0ce4琏鶈䶨홁钫㩢磔뜟ࡠ㞱䡪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RegPoliciesPath = "崺꜌䪩ꗶヱ⯀孅잊\ue4ed\u1257뇥㴚កॡ㳞Ǔ¶么㒕ﺢ섰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\RegPath = "鳪٧䡅⢝玜꽵ꁍ臘ꃽ\ue4bb\u0600힔欉큔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\DllName = "\ue352梈\uea8b\U00088106ଛƼ㬡ꏘ욍䷞鑚⾥巁폳ﰙ뼪뱲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Build = "\ued5c徙ﺳ쵄浻ཱུ뛗❛\u169f勋臌\ue549ꙿ\uf247愭𬙷\uf7a5䰲잺蛼ᨶ彥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}\Compatibility Flags = "澪晢鋖깽܌ɴ䑿ꄰ㎿墉ﱇ묂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\Text = "쟂欨˰럎\u0893ߢ\u09c9寮໋Ѵﳾ鼡︐䅐綹" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\Text = "叓쬥ᖔ\ue0e2㑶돣喅矖郮\uebeb㯋뻱ହ\ue179켡⦓椭蘖闞\ue6e6䕂ؐ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\CheckedValue = "ﬗ汖쯇㤰鎤搩氅磖▴䫼ꍙ钕邉久\uee99刊ࢢ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}\Version = "䆪쫳묰ﯖ購塔啩〦뾰ຫ蚉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}\BlockType = "㬅ဤ澒ﰹ\u1a8c喿\u0bbb饠峨䎄ङ貽놤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}\FWLink = "\ue63bꂺ캷⫲Ἐ\uee5a봈⚍躏첩䓰੶骨\uea30滾鍊릚秡\U00046b04\uec7c괏" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C80CE4F484A66E40BBA6B0B6F231790128B8A7BE\Policy = "緊㴤㝠蓜⌤閭\uf875✖ම歊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\HelpID = "砅혋㴈ૌೆ忨\uf29d㖗㋧汳衑閺⚷䅦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00020906-0000-0000-c000-000000000046}\CompatibilityFlags = "ꈜ裦摝숹㢽虛郮赹理鲆辋䑵ᰗ渵㽟滙儥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A202B231-EF71-4A08-BDB9-4CE5AE8BDE0A}\MasterCLSID = "뻳躗သ\uf281\U000d6c0b䋑ꡃ녆╃뀉冇⠀먜ᝪ뫪␄㴽䅯洞ᄪ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\MasterCLSID = "䀉\u12bf拰Ἑ씊⊤橦藦⮔뵠ㅾ㈫\uf261" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ᛚフꄇጶ腃\U00016727ힸ∬ᆳ\u2daf㨨礖磼㢈퉇ꔌ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F98BA7F6-48D8-4CE7-A8D0-39D13FD6F14F}\BlockType = "\ue5ffॢ㎙ꏈ⼔䫚⣹變茞卟ㄙ챭ᢅỼ쭑\uf1c5న\u2d6a䜕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\Version = "荼烼븄䟣㝤꽗諅Ꮗ鿍ꐻ싕ᇪ阐\uf69c꺔믘⒯屉筵䮣ৼ\ue8fc" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f28d867a-ddb1-11d3-b8e8-00a0c981aeeb}\Compatibility Flags = "곯ⶨ劼ѧ啳뭇믽殥漍⻅\u2efc㓍\uee4c嘥峾挩⟓玱쎟\u07bc\ued20Ⅴ漿삄" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Bitmap = "吐îῶ딂\U00067a1a\ue956䖴⣠\ue5e9\uea17厥ꮾ벙⾉౦쭬ﯿ䰶퇼ᅃ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\RequiresReboot = "⎼⽣늼唛나⽯朡彷࣒楺\u0b78컁鴴蔞ꭅ秥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\CompatibilityFlags = "\U0009a6faᖦᨦ쇩밲邭왢ඕ깣⯍㟂⸳嶸敳괜ᦘ\U000ae23c虁義ࣄ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\CompatibilityFlags = "鲀\u1ae5㸮㷁皋虐᭞橙쫂靈ஏ쩎蝔ղ튜쌴ꊿ澈\uecd6幻씕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "蓜퉸レ\uf6ed㘭燺ӳ꽂貯窰㹊ռ桠\uf2d3\U00088ceb㯢创멧炌椂䠶揯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "곞ꛌ홀Ꮊ贑掊\ue35f垨Ꮮ\u05ed沈絲⇑ꂋ찶鼜隁ꊊ\uf0c5ヰ疿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{283807B5-2C60-11D0-A31D-00AA00B92C03}\Compatibility Flags = "㳾댲ꝑ䉕Ύ텣翢ﬖ鶎鎯䴑瓠뙸\uec85䏲" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CECCEB2-8359-11D0-A34E-00AA00BDCDFD}\Compatibility Flags = "卲\ue84f璼녎擉䦂䑫餢쯠㴢ꀳ\uf749\U0006c688\ue3e8懽鰎쭷ᐕ渴" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6DDE3061-736C-11D2-A5E8-00A0C967A25F}\Compatibility Flags = "ힿ諬錚stᘎ養썐ᆌᾆ蒄文㔫파辧\uee9a\u0558" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "\uedd9섶뛠ﳔ\uf2e1\U0008f80aᰥ\U0010e7b5类挋衖㰳焫뺱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "셋\U0006f015噣堺ꙅ맄赊俢匎Ԏ컺㒶氰ِ秷詾禛陉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A9-0D85-11D4-9908-00400523E39A}\CompatibilityFlags = "煳⤵㒯쎀岎Ԥ⇕扊약韜ꢱ\uf723ﺭ\uf78e隠跺°ུ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC962137-2E78-4F94-975E-FC0C07DBD78F}\FWLink = "䥚✱\ueeb0뷈\U000c3b15綯鄙䅙Ὃ썚퇏찕蠔퐧봮戳嵏ȳ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "겜ꖥ崑ᵏ囧녠쵤共ȣ膖" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Document Windows\x = "᚛헄Ꙙঌ鯕\U000cf81f\uf2c2첁툤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\ValueName = "ॏ丝巤訝㵇窹\ue98f忮й泙Ç捩캑뀈ꊸ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\CheckedValue = "抏똡籫㦐难雾頱Ꮹꤒ㠜诤߭⛑吧늦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.3\Text = "祷䘼熛유᭦\ue75e藤\uec94\u31ea詣䊨繛⩪\ue6d3娃뜹襁냍ࡢಒ⛀\U0007953e\uef1e" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\HelpID = "덦ߑ圦␦ᑏ脧曀ఒ嵄⿵胅ၲ䫠" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\BlockType = "흖곥ﭫ뺩笥㏞㊧﨩苯\uf4a4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ApplicationTileImmersiveActivation = "ಿ쁲磵衼媣즖袬讪Ꜹॗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\VSTOInstaller.exe = "㴫횋コ啠癰磕ꠑर憹뼝㎲㇊\ue4fd" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38AA78B2-B824-4C63-A512-02FD95FBDF4C}\Compatibility Flags = "鴒⎲껡肢쇃\uefac둬鰊ﴫ㽡႑힚吒" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\DefaultValue = "覄阼\uec53ꟗ仛荱烣퀄鶅瞙ⴱ\ue518" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ꤳꂲ玲檡ꀂ㧐쐈箤毻椂횣\uea68摚胑⮂䊔䏊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "蠽쉽趚䕽⬒앚桹\ue53d撿璬稬멒䱲Ʒ⍤鷓忏煛௶\U000f6158" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\pnrpauto.dll,-8002 = "琘壉\u0c57眔䒌ⱨ偄跭腲\u0bbbᷪ賚" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\IconFont = "ᤜ쓡\ufaf1䙤ꑃ層♤✟좶禩\u0dff윍ዊ屖䳰" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "﮽駼\uf37b㍯ᚸ놺\uf8c5㈇\U00063913\u1add桔뇪Ӎ햋꧹鸩\u05fb퀋쮥殭勁六" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\XboxNetApiSvc.dll,-100 = "ℶ꩗ሦ衹㝇珝\ue805严栈᎑ۚ䃯젫ཿ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "\uf7a0\uf334쳟\ue3de쐙㷓䆖틎㚙ᓽ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.MiracastReceiver\appType = "懁ゐ\uee11\uf66d庍䓼曍⳿砨Ἡﳠ氋Ո\u0ee9ꪇ퓔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MenuWidth = "퓢得윻牎ᆳ悹⢣\u0fe8阣쌶ᇣꐍ㙐鱑\uf142ﺗᜐ﴿瘣풌ꌏ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Console\ColorTable00 = "ﺓ쯗䈟㫞䉖榔\ue6e6\uf5e6싩᧟䃥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Console\WindowSize = "ⱥ펥谒夭姈猿Ж臾䘩蟱⣫쥩\ue2c1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.current\ = "¢\uebe0≅骜룷튎\ue37c䄹洴\ue505ꮥ䀒⭲㏧\u193c\ueaf9" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\AppWorkSpace = "륱畿ታ匦Ⴤ⊗ῠ䳜ꀯ寏넞錎鬒굕凝賟틯꥟謇\uf3f1寺॔" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\appinfo.dll,-100 = "쉮砘ٽﳌ庆\ue276쯎\uf88a놯欌铏ᎍퟰ༩롳眓\U000498f3" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\StickyKeys\Flags = "쏺鴙搓ᦚ꯵퐧鵜Ζ\uf2bc䳆㛃†놔阹搶ʿभ\uf5d6컖\ue422" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\SensorDataService.exe,-101 = "蚯멂\U00102c98範翏䢑\ue9e4\ue044\U000fc79b㏾\uee6f䞓欉\u177e\ue576ᙤ䄾\ueaeb" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\sThousand = "⒋\uedd1옇\ueb5b嘶\ue88a㧩摩\uffd0\uee03휣붬轉恞㭃鷺ﺉ泥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = "逿쩤鲕ট嫏\uf47fौ\uedbf㍆\uf5c7ୢꕧ퇣" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "ꏺ썕\uf25c᷃ྑ囼\u0f98迿럼춑瓟욦\ue80d뭮ွ○䨠ꁔ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\RightClickZoneEnabled = "ﱱ㰽욫쳛䎗䒝閆ᯢಋ뀰퍆邯㇕貯" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "璈ᚧ삣᧡ꎴൖ혯⺯밣\u0cb4栺稏踮ຑ譪\uf8dbኪ㝩❒䜶詁ፚ텻\uf4d7" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Windows.SharedPC.AccountManager.dll,-100 = "\ue6e5㵐喔ꞥ颋ᵝ첐\uea98媝蟀躱鱠㶧ٝ\ud7a4嫬╟⭑㍶호쭌؞\u09d1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\ssdpsrv.dll,-100 = "粥ᬆ㈃ฒ栓띦웄\u09b1\ue276蹦쩤悂덐뼓㤚ࡍ\U0004b99d\ue002\ued6e퐿욓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\mprmsg.dll,-32001 = "\u0fdb譶餃읬촑뺎\u0e83냑忲퀙䌑ᒫ鍣鉉偤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\ToggleKeys\Flags = "⫧ٖ卓ᙪ宬𰝹왲䞿鋜斶䊠饴訟岔艂塀᪸\uf82a傥ᆲ័珿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\Window = "ﵷ釒쭋㑤熬䫞\uf8b1䋸ᔺ姊禂\U0009f798閺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000010\Target IME = "㉒\ue146෫練綜満㈁陙鱶㻋霠煞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\DockTargetMouseSideMoveWidth = "⑸㬤Ⱘ胉㸘薌ㅋ覝濯鿺שּׁ삺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\nsisvc.dll,-200 = "츧\ue05f䴦ꯓ篛畄害廻艼锻ប菉䒭ꁼᝍﶥ兤쇇봳︎磮丌굿" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "ᚕꭂ\ufdd3\ue906氂孫\u175c띞樂峗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DeviceEnrollmentActivity\Setting = "㝸\ue316\uf3f4뵛᪻꧗ƿ귫鸕䃐\ue4dc촹㒐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SlateLaunch\ATapp = "塵굪\ue3a7崔耧ﯲⅠ쵽愀盦㥳\uf785ᨗ曧엩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Control Panel\Colors\ButtonShadow = "㶸吼地ꢅ\u1739ꑮꝌ\ue233嬵뭿远" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.AppInitiatedDownload\appType = "㟟ṽ\ue197ᕎ镣\U000771a4侂ᚍ⢲ᐠ冕枊혧늒騼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "姣뒰螖✹譗螴䣹鑡鄱궬ⰱ첁" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B} = "\ue038编鮐ꐯ꙱껣崒잇៲劄塎滇ᐛ⒮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
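
The two tables above (the start-page writes and the HKEY_USERS writes) share one pattern worth pulling out mechanically: every value Thorium.exe sets is a run of arbitrary code points rather than a URL, path or number, while the powershell.exe rows only create empty certificate-store containers and set no value. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses rows in the layout the report uses (description, registry path, an optional quoted value, process, target), attributes each write to its process, and tags rows whose value is mostly non-ASCII; the sandbox prints unprintable code points as literal \uXXXX text, which the parser folds into one character each so they are counted once. The tag names, the 0.5 threshold and the sensitive-path list are my own choices. Six sample rows are copied from the tables above; the final row, an ordinary ASCII start page written by explorer.exe, is a constructed control that does not appear in the report.

```python
"""Triage registry rows from a sandbox report (added example, not the report's tooling)."""
import json
import ntpath
import re
from collections import Counter

# Assumed row layout: <description> <registry path>[ = "<value>"] <process> <target>
SET_VALUE_RE = re.compile(
    r'^(?P<desc>Set value \([^)]*\)) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" '
    r"(?P<process>\S+) (?P<target>\S+)$"
)
KEY_CREATED_RE = re.compile(
    r"^(?P<desc>Key created) (?P<path>\\REGISTRY\\.+?) (?P<process>\S+) (?P<target>\S+)$"
)
# The report prints unprintable code points as literal \uXXXX / \UXXXXXXXX text.
TEXT_ESCAPE_RE = re.compile(r"\\u[0-9a-fA-F]{4}|\\U[0-9a-fA-F]{8}")

# Path fragments worth a second look whatever value is written (tag names are my own).
SENSITIVE_PATHS = {
    "ie_start_page": r"\Internet Explorer\Main\Start Page",
    "ie_zone_policy": r"\Internet Settings\Zones",
    "cert_store": r"\SystemCertificates",
    "policy_key": r"\Software\Policies",
    "shell_folders": r"\Explorer\User Shell Folders",
}
SCRAMBLE_THRESHOLD = 0.5  # share of non-printable-ASCII characters that marks a value as junk

# Constructed input: the header line and six rows copied from the tables above, plus one
# control row (an ordinary ASCII start page written by explorer.exe) that is NOT in the report.
SAMPLE_ROWS = r"""
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ꤳꂲ玲檡ꀂ㧐쐈箤毻椂횣\uea68摚胑⮂䊔䏊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "蠽쉽趚䕽⬒앚桹\ue53d撿璬稬멒䱲Ʒ⍤鷓忏煛௶\U000f6158" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "\uf7a0\uf334쳟\ue3de쐙㷓䆖틎㚙ᓽ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B} = "\ue038编鮐ꐯ꙱껣崒잇៲劄塎滇ᐛ⒮" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.msn.com/" C:\Windows\explorer.exe N/A
""".strip().splitlines()


def parse_row(line: str):
    """Split one report row into its fields; None for header or non-row lines."""
    m = SET_VALUE_RE.match(line) or KEY_CREATED_RE.match(line)
    if m is None:
        return None
    row = m.groupdict()
    row.setdefault("value", None)  # "Key created" rows carry no value
    return row


def non_ascii_ratio(value: str) -> float:
    """Fraction of characters outside printable ASCII, counting each \\uXXXX escape once."""
    chars = TEXT_ESCAPE_RE.sub("\ufffd", value)
    if not chars:
        return 0.0
    return sum(1 for c in chars if not 0x20 <= ord(c) < 0x7F) / len(chars)


def classify(row: dict) -> list:
    """Tag a parsed row: sensitive key paths, plus 'scrambled_value' for junk data."""
    path = row["path"].lower()
    tags = [tag for tag, needle in SENSITIVE_PATHS.items() if needle.lower() in path]
    if row["value"] is not None and non_ascii_ratio(row["value"]) >= SCRAMBLE_THRESHOLD:
        tags.append("scrambled_value")
    return tags


def triage(lines) -> dict:
    """Writes per process, junk writes per process, and every tagged row."""
    writes, scrambled, flagged, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        row = parse_row(line)
        if row is None:
            unparsed += 1
            continue
        proc = ntpath.basename(row["process"])  # Windows path split works on any host
        writes[proc] += 1
        tags = classify(row)
        if "scrambled_value" in tags:
            scrambled[proc] += 1
        if tags:
            flagged.append({"process": proc, "path": row["path"], "tags": tags})
    return {
        "writes_by_process": dict(writes),
        "scrambled_by_process": dict(scrambled),
        "flagged": flagged,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run as a script it prints the summary as JSON; feeding it every row of the report instead of the sample gives the same split at scale. For this section the split is the useful result: junk-valued writes come only from Thorium.exe, so the Start Page change here is not a redirect to an attacker URL but an overwrite with unusable data, and the powershell.exe rows create store containers (Certificates, CRLs, CTLs) without setting any value, so whether a certificate was actually installed cannot be decided from this table; the Files and Processes sections have to answer that.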

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\CLSID = "ᄇ䶂䣢㸝ꃷꈻ攃턁䦑쏛仇谂☫\uf37a\u0ad9㨢\uf00e莎\uf087ယ쁃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\PersistentAddinsRegistered\ = "颮틟拁봝馵澯釪ҡ\uec43馆쬒綧욟ᯤ燓\ue80b远\uebdf㴚捿㧑ꯅ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\CortanaUI.AppXdqzy4rv7kwckn6efgetkddm1xrgzrswg.mca\Dis = "ퟙꂆ֫귈摴汲\uf156䬚缢饑\uece8\U000327e6䋔鄙忏뿆튗钿\ueb64" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\ = "驏併陎먬훇ᡨ갨竍鸐駌륄䴝겉碏Ꝟඝ⋇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "\U000a8b7d큖꽬䢞倚鼾⯉읖穢\U000c3f36鍮\ue658櫀\U00078d6b놐魪瞯褱" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1083666204-94104884-4233206613-1271453470-922726920-1064507403-787610193\Moniker = "爆〭맾ℷ艻曍鬷큁췘༑䴄뀿틘ᯧj⋭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx\Content Type = "ꬔ彃㽋缌繥겘\uefee\uf7e9ᇋ츿돌욪\U0005a29a\ue92b\U000b0bde萂" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "淟蟴栜\U0009f5e3ᕵ직魨紅塈此舧" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vtx\ = "풄恽ד\U000fd7ff\uef5b䪄嬗벚锂㮿ܜᐪ鑭䕻蛱뒺" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Behavior.Microsoft.DXTFilterBehavior\ = "\ue281荪鞠뿠ꢟ㉊岭繑ᯏ笞\u181fꕄ䁻낥蚂愆䪳ኺ\u2feb∜\uf8eb\ue5e4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0997898B-0713-11d2-A4AA-00C04F8EEB3E}\InProcServer32\ = "ಜ혈ㅚ퍍齩\ueb11걛ᝂ൳騂羽鬢ㄠꁖ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.PeopleExperienceHost_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPre = "㜘쇱铜ԭ馇ꒋ射菕\ued86搾忙" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\ = "䮟앓⒳컉\ue61e〻\uf631\u0ad3\ue6d8ﬣ᭫㭵엎ꜩ蜇" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\LaunchPermission = "䖫\uec9b甓ᚗ箚5㇇\u0eea鎬뱷ꪌ㙼\ue210둧榩" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.EnterpriseDataProtection\IconBackgroundColor = "\ue6b9╥작㻡\U000376e7큔풶↕挦ී⊭졠㼐篲竸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{06587E71-F043-403A-BF49-CB591BA6E103}\MinInputConnections = "\U0010e0ba㊊ࣖ娮嘨\u206f῞슌㬴﮹ﳤ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.EncodeDateArray.1\CLSID\ = "컣觙黤靇ᐻ荄㺸\u1cca瀪\ua95bꀡ諂㢼\uf1fc⻗" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationCompany = "㍋珃隵ㅿ\uf685ᤶ䁽⎏榤잢⨨탵笙\u0e62\ue4bb" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\Server\ = "↓\U00100705紭\u07b9珰D⒃⽸韄붗檓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal.Bac = "뀕\u0cd2볥ሞ\uedfc\u1759洀뱜㒿鬜똎侙茭ᕪᭌﬦ颕纍๐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "\ufff6\ue9b9\U000d41f7\U000724ca껈聑㗹ⷐ\U00094852\uf5acᖚ\ueb82삄\u10c8ʝ嫸檼" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1b7778f3-fe54-443c-8729-1e78b0715299}\ = "㥃楳䭈穂\u2e69掺볌ઞ릱딦\uec43센伭렾ᡄ䦂ꟗ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BrowserBroker.BrowserBroker.1\CLSID\ = "枮䟰@㭌\ue4d7\uf044\ueabfﱻ\ue9b8\uf124搖㝫⢱䠷쿚慼㛝䰐㡃\uf7ab" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020819-0000-0000-C000-000000000046}\InprocServer32\Assembly = "쭛蒊篭곳㏚鐢䖄杻闵鬮齇챻彤粗㈚絓₂墟计덅뀱崄Ή꧆" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "\ueffd㚒肩\uee63䏅픯砧𮉕\ue8fbꜾ➊䵨ㄬ\uf8f2瞃\uee96헌" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0b2feecb-1577-4fa6-9a29-bd9022ebcf90}\ = "\uf192\ue539\uf2b5֜䎓㹓䮵ꗍꈌ擼젖ᡸ⭠耗ረ祜쳊" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\.mts\ = "\ue193㈥\U0004a266漯렛요퀕厚鍼\uec1dᔭ\ue4cc봚考\ued99斢铤" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppX4jbzrhvphxte25e0gxha6bq555nrgqzy\Shell\open\ContractId = "⅚㤹뽮\U000ee42a\U0006e84eᕉﮀ❇㾉ᜳꤕࡣ哘䱳⺛⇦索硸皟\ue35d" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}\ = "⫃臒논▛☬噪檆\ue87b枞\ue577\ue9c2\uec41" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wtv = "훳턝\uec9e\ue1b4憓橝\u137f䅠语\ue08aヒૺ솵\U00087d2c㈰侥姯僎戠䋳°" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.System.NearShareExperienceReceive\IconUri = "㊪\U0008d3ecӢ趵\uea92踶蹥□쐯냱\ue394" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000304-0000-0000-C000-000000000046}\ = "\ued40兂\ueb76ಮ\uf78b漰掚㠁获镀좴䵎\ue2c2རᓫ嘢靼嗓ꡤ绞꘧ꇪ礸" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B3FFB92-0919-4934-9D5B-619C719D0202}\ = "腐꾸\U000f8f4cꩡ戨ꉲ뫱垞ᴎ䘯汥䥻ꆃ笩噓\ue362瀸⦦寈鶁\uea62硦" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CapturePicker_10.0.19580.1000_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppX3g7kd1zg4a65n0t2ds4j7hffbf62pp9n = "檎㮫毤恔舁嚌\U00035984\u0c8d屌\uf32b너" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{267DB0B3-55E3-4902-949B-DF8F5CEC0191}\ = "㨁뿌㚿⠢䂮\uf507\uec86ෝ䚖沁⚋峥쾬ꕗ䗨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command\ = "\ue8e4\u1cfc㢽䴘癆蒋ꗢᇴટ「ј벬\ue027툫\ue4ae\u1716䭸\uf71cŃ\u0e3c爸\uf7cf" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pwz\ = "慺賢\uf738瘯\U000fd86aᲪ肵堊ﴗต嘛\U000bcc7c䑄擹⪨" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15fc1bac-8d83-4e87-8cc2-a70c9f66f943}\InProcServer32\ = "悧瑲釱㠬敷鬱⸠碝螯耩轥" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B1599F9-E00A-4BBF-AD3E-B3F99FA87779}\InProcServer32\ = "䪌퍬禜姂癃ﵻ闘鈠䈯狸껉㾪\ue4b3㝖㐰⾔楔릵ၪ㔛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}\InProcServer32\ = "푽ᆭ庑┸턠鐼\uf38f騷䌖셑搇ଖ핫놬㗨栻諦绷ᰢ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4456C5C3-DC01-4FF3-AF4E-06F4EBCC3B09}\InProcServer32\ = "\u0c71錢䏒፵ⷿ◈❎䋫\u1759熝곳\ue2ac\uf4e2⑩\uf87c醾솯\ufae0ή較먦䕫\ue068" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ogx\Content Type = "Ꚕ줶従ጕꌮ◺䰨\uea3c嫭㹉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationName = "爩\ue60d䃲퀊ᘊ㪧⅖䬸玦䇇㰛\ued19⟞\ueebb疓䯞\ue412룣忀\u0acf\ue7e0륏쉸\uf0c4" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AccountsControl_10.0.22000.1_neutral__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPrefetcher.Internal.Con = "堌缳紨ᄃࠆ稇튚ᤈ꺸ᴚ羪" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EF76D68-8661-4843-8B8F-C37163D8C9CE}\ = "솛誨땹\ue78e훿\U000af889ꭧ㣧\uf7d3\uef62\uf1c4누钳鏚慢ݔ\U000c9f47獰趵䦛" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4564b25e-30cd-4787-82ba-39e73a750b14}\ShellFolder\RestrictedAttributes = "嘻簓ō\ue6d4菿뿈빜⇅ᾏ輾痨\U0010f358⡘䔱沬Ų⮔顁㎜㎚觕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{362cc086-4d81-4824-bbb5-666d34b3197d}\AppIDFlags = "\uf2f3쁲⤸ꣀ홄杯兞\U0003f4c8袅渧嫫煱漫瘹Ֆ휘ᔓ똪\U00071e42ܜ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837532-098B-11D8-9414-505054503030}\AppID = "ᄂ럙ᣍ䑤뮏왓⸳ࠁ㸢晥ᙏ搑" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.22000.71_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXgxgm8gs8b9vsjsd9gvhmn = "\uf11d䏯ꎿ뿇꺹\u2fea탧⸐黁\U000b22e3䁬稓ꕃ䐆吝" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\VersionIndependentProgID\ = "ꈜ\ue260\U0004ba99笯ǟ蘧\U0008f630謥딏\u3097샰롶뿈뫏果弨䚫孕╀蔅" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CERFile\shell\open\command\ = "哀ᮔꊔ쵖션⼑㥛떟훃\uf2e5特镃" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837521-098B-11D8-9414-505054503030}\LocalServer32\ = "ꮏ\ue130ꓨ倊髡軇擤\U0007d84d샮ꃏ嵍뀈\ue447\ue0ac⎣嬑̭" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfe = "땣ಘ\U000abe3c羪뫴塀剃뱀\ue126㵕⨽ᅂ\uf7d2皺䵑\uf091\uf08a웍އိ꽩ꘀᆧ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BA783C1-2A30-4ad3-B928-A9A46C604C28}\InProcServer32\ThreadingModel = "隵꠆꠰烖꯹焁\uee05襨鞲泣笲ꧼ\U00082036ᢖᖶ邅嵝鬛⨪\u0efbꉿ\ue298見" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\ActivatableClassId\App.AppX46rqe0eha6ypqrxvfyqqtwydysxtw8tt.mca\CustomProperties\C = "瓤⥓ἧ鸕詒嬅\u0984仦\ue539쎟ᦪꙊ穡ほ\u0e61쨲哴臹禸ꉽᕰᅝ鯐" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal. = "䷳ꭊꦴ슲\ue33e溣㧌죞᫈ᐴ靚鑢\ue0cb" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A614B00-FB18-46F3-950E-682A46A48B9F}\InProcServer32\ThreadingModel = "☧テ七å笅⼯追៘ᔈ쓿凗㕆鷲짿媜\ue3dc襘ᐳ涋틺涷䉕" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\3\Position = "栎㾶\U001074fc卒\uf508ᆽ熿뿺魖飘\uf791" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXpwc46qrmp0f8q5ysxk6ngj8d32yk22kz\Shell\open\PackageId = "듬㮓靛䓎়禊㢜㉠\uf740\uf045ꤾ몎禞霁䆫퉩苌蒏\U0005afa4\u0e7b킗\ue0a1" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20E6D937-F6A7-4C7F-8E69-7E0AF81795FB}\ = "줻䶷諗ู钙䳇닯ⷔꋯ螏\ue864䄕\ue533鬙鶰뺦嚀㉈⠹ᛏᯭᴻ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\microsoft.windows.immersivecontrolpanel = "㾜ࡪ袢谧\uebf1蹖\U000b4084\u0b00ࠐ" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "ᑐ匴즯㵟鵲淕ꉾ켥欒檖\ue2a0筹ப◓" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08d5bfbf-fbca-4322-9f70-ca9f66f8ed6a}\InProcServer32\ = "\U000f5fa9뙉ᘎꮎ轍핈茋ꉐ㞸땡뜌썂麅䨖藓㎭抣伦㭼伉" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "篵칝\u2fe5礬\uee81볢ᆲ觥䑏槞悊曱\ue67b߫ꤜ쓗춞" C:\Users\Admin\AppData\Local\Temp\Thorium.exe N/A

The value data in these rows is not extraction damage: the sample overwrites existing registry values with random-looking data. The targets shown are the default values of COM registrations (CLSID InProcServer32, LocalServer32, AppID and VersionIndependentProgID entries under both the native and WOW6432Node hives), file-type handlers (.pwz, .ogx, CERFile\shell\open\command, the wmplayer.exe SupportedTypes list) and per-user AppX background-task contract entries. A CLSID whose InProcServer32 default no longer names a DLL cannot be activated, and a shell\open\command that is not a command line breaks the file association, so in the rows shown here the effect is destructive rather than a redirect to a sample-controlled path. This is the activity behind the "Modifies registry class" and "Modifies system executable filetype association" signatures in the summary, and it is one reason the report scores the sample as ransomware: a machine in this state needs a registry restore, not just file recovery.

Suspicious behavior: EnumeratesProcesses

The 64 rows of this table carry no description, indicator or target, so they are collapsed by process. In the original order, four Thorium.exe events come first, then each launch cycle contributes four powershell.exe events followed by two Thorium.exe events.

Events Process
24 C:\Users\Admin\AppData\Local\Temp\Thorium.exe
40 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

The powershell.exe rows are explained by the command lines in the Processes section: Get-Process enumerates processes by design. The Thorium.exe rows are the sample's own enumeration, performed around every cmd.exe launch.

Suspicious use of AdjustPrivilegeToken

Collapsed from 64 rows; the Indicator and Target columns are N/A throughout.

Description Events Process
Token: SeTcbPrivilege 2 C:\Users\Admin\AppData\Local\Temp\Thorium.exe
Token: SeDebugPrivilege 1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe
Token: SeImpersonatePrivilege 1 C:\Users\Admin\AppData\Local\Temp\Thorium.exe
Token: SeDebugPrivilege 60 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Two caveats for triage. First, powershell.exe enabling SeDebugPrivilege is routine for PowerShell sessions, including ones that only run Get-Process, and is not a finding on its own; the 60-row count simply tracks the number of powershell.exe launches. Second, AdjustTokenPrivileges can only enable privileges the token already holds and the report records the attempt, not the outcome: an administrator token holds SeDebugPrivilege and SeImpersonatePrivilege (disabled until enabled), so those requests by Thorium.exe would succeed if the sample runs with a full administrator token, whereas SeTcbPrivilege (act as part of the operating system) is not assigned to administrators by default, so the two SeTcbPrivilege requests most likely failed. The rows that matter are the four made by Thorium.exe itself.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of WriteProcessMemory

Every launch appears three times in the original table. A few writes into a newly created child are the ordinary CreateProcess pattern, in which the parent fills in the child's process parameters before its first thread runs, so on their own these rows are not evidence of injection. Collapsed to one row per (parent PID, child PID), in the original order:

Description Indicator Process Target
PID 744 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5636 wrote to memory of 1196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 6072 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 6072 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 5824 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5824 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3520 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 5144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 5920 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5920 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 5928 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 5928 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 744 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\Thorium.exe C:\Windows\SysWOW64\cmd.exe
PID 3164 wrote to memory of 3840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

The original table stops at 64 rows, the same cap as the two tables above, so only the first eleven cmd.exe launches are listed (the final row, 3164 to 3840, appears once instead of three times because the cap cut it off); the Processes section lists many more. The pattern is uniform: a single Thorium.exe instance, PID 744, spawns cmd.exe, and each cmd.exe spawns exactly one powershell.exe. PID 3516, the process the sample keeps querying, is not in this table.
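As an added example (not part of the sandbox report), the following Python script turns rows in the format of the WriteProcessMemory table above into a parent/child tree, collapsing the repeated rows, and then models how cmd.exe splits the /c command line recorded in the Processes section below. The rows and the cmd.exe command line embedded in it are copied from this report; the pipeline splitter is a simplified model of cmd.exe (it honours double quotes and caret escapes but does not model the &, && and || separators), and it shows why every powershell.exe child in this report receives only "Get-Process -Id 3516".

```python
"""Rebuild the Thorium.exe -> cmd.exe -> powershell.exe chain from flattened
sandbox 'wrote to memory of' rows, and model what cmd.exe hands to each child."""
import re

# Constructed subset of rows copied from the WriteProcessMemory table; the report
# lists each launch three times, once per write into the freshly created child.
WPM_ROWS = [
    "PID 744 wrote to memory of 5636 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Thorium.exe C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 744 wrote to memory of 5636 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Thorium.exe C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 744 wrote to memory of 5636 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Thorium.exe C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 5636 wrote to memory of 1196 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
    "PID 744 wrote to memory of 6072 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\Thorium.exe C:\\Windows\\SysWOW64\\cmd.exe",
    "PID 6072 wrote to memory of 3652 N/A C:\\Windows\\SysWOW64\\cmd.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
]
# The cmd.exe command line from the Processes section of the report.
CMD_LINE = "C:\\Windows\\system32\\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path"

# "PID <p> wrote to memory of <c> N/A <parent image> <child image>". The child image
# is anchored on a drive letter so a parent path containing spaces still parses.
_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_wpm_rows(rows):
    """Map (parent_pid, child_pid) -> (parent_image, child_image); repeats collapse."""
    edges = {}
    for row in rows:
        m = _ROW.match(row.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return edges


def process_tree(edges):
    """Return (roots, children, images): children[pid] is a list of (child_pid, image)
    and roots are pids that write into others but were never written into."""
    children, images = {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children.setdefault(ppid, []).append((cpid, cimg))
        images[ppid] = pimg
        images[cpid] = cimg
    written_into = {cpid for _, cpid in edges}
    roots = [pid for pid in children if pid not in written_into]
    return roots, children, images


def render_tree(edges):
    """Indented text rendering of the tree, one process per line."""
    roots, children, images = process_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (PID {pid})")
        for cpid, _ in children.get(pid, []):
            walk(cpid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def split_cmd_pipeline(text):
    """Simplified model of cmd.exe splitting a command at '|': only an unquoted,
    unescaped '|' separates stages; '"' toggles quoting; '^' escapes the next
    character. The '&', '&&' and '||' separators are not modelled (assumption)."""
    stages, current, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "^" and not quoted and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "|" and not quoted:
            stages.append("".join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    stages.append("".join(current).strip())
    return stages


def child_stages(cmd_line):
    """The commands cmd.exe actually launches for a 'cmd.exe /c ...' command line."""
    m = re.search(r"\s/c\s+(.*)$", cmd_line, re.IGNORECASE)
    return split_cmd_pipeline(m.group(1)) if m else []


if __name__ == "__main__":
    print(render_tree(parse_wpm_rows(WPM_ROWS)))
    for stage in child_stages(CMD_LINE):
        print("cmd.exe runs:", stage)
```

The first stage returned for CMD_LINE is exactly the powershell.exe command line the report records; the second stage, "Select-Object -ExpandProperty Path", is something cmd.exe tries to run as its own command and cannot find. Quoting the whole pipeline (for example powershell.exe -Command "Get-Process -Id 3516 | Select-Object -ExpandProperty Path") keeps it as a single stage, which is what the sample's author evidently intended.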

Processes

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

C:\Users\Admin\AppData\Local\Temp\Thorium.exe

The rest of the process list is the same cmd.exe / powershell.exe pair repeated; 41 repetitions are collapsed here and the remaining entries follow. Each pair is launched by Thorium.exe (PID 744 in the WriteProcessMemory table) and looks like this:

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

Two details of these command lines matter for triage. The sample asks for C:\Windows\system32\cmd.exe, but the process that runs is C:\Windows\SysWOW64\cmd.exe: Thorium.exe is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64, which is also why the 32-bit powershell.exe is used. And the pipe in the /c argument is parsed by cmd.exe, not by PowerShell: cmd.exe starts powershell.exe with only "Get-Process -Id 3516" (exactly the child command line recorded above) and tries to run "Select-Object -ExpandProperty Path" as a second command, which does not exist outside PowerShell. The sample therefore never gets the bare image path it asked for; a working form would quote the whole pipeline, for example powershell.exe -Command "Get-Process -Id 3516 | Select-Object -ExpandProperty Path". The repetition, dozens of times within the detonation window, is consistent with the sample retrying after each failure. PID 3516 is not the parent Thorium.exe (PID 744), and the report does not identify which process it is.

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Process -Id 3516

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ਍$

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 燸ᯌؐヱ⋆蔬㉌饵䟑䁠턏錇₭療瞞䔤줚ᙕ剫௓᭎倅맪

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ᳎넺ᖡ㣖ꞻ妝㏥ࣺ留狮鵟泹㯼೽험僾ꓕ븯㳱୥骽

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c בֿ䨉芩蒊閥┡㝉靓۬

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ⼬㪕䢙륝蕉硫ᶄ뻚ﶻ䷫⎍땅枉ᭇ䄈ꢜ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 픅ﴀ东桟㣃遾ꤊ謫

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 744 -ip 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 888

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UnlockDeny.pot"

Network

Country Destination Domain Proto
GB 92.123.128.150:443 tcp
N/A 224.0.0.251:5353 udp

Files

memory/1196-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

memory/1196-1-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

memory/1196-2-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/1196-3-0x0000000005600000-0x0000000005C2A000-memory.dmp

memory/1196-4-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/1196-5-0x0000000005320000-0x0000000005342000-memory.dmp

memory/1196-6-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/1196-7-0x0000000005CA0000-0x0000000005D06000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_dudpna3z.b5m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1196-16-0x0000000005D10000-0x0000000006067000-memory.dmp

memory/1196-17-0x00000000062C0000-0x00000000062DE000-memory.dmp

memory/1196-18-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/1196-19-0x00000000072C0000-0x0000000007356000-memory.dmp

memory/1196-20-0x00000000067D0000-0x00000000067EA000-memory.dmp

memory/1196-21-0x0000000006820000-0x0000000006842000-memory.dmp

memory/1196-22-0x0000000007910000-0x0000000007EB6000-memory.dmp

memory/1196-25-0x0000000074B50000-0x0000000075301000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 e080d58e6387c9fd87434a502e1a902e
SHA1 ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
SHA256 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
SHA512 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

memory/3652-27-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/3652-28-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/3652-29-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/3652-30-0x0000000006400000-0x0000000006757000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b69c4a4d420bbbff67b0252630a6956f
SHA1 b8e8104c2febc63f48f3a926d84678550ae78ca6
SHA256 3685d92aa52510c2f0ceb9e35e0b7a09eb0fbdeca8cd27be2505fd97563c71f8
SHA512 fe0543afc67575e967b8a1e08aa08a35cb047643c33f0235b35d6437d421cff720a4dc5c823bb925f57570a28aa21b14ebb8d5c19afb7778d99c77fc86147f4f

memory/3652-41-0x0000000074B50000-0x0000000075301000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f141ff57d143b277c6e349fa78b2f3db
SHA1 e1f59889af67bb03e5e71b14bf70f1f6655f077a
SHA256 01362a756f18385acdb24a658704dc32b4feaff8fbdb26c52d874d4eba383c9b
SHA512 71af0e02879a6edbf8d4e1eb9e51cb161e85b227d275c4dfc76aa41cdf9dd156e47187b75f96ccd368ca6258a9734839c2cd23e92da073a0621f8be1a521c72f

memory/2100-60-0x0000000005F30000-0x0000000006287000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a05f3d358baeb6bd325571316c1b00fc
SHA1 a9ee9123d79d0c59660125a8edbee739b4e819eb
SHA256 670006f57d57284970df1e94ef83d75f2c1bd266e4aead949fddc443bc1b03f6
SHA512 ac3492e972229f0f5cf009281fcc5ae0e84a8e87aad29b8d74c5d381b7de2b8672e3089a84ecb358bda7f687a12910b5a3531806e1bc448355a79006536edaac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f2228b433bbfc1ac315aa60448847302
SHA1 8a220dc5c237e65a5dbd42751f3b6d001802f8aa
SHA256 b4658cd6e9db33d4c086bc1a2a79f436875501ed927d6a4b6ee8e90a7b6b7927
SHA512 3bdb5261f1c9fc8b2799e945b65d2200c268301ca59e508c232f8145e8d0d936fdf84176f8905ccaa49b39bcb0170727f35afd003052065f3fb808606b9e83ad

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b28fecf6addb7ed4a630ce079d8dc40a
SHA1 eac82b00d590dc8ee1ca0c6fe205f9a79caaa038
SHA256 2997fb4e7d73da444bb9dc67c460c8554aba1d00972541794342ba8a664f610d
SHA512 dca751666f47dc367fe18e96e19f90fc409cbd013e5fc33d445daf012813cef072e503468ae3438c98ba6c4b40fbbd2d09b884cb73aa30547000292b1eab5ae5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f0ec688427aff2b6ff46bdfefc0b2e7
SHA1 7d11266c6dba976bbeaafa43acbfb7876bddaa22
SHA256 ebbab8fa8ca39b13269f2061f37d73ca6c88a93a06e29f58b87635fadd3b1590
SHA512 cfe3e059110906ed07c78289ebd36800e3da8ef059c738a3cb9eac09c1ca46a8026edee1c152be5d246f42b3089dce422dd958b45f808b3ce3993e76a3e3aba6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a6370ed9ad234bbcc75d623067d8a36
SHA1 7ac1092cfc1fd21bb7c64b39e95591991961ae5d
SHA256 2cd613b6f1fb577a5715600fb7d3a7f94ebc9592b07ae0c098f0292deb967fb8
SHA512 01f5dc712a4aae19a91aa11ac11e77b9a2ceb43bd4c7a6c2ce6b30eb2f26e7b1aa1e8ff78ce6e47f0e507fcbe964d4f5e35cb096e0552c9d973856a3269b8a05

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 56e693d1c637a073283ba4b66d7ee3a2
SHA1 5e94d586c7fbc49dc5868a5f5945e0d7fd7a1648
SHA256 e3fa8a92ccf173cda53d8f61e7404dcdafe2136e83ec8ec1eba927fb72c4dd73
SHA512 cfe3d1eb8ba3909f2fab0cb9375509790498c26143c3f6e3a010062856be0c4246ff3cdbe4edf694a927badf56187c8338318aab2491f02d2fce033bd5e1468c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 81b38baaf135b8424441ac76b7f19d7b
SHA1 a117fac7d7787c0bfce3c219c98c81e89619c6a2
SHA256 ae7f3a05b4b1deac8d7eae7587105ad8be9b7e619c59c1559bae6a0498e88798
SHA512 8f9383bc877f5aa26aa37c221cdf6dc5ac74fcb85413e19eb3ed6046e993b45cd3c4f00b8640db0d612682a286e5151cf8f9aae68f2e558e9c47d48e0646827e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ea976a540393399ca4e9a8a368af019
SHA1 f4538873b03d9ca6a6bca24b5222b4049ee95bdd
SHA256 4fcfecea38d68038d5a122545159480ab2fd639af786bf4e60640d36e8fe83c5
SHA512 d530790fc60427dacd4f10f0b8172dd66253d7075b4463711f375221a1b5ffab2a34b21a7200ca211c9a62bef09a015b05a30832a5ef6c6806ca8ac0bc71fcce

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5d5f6f4934760dd2e1282d166e45ac0
SHA1 71d5debc4c036fcf54f5aae2bb62b6dd2fd41cb6
SHA256 936fcb6ce398b005b9a3c5047e7643215800f6e9244c31ecce9e47a2a0ea1067
SHA512 29e1664f2625672a964990e8c080b5484195a8bafda438c97081da6f9cb3d454a3d18aec26e69f4b21000105de62c41d428d4cda2fe2d9dad13d0429a72ce2eb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 141d06dc422c12435a4c0291c3bc637b
SHA1 322c89e59b8dbfa3486a39a03fe3f3b5421619cb
SHA256 c5070cf65d71d0e93934b0b65660dc957ac051f195de782e386dd6d232a81830
SHA512 041f6a0506dd2cecc94756ec450a43d10da4e9ea725587aed0afe9acd0d2181c9e46e754b1230f5670beee1b3ffdbaf0384ab6f07b7561edcab42c3595b4cf37

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c723819743dccf3d7c5f406b24b64511
SHA1 3ef92efac549a3a1607c26cc51e5cf1f559272ed
SHA256 d310ebff3a65dcfac4978d403d0627de379a90ae6a1dea8a50e7ef74c174d22d
SHA512 d33dc1d92f65894962708efcdc0b9e66916e4cedbb9477286624c1aa00a77a1df66202252d9ac6c3454fd0a3320af0b2f2432eed2ac6905ef83bdef2f5193008

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d4cac4c47fd5355ae356d48ab13b5463
SHA1 be75f80672e76cd63b9dac1981a7d18b5435446c
SHA256 0b5c567bcca2c68e1c8f842afb5a13b1b46e1edb154a29f1de1d41492fed1ef7
SHA512 5c04a6af61fdee12a252bb631ad52cc8c102531cd427f5a7382c6bb422e90741b8f10a19ecf61f0b0fbcb408c7e891d5a464d09630dd3447dc6b273cf1ebef45

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fe941a7c748a56bcdcbb194b188f7a1
SHA1 632ea42ed2eb2534170365ff96c527ac68ebe4f2
SHA256 7e8352d5487c43a8f2994f9f46fb2ad48d469c5e7fc698423901c1e451732047
SHA512 f62528741327beda0310849dae2912519a4825169bb3cf646518199c58ff42f76cf0c081f35dee4dcd2155244f5be19342e8d8e9793ae5e79a05e937a307afda

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e0bb7f8662a7cb88a3988ec6a414d816
SHA1 0db805b67154a632737d9ee61d936495fc5613ab
SHA256 bd1b34802c1cc03d736577b5aadc5cf752a9ddce585a2cc988e3056114fed1c9
SHA512 a35241ce1bb0c58c6b8f364e6fd589649fb47f58ad051c1b45593ef844043e392984342db3756edb1fa75460102ecb8fad464218dd1e29039602f62f2cf93297

memory/2652-198-0x0000000005FA0000-0x00000000062F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73dbafed94e570fae6bd84730398f1ed
SHA1 dfc98ef52d077eef880887f896aadc8e61bae235
SHA256 a9a8b94445bedfbde8d671a9f4aa063c3b7929b69a38c8409a7586458ffc6504
SHA512 27651a79529f544f0b591a2ad7d8b29a67d3214bcc47dc94532bc1ce2e0a598c641212834ed73ea42a2789a2b352b78336abc2ddb14310972df2e15fff0f9a85

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c00423ee67fcd19de052f56fd09ab4ac
SHA1 082583a0d634e18e8bf188968de799e84e64cdd7
SHA256 e198bf82fa002454cc929cf89096c42427b315081f6215d2e1474451b82fc4c1
SHA512 d06f78c57109c8fdfa8465bf5fbe8ad9d42bbde0b2c2094afb754b77d2bfeb196933171cd73872df18cb1e1a3cb3afbf08b61fe716dfaa798f16c294e541b32d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5f0638370ad5544a8800afbbe4fa8f1
SHA1 dd6f683b3c51cb012769cc5b55ee142bdf8afbe0
SHA256 58138274c51635675a9819844c62733226181e544f74740958f515bb1c79f6b5
SHA512 c11e6870734ca94d6df3d3bfaf7a1ffc7d63c784692fa8455fc951e5a1e512b54fb816259612f4a69f3b9c2bf1b1e31a1eb29aaad9ca7565d78b47ce71abf0b6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22012c8e1d894510f79ffef652bc1733
SHA1 7d30a59413eeda9f6b86915e4a2fbe3b5e68a8b5
SHA256 6d5b967590d24803dc7bc4c040699d26837a2107131a011c7d5362ae0e4f140f
SHA512 a30d4f6ac186109acf2239aa358a8f3a3daa426e9a4a69e0399f56dd4a423f1d309eab23c8f66cc337f8592ee855931a467b625b016a2eae52d47ad3a1444226

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e2f7afef09b9384d9e9b27fdbaf35ff
SHA1 baa75df90ba2a1fb2a1ed14264aed971fd532151
SHA256 8256e75bfc37294a8ed8379bc6f333be14b947e84437a0f15b35f34a5fe51461
SHA512 23bc33b9eab89f91bff75b6277b9c122cd98fa8eabe907c62db9e323c9324a505335b8d3a5214b32c93c2e399da67ab9233caabf293a27385d32b83d1c23389d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4f3a176be1b592c128eb2f1d3f8c9f43
SHA1 b458ec990a1c35514437e78f9ed49544f171d913
SHA256 155f474164e041235933205211482c59c6ea8ae5264568f6ac9368f02c770f28
SHA512 399b640793d8dccb8c55280d6a2c95614c5ee61bdcf111bd29cef8b4000833681077704915b5b9faa8adf12b7e258a6df6e5db356b132f12ecfabf0786cf0615

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8f3de175a38450e013f17a0a5d7c0422
SHA1 295620796ad8d5d6f94c2958e09522d685384f97
SHA256 4b1837ee4d341a1d86f56c5591838647dbd43191e75b8025b56a13c4c6596e49
SHA512 b67183225ef5390f56c045f101e2fc54216168e442cd679336b0367ab55fe1505e2d485ce0cc5b396c920dba17375a9d86217a85855f7b3eef314c554ef953da

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8fd705b5c6a21854feaba88c2925f3b9
SHA1 5058ca5fcd9a6413cf8d6c554498a94fd567b724
SHA256 9ba395b6d05e1306cc15d05acc15d295ab2a23204d59f409e4b9ba5f0994a347
SHA512 80d14aa1e1227379b1805e9b27971e920d05e5a3a8ea58fc22541fa2d73c8aa565b7d213ad85d8eef7fb8b5b39fcef521d5459e6575284ef8361ec00c665676c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fe7ec7fca8f1d8559155e602bfa39663
SHA1 fa68447eda37f2d9b5450c9b6b9f96cb7efbc671
SHA256 1f5b5a796d4f222bc4ca5d65ddf94792b0ee5ac6eb2e9ba2f26b08968eaa92aa
SHA512 8c2faa176a0c80da24b1bd6124744837fcdbdf1b4b5c900fd97f3b8e82d774154a1731e66054d097cefc7fe9141bcbaedaad0153f8dd08f36ab0a5050c90e817

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2390f1fc9b36b94c66342a89ea115328
SHA1 e8d14ed5db93434f41e9e94f18008ea1a3d6acf2
SHA256 1471403a32b49466e63c1dd65c5c40d2b9fb110d38458d259bf9ee7b8dcccd0b
SHA512 5d08dbfe9c5ce63dd3a84f9d6e251f158b03211157a90d76ad3992743fae5f601e489e4909c3a6f0bfb7398b219f4ad678fdd4ede80dffdc7f63a542e820b4c3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 29a047c1cd7685a658c33ceff2c4725d
SHA1 16310a9fb3defa8c263940ce4921d92e9c56ac45
SHA256 53187e713a19ab51e529d6963939970774284a76b4b882f316c1005f1eba385d
SHA512 bd659e92d85bbb270d1a6772e984de735e0ab9cd96caf0d2f387c22c7adaace2667aa8edf5125d3c3cc2900ffea536db32de50ed2c59f7ff5ef7408a2a7cc94b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aea07e71a659006b0c5471affe365e84
SHA1 f429b326b08e582c5a2d2d15d50ab732a5272358
SHA256 b7feb4c2fafe86f14e7a09a7f46065aca051011fefae72f5b4935b9491643752
SHA512 1917fc1f9213cd8c881e4c0c82f893df5de6c47ab50cc39909a7cf6dbba1df1632250e827423ce861b3b7e9f29de53b70262f65b10a7160b43da13c5e9a0cff0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d1a0c624ef249bbd9ffe67edb9667080
SHA1 d2cc9d8b310530b1ade6d70030da5f895d97618c
SHA256 74b6402bd6bbcab62b07e8f7cb715d2abbd3446914107ab918c23512122aa5c8
SHA512 963586c34accfcfb5aae05d00ceba48387670da08f3cc24e885a747a761bb09a03f49a03bc1ec56db72ee0511e14a1315d3971c223b004585341ddfb59868371

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8c1ea37922e2ed4a66fd7ef1c8e1aee5
SHA1 a3aee87d488f9980b103e6b8dfc563de9d6ad45c
SHA256 a2bcef1bf06836a2beec9c9475759d79fcfc8416f78cec6988fe4908d818ecf5
SHA512 2dba370608edbd9acdeff7bfd375e49e017f24b16eec5fd8bebd0c859d66161395a8e26aa3f302c8e5e865aab7a8ab259df80b3833b763d48ae47f052d348244

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 992f08163c39a0c62580334a3bfca69f
SHA1 80101ef22d4930e3c4c9ad69e59baa85d9d8d3e2
SHA256 7f14f6e4372aa739121f5666ccf5ac8e71c181d067a883bc5ffe7c89ca0c522a
SHA512 1fc532ddc944f88d99cb6035c25f77c43e92eb15dd6405cd94b2733f96b6f544d1b02a164037d93a5c1b7b448b3db88ad4b6c932312a4764c9a7a4b60dc0bee5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d265e34c94e4210a539707ffce62b87d
SHA1 5006489d4f66aa1cd40db7cc84c808c69cd874c5
SHA256 dc27960e7ebaca6a6b317e56165ac36e4b0baa11c9108b2f612e1b6e854f4395
SHA512 3a087356a1f2d06c107a08a328b09c5e81a010c530b15ec4ec761827d409e4b499ffd9a422f4526b30dd5b5ea3ead0974f26bcaf16637c6f5712c81a5671224f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28fbc89aefc726a9e32dd116e6aa7363
SHA1 0a8b63f5dd818c12292d7aa0816e557e46b9ce7d
SHA256 30bf98b5b7e672c313d832b63779ba06a31c7673687c3e5764f06d52aa5db4f2
SHA512 cad70a4569b8e29d7c9efb5e6380015eeb66a79012242628717a8cb403aed41aee18aa86b74456a41c27d97e100b8b58e321c9eb45c3a8ca4ac0e52fbcacd304

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd054f7cc7cba1b01e7f22731ebfa6d3
SHA1 7d3e73af9c7c1cdaecefc618c5a0f62821f39558
SHA256 1015b85e3663b167115509b60874b53c26b15eef6d289472e13004e42245af85
SHA512 5896df3c47c56b756a6e26f24f23e9cd7a7fd30a895def7d7b05ced36aa34d466112665d2e33988b5455aedc32d1f86782dcb107978ab48ee34116a8c8b087b4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1c5f2c4a98999351187bb0dc2960adff
SHA1 84f320aaff7d24221e0986e99d15b271f4048563
SHA256 880a3a0166770f5624343a5981ee6e9b4a578956a55d21d50702c05fbce69e65
SHA512 61c7ffa38d5353c7681bc1a056941eeb1c4236616e25dfa5a603ce34f953d20918a174b1cc4e8ed87dc6e0a0ad3f75db55a61f62d3eb37e552e6d50339d408d4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73d7c8736382c628fc9d896de64567c6
SHA1 4f4911d3afe5e9824783dd248249739408387ee6
SHA256 d865161de22999e1e5e25ce0506a9511e44c2461eed361c61b20755e64cad37d
SHA512 293f14d268ed57dc594452631216f9c15d2c890c8246a42a314b56a043350a19c8c084c98b703d4b8495d3bfd6ccda9534ae68c4edd7dac3975ab844d6d44c1a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d1bd5a03cc28f3fd5356163525ceea3
SHA1 12a4e6705ffac0721b562ae3104aff33e59c479d
SHA256 eeb11ad30d54266aeb82d23e67ae0dcad7af0132457f5bb3730afc2516101ef3
SHA512 b902a0dc87d05eb97d7a81f4df0a025fcc55700fb3404534c2d98798aa091ec1017fe2a268a43bab1056c9b979928f88ead1d0d1c7e5852b29baa3d3a0551dd2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae025fb8d42897493a10d3735a0b65c9
SHA1 c84254401de091e731dc3e480d9e93e5feccdab2
SHA256 510bc6d8ac78a8eefbf0ec2a9c754dacf8ceff534b1f3fbae9b48ade419a35a1
SHA512 08d6185bdbe3b01f3f17ee3fdedc35cbdc3264629044275aeac644a1bd5e60a4ee7e83d758fe3bf42732b3e5d49ea6ede96bdb4e367646bcc9376178e285381b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d50c2d969ffbb94d48026eb2186604e0
SHA1 fdf0c570a8043a87a658ded8b0909429baa38402
SHA256 f1341151b51fd4df27e2a12ebfe7d2f5b4d03673a7bb2b31ea0aabfd13c308b0
SHA512 b9c3505813b58750f028addfe9bd7b9ff3da9a13e027f81db48523b748c45157d925d40e5bfe2a8b13facd422fb8fa145657508361f509a2363fbdc729c0add3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 32cde18079a05b0fb32014293834299a
SHA1 f39ce74de0f894ad9a906ccf39dac65118260b84
SHA256 d310a7528b79628f5bcdadbebfd1dca527d972322c28f6a2da38d0cde7575453
SHA512 6ed15658e32b61af52e69825e5967322bd8e0c62bfd7852cea1a98fcb629eaa974d58ddfa2a4703300feba50a6e000799d0caa82378a3584a3d1105f620d9895

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a50eda2028ac1d3fc35a12354dd75032
SHA1 9e7277958aba7fb13cd3530876991ad15d686670
SHA256 a871fc0cb68f4d2a43c553a3d14c5f815d6c34b39ecbe314eee5bca86b64c3e0
SHA512 aca19ab016660395b100aa7dac8501b6ae82980d374bef85c9eed67601dc42d7ed1a2dc2f19c36bff2f861447742de96755aef6cdb47667dacc94a09267089f3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e51411a93c35c4e08ff4b6a684241afc
SHA1 04ecf36008caf028940cab9cfbff5a01b89bb406
SHA256 f123cc9a3e5c4f5f66b8d655b85441f70aa26c6b0c4993b619a274a702bc7749
SHA512 51ebe9e1eba7f7c8a1db502508367f746c748b24c271ac80ca62751f38c0069cdddb930c2463196e860ec9c810d6c869f5fb63233e51e32887fa7745e7952ff1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b675fcdfa0752b1067ab43d7657c4ae
SHA1 1d587f337fb73277c1a83815074e197fd0f48b06
SHA256 b6fa1a9537b1c5dab324f1e8b33a53612554fee1db82912be2c91f84c53def81
SHA512 d05a87bfbacd06a47987273e7af9afda5080b6e47cce72305e3aba2fd6a192b48190044f8800c0fc1bbe2c192b09bfc7711d467d75993549b317c04c78fb6382

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 09eae4ea65f3c962e46f428ca7bcf95e
SHA1 8054e233e9d73bc8a53746fb6f048ec9639431c0
SHA256 994fe15cda38550370b4b458f15c5bf86c4c4f74b907bca3d37b16b81c1a582f
SHA512 5889013392fc9c5ca396fffc309a59159d427faab240281edfc8705006a9fbbd7072620d637d18bc44b41daa60b765edacd4f330c5f0196a2fdeabcd8d9cef08

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 869a8b2be83749865ffbc6312cc6b025
SHA1 9ad7862f4b645c69eecae4c447a5a1cebb9930ac
SHA256 aa6c500078b6b3908c691e6c09639e8f1a49898725fe183a0d69f1f715ded56d
SHA512 20e9c590f6cf507d1ca82d64c7efe51be3f3bed1383496b380220fb1a89f9d6e123a9b164b7de9505a4b5965efdf3d1183e8948ff0ff3ee68aa6aeb9b37bec3e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6ccdd9ed6d1f2c626baa0e4e6aa2ec22
SHA1 56de476e750aeae616d9f6a3f1f7bfc39e4e4982
SHA256 2e05fd6136b4310d620265f374f271ca42b7bb5faedb5e438d638b02470a3a69
SHA512 d84688d49b08f51724cfe4b0de16c20a4048aa710e8f37b0b5465d3d9d3025a86a7a1d8dfe289a6bd3a09c21bc5c3d7ed50adcfb120af7107e80029c19f42531

memory/5916-502-0x0000000005960000-0x0000000005CB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 925a30664e1875bd2cb7d0202f1ff574
SHA1 85af7651bb1f1e63718d7c069f20d6af8efab0aa
SHA256 5598f48490a8a89d231f6e96a702431becdf2ae34de37c2471a8e784d26f465d
SHA512 195f90f6e51c91be420d3476b203959d52942b45e82fcfe8015cf45e471e6ee942a29268e4b2f460a626a45277b9049efa0aac1fdd28cc5117458b714b6296d0

memory/2616-513-0x00000000058B0000-0x0000000005C07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ccb89f5652631dc89129416dd9c1f86
SHA1 9962a840d86abf0dbaf9723e1006e1a959621ac9
SHA256 0792be9dd6f84f6cc152bd031b91de6b8b9c1f3ceac4db918013b1431ec5d2bf
SHA512 459f74638c9d94f27e8ec3e15f264838fff113ddf4fd9fa6852cb949f25635bbbd561f54151430e2e3928df7af30d76108abcb834ace9af3a14f8b877b69c406

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c0144b495598470b7c4456364bc5b26f
SHA1 736429b737ec1dcb8ee2d4499d539390dc668906
SHA256 f7d62f7bca77d0c5d1d395c76ac95d8dba80773293f575667171b291cf820e8b
SHA512 589d68c4c2b79976d7668d943d5ded71a25a71f11590e9b55f0236599daaa2048b2e58bf0eee7ce3ab13f16ff05f6406f563a74f68b108a04c69fd448ddcaa5e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c8e3dedc15a6ecae99b98a329a925ea
SHA1 73fa580d0f25fbb4515ef631f42a317d63dd1e1d
SHA256 682128af8fcfa1fc3b0dc16c0c01f1c198efd261162813a432edfa441b8300bb
SHA512 d911274952640feb95e85fce3dcc84d5367b35d35b2afd966ea032e50cbf71a2a13247db954cc0df1c6c26c20ae1340736f1c47048f06c19e3a5f81235906ecc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e96d59faf87316675252330e1738a352
SHA1 9e3d8279b15cc744769a3dc72b27de24f4e89bbf
SHA256 69b00a55e92b1c43dddcf300bcc60e1ebf934c0b15b5046e4033ccd9cd58e0fd
SHA512 96dca95f8c456aad0faeaa7456fcd7d09ffe93610d0fedd0afc64e32d0f510258bd3ce2498c4c846a76a4778739680bf448e34d28888951af7ea0e91de5b5a15

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 03bf1b0882aff80a2b24a6ac8225520a
SHA1 d5e286877131d0c4e62885ecfbd8491cdcd29fbf
SHA256 e01d5397c8cb1ebf6415b2e97adabb8c48656616ba48f048c39931a71a19979b
SHA512 dfcf40b33cf3f56a1338c153b29e5c24640edc333dce8adca3b723c8a7f1a4d3275dae93881b51bddcb8f0ced358961783bd10fabad0e13d0dff738b247ae163

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0126d56b9693a1d82c8bcd2c6812426
SHA1 dc7f4717a53fc08423a8a9b07aad5df32be564f7
SHA256 39e95dfa569ff1467c4bfae79f589e203e3965b7f0cf57cab0a6ed0d75668a31
SHA512 b58a2bb798c439a98ab4f010b142b0954080d49543e28897882a4ec3a6898e1a829fac623321fedcafb04476c4f5e91961ca6baecbb9a80ccb640951047b12b5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 374d3b04f17dbf1919a7542fbd4db8b8
SHA1 062adb5e4422e09e76e1a239cd6fadce99934e28
SHA256 4b1323bff58db3ee3961dac53e08643c5080197c8203fb1070128c9a9b45c9ec
SHA512 ee451c994ebf4e70444efa81608909f9bf5a7a2f242ef45e03a72ea58a9c9b7170985c9800e83afe2bcf8b2fd6f4ae8a5c700367e5a9c969137f2f5d2dbbf8ee

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3777709e3cd9e1ea9982bdc819c498ae
SHA1 ac4a896aee678b1dd2d081e0664790a42f80e2af
SHA256 7b028904aaeee711259b395e786b2d5234c107184eee036c870b17eb08601567
SHA512 c5f3e4db56843283494e84c6d167cba2ad735dbc401062dad1ce2ffef87226c3cd606963e3745659a2c1b28d6ac87f03244202650dc0676213d3c0ec9b212c08

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30c80231826f6b724fc58597e576bd1d
SHA1 57b78ded1a2f0a6221ed0b53d360d134a85a0538
SHA256 a7abadf6f7a48bd279400b97a32e012f8065a142730443d366e583f463104c13
SHA512 557557b703a810270aa5e5d78c09750569b32fda7da3e9c8b3490cf19c375686806f12a3ab7d82c68b6f933d9b95649dbd8305b9642441900d40d1f0222a8c3a

memory/4084-604-0x00000000064A0000-0x00000000067F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 154c8c3c46ee7a9230867abd060ef0e6
SHA1 ff05a3e60583f0b1edcffe0400cbe8c471785480
SHA256 6409ee70a90aab80a0fb120d11fcb33083b08c7610ce64a5ce5c900e96f371a9
SHA512 2b1494fd032f097526953a0c23f91b0e4d54a16f0b96c86e869980bdcdb63665a0b4d723ee785ec07330d6194dbd3f8aebfda4cc830004148acb4e4148f1b6e6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 008bb5a3be6d5a529e7d8893db08343e
SHA1 5244285431940dc194d4138ab51593a69a91ca70
SHA256 189ba2b90709092688eb8da74d920d4366221a34794b84ead807f4abcc672123
SHA512 08d84223bb9a72c414b9c059a842e4d0407e40c7be95635c0af99f56d7234dbbe91c6cfd6022e7c73963fb00fb1a5e2315bd7b405e3bac7e30ff6cdec8aa74bc

memory/228-622-0x00000000061C0000-0x0000000006517000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d89b8e55ac7cdd29a53daa6e35644a3e
SHA1 5cf3608c1cde1e073b22766f85faab3e81d94399
SHA256 8c71dc3e5641351fa7cd5e4351dc420f556b2649a07a77e0ed4deb65039b7b1d
SHA512 ee128fe475fa19337cc8ff2689066cd9e16f46daa8627e73ef0a4f17ac337542b29f85186f0c623b01d901bb91388c28a451ad54f0a1140221987d17d0150a39

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b18d77bbe08208c9fe4965dfb478807c
SHA1 22ece2b30a8bf1229f7329cc7600314941cf0efb
SHA256 d448a4ea45cf0f9f322f338e81259487d1b3653bca3d8d8d755bb9eddb19e19c
SHA512 022b99dca7b53dd41c159ddf085b0f00ef519cfe4d38ea0426067037344c92ddb5194c55a1a262f0a2bb96600ee130b3095b7672b81467ab95d75afbb16fc1e4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a624b51bc449a849f19e703535c5bb7
SHA1 c29c1e270eabb9e9d5e088de29ac3c0451d6f5c0
SHA256 927031b3554f7df9e815c6ad66955ab4d9c87bc2bfd15d8125abf67897868e4a
SHA512 f47cf96ed8363d31f3fc3e4041a4dbce9039ce53399d63c502a4f0f85fe2d5f281e68281cdc883b3fad640128d42906ee70d49a10446c3ed8863bb70ac766e98

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 16bd993eec5fab838bf2140d012bc269
SHA1 509b4ecb7ce5d8a882bfa290a7623a0def28d2f4
SHA256 f8c8ef74b24f2da540c423628c0ff35e765d71b82dc23a125f23396b8b049050
SHA512 88c94cd4c130770246d5281cd06a8691991d1974b6255ecf343459a47a59e4385ae1decf65f7addcf827cc3bca35ad6fcd5a5daf9ba325c46998f162ddfdf172

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2b7c267cc480ff8bf8da2d964912682a
SHA1 ec923f0cd38b880243db3b8ad603a412d2bb99af
SHA256 a79fceac5ecf1c3bc63f6793d77044ed1876b67e1f5de79f9c7871886d2fcc9f
SHA512 c9f509f5e8fa0a16d3877ceb91c0238d954a53af36a51d28efe4684c77aecedfdfab3099a60217bf1ee1e1826c1edc4ecf4c472e78741a6161dbd7aa5541eed4

memory/4964-829-0x00000000057A0000-0x0000000005AF7000-memory.dmp