Analysis Overview
SHA256
1fb147e3aaf58a990e163b1f14d80130a9817f8fcfa53a34ba48e983136b1e50
Threat Level: Known bad
The file Thorium.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Boot or Logon Autostart Execution: Active Setup
Manipulates Digital Signatures
Drops file in Drivers directory
Checks BIOS information in registry
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Adds Run key to start application
Enumerates connected drives
Checks installed software on the system
Drops desktop.ini file(s)
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Modifies registry class
Modifies Internet Explorer Protected Mode
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-02 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-02 09:51
Reported
2025-05-02 09:54
Platform
win11-20250410-en
Max time kernel
153s
Max time network
152s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "劮쬝㸸櫒ꨙ롶嘕ꑍ㸍⏋㖔߃皔㶴誣촷夃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "\ue6d0〻铝陚\uf420𥌢滉蔣囙䎱ඳ\uf2a0\uf235赚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "䝛⺖驱∣䂴磎ܬᤦꤵ澐若\ue9da䊉發낧﹛徬䜃ꇊ磸瓝벢⺬駼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "\ue102몑\U000cefa7艔ᠮⷈ⟠ڝ\ue707❨꧴秫辭\u2fe5\ue32e⒍\uf63e\uea7b拌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Enabled = "哼癨\ue9c5厦쯣糉죾◾ጝ䡄\u0d53Ꙧ沟ꔌ쟘螉É쬥앍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ = "㶂蟰幍䊂こ鸳⧺昪遟ᵖ꼡썖溳㒍㳂襭泮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "쟁訮뢵ꩲ㯌내㻱畘\uea4d\u242e\U00087fce삾ᘎ\uf183" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "䖖\ue0a3\u1b4f⌚큨轧膜\u0ffe轙𒋵ꟸ肠콚뵽ꎛᦉ㒷\ue962濛欤틃盲♴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Locale = "䁅涹ᖧ\ueea4럡\U0010dd6b悑⯢꾓⻉驦\ue6e2틌䭨폼쀔簪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "\uef23쀨\uf7e9Ⱓ永弭⣰쌟ꦙ㽂㖴綠≩័네⊡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "쓼䧒鷙쪘쪋\uf138ỹ\ue887涬ᄑ龴鉌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ComponentID = "\uf303껇䕍鑞룡䖵\ue08b胛\U00019179ﲥ颟䜡䜹쀓䂎縈\u0bba첩臩莿ힱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "謮ꋀ넛Њ뻵Ⴟ⟆\ue355ᶾ\ue4db֖돇ᢧ剗ᔢЙ稐析" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "ల볳쁼燧殻틠䄋轆蚓聳乳볫㟵籯踪ꐒ熩⎧োྊ¹詰ꫝ븜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "颗빀殮괸龹㝋雷\ue017䔝ܒ阋\ue509煪빆覹毪椢䎠䕲㰜퇏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "⥲훤ߓ嗹\ueeb1\U000c1132싲䡢К⥧\ue3f1鳘푱誅턣Ṻ핬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "含揙㱉睵淠漩伟뺻塄殙⦎腎㝦豈例䡑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "ⴱШ㷎\U00102196诐銋ࣷ㼄汭䍷闠ꨒ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\IsInstalled = "᚜翹癝ꥠ㠅鲰ⴿ㳈ࠀꑝ\uf5e4ꅬ哞贴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "阮Ჰ輾擀슣ర벧桅౿檂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Version = "誦紌傿ㄸΪꕘ⦑ೋ軾溪\ue9a6䋳뒃铣ˋﴱ诿䝟\uf8fb崌僴颉ʪꭞ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "䘹륕哕嗯㑐\uea3f悦䶦卩捇\ue1a8\ue030洁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "쟅ﺪ⸭⋜ﹼꕢ┢꾄⓳\ue40b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "猎蹨현說᳸藈唔砘宨⸙ꑢ揹\ueb8f팹ꆓ汘焍⧵\ue8a5몼Ɖ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "㍹\ue2b6鿧犨ﴐ≳뭙뭀⊔꽑䛔䳄➑愃독\u0eee덭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "䗑\ue4fe矧돶\ue32d\U00108c60擳\U000bb60f䣹邁衵㒐館\u0fdbꑎ愠仄\U000e4e4b\ue1d5" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "\ue39c떐齒ꉱ瘂\U000934ae业믔뮐ᑇ䁜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "\U000370f9䷷벢⥆㊲䬐ꄟᝄ탾ﭯ᷻ἄ뻱㽋͐뻷╁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "㮋覟宦\U000951f7㞥ύ᧵⪭\ue3d5ꡪ⢴향包蝃䤳ꃵ鑱顿㆟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ComponentID = "䌓웇ɮ䉇飦⬚\u0b53﹐喪䇗\u0ee5콡\uea44䜢⻊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ = "舌\uf120ꊰ텮嫲萟\U00063022㐼\uea95\uea07畨\ue6fe茂ṹ﹚蠟仩텗滈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "凃㗢挤姅\u2fdc祮똚諕蘉룷㷼甌돥軀쥧腬\uebbe\ue3aa团\uebd6썜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "ፌ㫛\ueb46䥵∗♈ሹ兘ᵿ\ue3a9ゾ\U0006e1f1吃晆ꕐ母\U0004fe32餆⑩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "慊ﺹ앲\ue497\uf1fd䀎낋嘧齧莐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Locale = "伹누ҝ㷒\U000dde4e㲚ừ㒵癔壤ᒴ㪓\u0ee0銡⑹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "࢜Ⲏ뱗ꖮ暯滀\ue6eb귱藠譀仼縬邻浿夜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "杞墠飅\ue075ﴑ\ue3c2뚙蕦鰝疭Ḉ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "꣹\ue11e볬⥿⑂牉\ua7ebṨ杉쏢䘏⾍\U00080d38쎦ꊼ䒝֥斕ꤌ礗䫼\uf094" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "\uef86ꏯ牫撶陝︿\uf3e4諺囃荪辭藴㡹蘯\ue96b㙳扄蹬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\Locale = "啂ّq鮚\U000f39e9\ufde9앬ᜌ礋ේ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\IsInstalled = "㔏\ue2dc씢鴓굋雁泑헭匹ꍸ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "\ue1e2蜨盅玹傔㝍㴧鍁멺ભ洸桸⌠稽籴끥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "瞭叶鸲躞ꘟ䕳㕊鶼↺沈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\ComponentID = "婄갪躢`溤䧨넱鏾螴\ue44d" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\IsInstalled = "뢗繋湀\uef3b鼡됁拟᧢뒨\u2d9c炅\uea07딡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "◹ද「⻘풃ᾴ佧꽎㗍뭔뚆⸋짩\uec94" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "挍哛듕뫎\ue4ef綴틒휛\uf2fb惧훷㸈夬둋\ue43e瞝灻趲퍮ꏁ\uebbe\ue00a" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = "뿢\ue174물寽\U0003c97f揋蕈熵ꍽ\uf854忔뫺鯴읦⡩쓩\uf1f3ㄴ뗒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Enabled = "岗䮦宋遱흥ܷ곐৮\ue6da梯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "ⳓ蘆⬨͏\ue415웥㮜鴰몶虼橱\ue19aည" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "㶁\ue8dd⼧睓盅ૡ띊䩯梞臚쵬龓❠葛脫\ue5f2▜\uf656\u2efd" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "룹ꪵ륍킿\ue038䀦✄\U0005c287娳陿譤뻘삉ꊤ롞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "♒쉎ᰶꞨ˕窿\U00034c52䲻ꀲ祌ᥰ㱳㹠쀇╡ࣲ芟긘垴㤊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "毫ꚉ頕삡丱텪蝏\ud7ad⠯\u1cfb夐ⱊ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ = "䔑벅߰徴職鱿\u0e71㥘姷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\DontAsk = "\ue4f6큂ȵ䕒䊄廱贘贈豰Ɇ鸜㩠䋇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\ = "𮋓㘞㧍䦏簭쓙뷲魺ﰉㄉ존蘞셵卟询碋锲ᷜ좸\u0af3즢뙥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "᪓䜫㦵飭妧謕\U000951a6䰀⥢Ⱐ䨢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\StubPath = "牧㹴\ue177漌\uf6e1芥颹癬睮峮伅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ = "猉尪\uf7b9申\U000c885b验赌㹒ⶤ쬵\uf67e㮢빅㣟㶑ⵤ铴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Locale = "鈋爂惌䉃쾀ᔅ蓝ケ譒뵴밋扔냙Ѽ✹仹\u20f4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Locale = "ꘛ\U0007ee83㈮ﲇ髵䣱賜莒㹘基醔贪뫞\uf8b4躅淁ﺿ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "㚜麗輧\ue817粕ꍺ聁쪔텶滔\uefa7ﻥ餎એ\U000aadb2怠䲄썡\U0005615a饉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "\uf7a9凈⋌䃰Ꜷ룳抝ꫤ澪흛茾\uf4d2ᖉ\U000c0e3c萇销퓡ፎ㑉琂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "힀ग़貙\ue46d鞹풺\u1ade\uf460츷᰻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\IsInstalled = "㝮䧑鿘돋\ue68b屌ⅆ\uf66c㼛椸耜㐻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\WINDOWS\SysWOW64\drivers\hostsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "쯇\u05ca\ue7e7钨噕➗庰ꑍὐ⟂⥂鞺歈꺂߅面뿽" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "᳃㜃쁅ꅠቃ䮲ᮿ躵쒠ﴍꏮ콞ꐁ틻\ufff0\U0006033b㙢ั" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "㹝쇂樝\ueb3f\uea5c\u0ffd蚃\ueb6e리ー뇕ꀳ泻" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002\FuncName = "\uf436Ꝧ\uef44\U000e4b4f叙ℙ\ued34歍\u2d2b굼\ueb47略坻옺阄珘邃궿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "趧봞䩱\uffff経쎘ᆗ䅽덂ࡅᔱ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "\uf31c킴㵯\uee00陰゛ꪞ䨙Ṭ⒋瀋䖇\U00057919䬎\ue407" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackFreeFunction = "ķ绢䋬溝뭤\uea1bې㈺錐疸ྩ襕\uf178댮꩗氢ⷊ譫" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name = "\U000f5d03淙盼\ue631玒졝⺛\ued07⨀掿\ueb87㹡樲薘ƨ鼁舟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "\ue0cc㝨\uea53惹\uf8d7Ⴊぢ䜢嬁舑됓ㅟΉ⫳特들瘸\ue6f7瀺㏸䜏䘿ꑝ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "勍⟚燒Ⅰ멖ᮿ콎\U000c17ad\U000dcc87ꖝ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "푉軦ഊ뭀\uf613\ue6b6븵픶韹\uf794洸賅퉝ㆉ\ue28c㉍㌦돾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "봙ⱃ̔霱輟뉫溲鳫쭟夼鯏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "밊鬀㯍𬗘艅럦빶鳐䣊캬쉝≇䳠鳡➍킕鯱灓꾣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "ꋴ붩橪ⷧ퐹\uf54aଏ㊮㗳ꯏ枔ޡ䆺蝊쨴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1\FuncName = "惏禘㏁荳䖼〲鞹⃑戻᠆쪢㖒ΐ컦刐扲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames\TrustedAppRoot = "\uf8d8\ue730ᴕ䳺ꃀ⻮陑错\uf49d\U000389ee붪㓰ꀁ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "쓕䍋頌遫譊ȃ\ue60dᷩ㐗\ueb5d字뜵\uf40f\ueeda딓춶\ue093" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "냴उి㤟ƥ柆璺먚ꤍ⻘뒪\uec6d‾ᓺꠅʳ癊鱌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "q뤦뚑\U00040760돍䣪\U000a6907ᢼ鹂\ue2ca劐氮ધ\ua9ff" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$DLL = "ᵎ\ufaf3\uf2db咲\ue07dା냼궰䡪㲁傯仲峖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "\U0010a389㯝㏍纄삊눛鷢䋘ʠ䈝簣씊쮆\U000a2283禙傠넆⨍ܗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "Ȯﰩ驖愾촧蚦縿ᓓĨ卻흯꾽铤띃ꆅ\ued83鸜\ueff8⛕䂷珴⸕籶䧔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "✟刟ﶨ\ue392冹䣁︵쐉떀Π⪧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "\uf31f꽄븛캻㒲規ꯥ䞃镺㼏즏橭旐椺찉ꋵ叒峤朵샗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "冻䌊ᓺᑈ嚖⮱\uec78脒蔂鬁돳嫿酏謎럿좗ﮟ芛췮泧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "늫꺊ዏ땏\uf536媏ᯤ瑱⛒黚⠗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "ⷐϿ㝂ﱯ\u0b7c戂蒤ꗭ渵㓮\uabeeჰ\u2d2b怕\ue302" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "릔ସ籮\uf5a0䟿㓣\U0003d33e\ue5b7\U0006ad83ꉬꧪ㳔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㤇걑洑䐉\uea9d獛砀\uf757\ue57dઃ\ufff6ⴸ\uf0ce娭끗冂᭮\uf4aa奥琏섌\uf4c4\ue2cf" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "㘋ᦹ捎䖧咂触ය茩ǖ얜" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "┾ᘈラ斞쯲⾴槇蔱킺ꪂ㚉刬䬁㊓㣬캝挦뮩ᕍ䁺몫蜋兎흦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "窺拥\ued49幰墙摕㎧\U000c363d鼲멎\uef33盇旑瑹ㄘ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "舑쎵䡮봺\ueeb7\ue703泤怰勍䢮ᎀ瓐빡㤠䟄濈頯庇ᙯ\uef0d聿䦪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32\FuncName = "s埰\ue156ᄢ㫙鐿ᢙ\uee7bぃ\uf11c\ue0e3ᬇ捔佗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "ⓖ\U0005bd5fሂ\uee2a္죆\ue8e8\U00083ac1䌸罸葬䔵ת\U0006e64c렃ᦏ䶙윃骁阈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010\FuncName = "\u0ef6Ӷﬨ踮끮\u2e64村쫍\U00061844ꝱ䷐\uf87e沲\ue524㲏홧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12\FuncName = "コ䈣툢\U000381f2㌝垂䣱砱⨰ᴎꂯ膨칺ᔎ\uf2ea䶞㏧쿉㐬﮿╼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130\FuncName = "ᢌ\ud7c9춽༄ㅤ\ue4c7렗㠄㭎쨤뭎\ue14f㞶楯\u0bc4訒\U0010adf2ffl䇘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "鏠鄌꿖ᾋ᪺鎈躯鍮쵢伥攷ᩈ\u0be2塞Ξ黮砅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "㊡몿Ⓨ\U00048bd9띄펣䉏啯壔蚋➐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "耉Ꮵ㐃響螗ᇊꀆ퇑独茧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "㉕撦≓\uf220챝\uf54e\U0005d5ccꝝ秛ꬷព賨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "◞வ䲭픸\ueb80\U000b68c8啉糏䓙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "謻ﺣ庱좏핶㸏訍晉詊㏠론ꀬ紕㑌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10\FuncName = "擳仯᩺柳㫸㳢둗࣎⸫끩䳱\uf7ce퍑籀ᄉ촀檻\U000616f2៲\uf349猉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "튿벾㷾︀몄ၣ\u17ebꙠܦ⩐婒턯⊿ꛗ鈭ໟⴇ퓊耸䇼𧻓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "딚刨\ue59b\uecd7ᾃ㕦\ue0b3쌐\U000491ac\uea8b\ufadc茢쳱賐\uf554灤⺓穃\ue7c8" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMd5ThirdPartySha256Allow = "齡푘龿\ue06e唔퇪벳쉏褎촸眻粨扞黯냹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "闍陔芝㦗翪䧧諒ႋ㹑휪ـ蚵\ue294阃蚶\ue151\uea2e⧛\u0c5b룍䫺僜ꅵ\uf5bf" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "࠶⪇\ue78aꈈ㭤ಡ鱘髪랲㛹섍ὧ㳓衚㻅䛪볺᧿ᘒ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "↙\u0bbdꤼ\uf5cc웋ᇴꏵ栦溙Ķ㵦皦\ue0a8惄斑밧\u2d77녤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "䪋䭄遀\ueec9⤊쒔ꆒ䋄檋ⅵ솑除ᓛ䐮暺鼉ᠧ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\FuncName = "שּׁ\ue8e0廒\U000e6aba\uefd9\ue997縙ઃ媶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "\uf7a6Ὓ\uf856ᝌ遌蓼ꀮ虄ﭣ⾱聮魚☸챒\ue694⏽熦ᆳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "齦䦞豷㖬朠Ả昛怎釃腟ᗄ\U0003e718㭗䡶Ꙓ\uf5ac︥㳇쪶면䷤뫬慆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue226𗽮떔䅜쭊\uf656ポ颍䟜\uea80\ue8dfԮଌ냚蒨셄퉶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "寨烉X飺퇉秄芅ꦫ鿫➣夺᧸ꪬ㎱厉㸭罍\ue06aセ鏏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function = "⮽厮ꂑﶋ\uee63鿒̼䰨㷿\U0009fa4c륆䈷臒죧먻嫏Mꑬๅ\uf0e3\ueaab噵괥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "椅ꡒﲨᕓ缰噤\uf52eṺ쬐쳃ѷ\uf1d0材" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = "\ue896\uf486⩌\U00088c9f酣뮿̣꽄랝셱鑪鈙㬈뾵뾃墚\uedbbᳫꃥ㴌㸴螣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "굞\uf7386皾跳䑹\uf295ꅶ纍縶ᘒณ\uf35e\u17eb\ue517荛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "ꄤ№柂厰峾饸\ue7b1䕋\ue5f9\ue686舮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\Dll = "逻팊톴惲㨑킺ⵍ䑪笧芡謎\uf56f\ue18c➄﹢偃㩔㥳殹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "붋鏮藫\U000a0fad慺\u1978壶䴄鷗\U0009d8e8ዜ懠⨳ᶪ뎖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "䕳\uebee䭔켲秜綬쒄ݒ覔ᅲ\U0009f8e1ⷺ蹷䡏\u2437誥襉莇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = "믏㸄淣\ue2ab\ue11d껇\U000f5a3fሣ誤ɔ姰㑃㦛烆潺濁ગ详\u0b0d☼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\Geo\Nation = "\uebb0Ⴎ\ue6c2‴̐쎑ꢳ⃞컕쒾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended = "\u0a5dᡙჾꦏ뤗\u17fd\U00106a85鏹䂪籒讻潟阻祒돖郌朼\u0bda꺵麽닋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "쎵섬ﮖ\ue7ee쵾齥ᮏ⏎䩐\uf4d8蓹\uf8ceꁍꞄ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "➐眽邵蕡螄\ue735笳睊炎ꃘ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "壏ꐶ뤑\ue20a頀ﶟⷧ撺\uf144捳芡\ue39a뼈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command\ = "麡竫螧険뢥ﱵꭾ減ꋹ筕⤼៱鳤褪ᒚᬆꙅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "צּٽ㛵\uf8b0皅쵏꘤㻚쟭頛샛\ue2ec吸\uef98픻羛蝦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "\ue275釾륺⯗輵굋\U000b9ea9輰⾡ꋕ怙⊷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "릉韟뚼库譖䇾皝駑\uf8c4蜝ž" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "⸕\uf305\uf5e6ᨻ츠毧\ua7eb羺ꭩ滳鰬뉧虁궘켍䳘膣ᄍ峨篓\uf546䑗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "\U0004a863ﴋ鍢㫻ʘ凨⅄㐎币籍冑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "⿻ʆ抭倯丩ř矣\ue3a3ﷸ쥦\u2d99煯៵퍁胷踣潇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "櫐칾ಡ⽭㫉谼>ᾦ搉虦宮㥬꺻퍡讄鼙缬娕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "赋暛ᾦ䫤뼚黯\uf592蟶싈\ue599飺\ued35ꄢ鳁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = "飆Ի牖莛鏈碞⥔㎌㯼寪\uf1e1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "ᏹ犠\ufb0f₱溍\ue70e突萩ꏲㆽ蚹燳섶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield = "ꚗ\ue6a4谿䀶袂ㄽ⢫\ueed7쬴\u07bd㷡붟嶙㕺鵪萲\uefaf瀨緸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "ﻯ제韹輸\ue767㠽榜귂뗶ꄡᶍ쓏\u0a7f歖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility\ = "鏩\u1b4dꞁ\ue998쒽⧱훉ꛞ쮝ౡ뱸灖愡﮲ౝᣯ㶉䦼駭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "隤롌鱌ᕦ綴ᘁ\U000856f1⼻싿\u2fe9蔆捙鉜\u0fec䟨䛑쌕腞唔搓旆㖹ഠ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender Firewall = "C:\\WINDOWS\\system32\\oobe\\images\\" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\uf3f0בֿ\uee2c䨉芩蒊\uef29閥\uf801┡㝉靓۬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\msmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\svcboot.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WallPaper = "䤮\u19cd술豛㴾꾸鮜巧Ûဵ鿴ࡿ햎鯔⍹㈪俦巉됨짗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\System\svcbackup.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\hostagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\images\thorium.ico.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\syswin.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\logsvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\svcagent.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\configtool.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\svchostcache.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Network\netserv.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\Connection Wizard\server.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\WINDOWS\INF\infhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\INF\driversvc.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontmgr.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\bootcfg.dat | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\Fonts\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\winoptimize.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| File opened for modification | C:\WINDOWS\SystemApps\taskfilter.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Thorium.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "脼\uf54f퍧옢\ue010䔗荍䌻杕\uf6c6뮬隻\uf4eb焫\uf4d2뀟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "桷Ⴏძ髆茲疬閤欂䑯퉦淧ᨦ䫣෬㕗셍핳偭답쳬樹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "ꨧዋ\ue357䑩㜹嘝ɿ丶⯀辪\u1f4e徕\uf593" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "ౄ挖\U0003a295헾栖⏉赯獤眠\ufb0e\uebc0\ue0ce鈷" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = "䑨겟ⶈ巫\ue224ᴏ貧ûㄵڼꢁ鄿1̺涋왉ﳀ烈ㄐ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "ᾰ咍虿㰴콏삍쪪䔇⋑퉦℧\uf53a⺙ो掃㣂峫\uf848" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = "\uef1d娙ӡ\uf42c៉加禎밎\ue42c씨遥ᗃⰇ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = "㕦访ᤋ魦꽃켢ܡ숪䜹㇓\ue2a3폡\U000c9b80猉㴸ꤹ燰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "ꙷृ웎웎挒긑压ꬼ\ue413እ醹᪲뚐䝜럭灯퍃ᡸ銼굕뤿⇥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "灥繶ḿ意\uf68a䌠㕿皕刹㴸鯅䅒ꤝ佋탴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = "嬤´䙑㣿\u2da7䈃쒝ㆦ꼨ꈫṏ섷㔹ⴤ颷嘚쏅纇\ue3c3濅更誚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = "쮒⮫訲\ue404蓑驑㼘쫠昫滑擎\u2d69瀱굶⾤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = "┹ན篰춐뻀ᆲ✈딽똋捰ꇞ༶橆䩥놫⑪쏰곷傔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "\U000cad97뗔ᜉ鋑麑\ue2ca\ue0f2馄\uf13e撓꾪늦᠏\uf81a儧晻⽪⼈㵱縤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "ﴊ\U0004bf06ؽ\U00100026Ὴ莵䛏\uf79e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "䉃푵櫫쒫\uab1b\ue551\uf0bb\uf365\U001075a3ઈ㢼\u18fb腥○압ᮽ흧\uf7c9뮠溯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = "ᘻ뭮ő재䄙㦇F€뉃痰\uf47a⤛\uebaf\U0010ee4f洛ꒃր娀" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture = "ꌧ㮌咯䜩쓔짓趖ྡྷ\ue7c5\U000d02bf榩쭭뜵\U000d62c2ꐄ\ue80f\U000ed029祐㪤ꕚ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = "鰗즯ྕ䂃ધ\uf595흜䠟钛ן𮗖박\ue64f\ue144︤䟎韚挸캣ꄚ䡼\U000bd613" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = "둑浽\u197c⒥㘺솅ﱒ\uec35䏹厴邴挿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data = "㙏뵯詭¢槒\uf549蹭懨뿌숗橝쐘酕靴䴛滹Ტ侁堓例" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\ = "惝ܬ썳鵳睃Ự浔䞨ׂ\U000c53cc謌\uedb1弙\u1680➓魿𥳐㔩ﱭ䉑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "\uf791佒嵅䠉\ue04c\u0d49紭쇂\uaa3f韸ᡥ븪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data = "\uf1baT㰫磶㬇훁단㶒໋̫篃ဥ㦯ヲᔒꞁ\uf518瘈榨堓瑟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data = "䭇峉\ue462뎈鈃﵄蕬晨ꀇఔヾᢳ\ue3f8枋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = "橮䰥듡\U000cfcec⒵鰡宴ꔚ봈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = "ࠦ둸Ồ鰆【ᦝ벷秓倮䗡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = "㞊ള\u0891┟癛ڸ岽\uef02鳟\uf8e8㟐\uf5c7冱᪽훦ㄥ섀淨콨\ue68cె" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "\ued12䟯耰寧쏏鱖騮뺡舘烒濏\U000608f6擩\uf5e8㤟떑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = "왗쒀घ哒箣\uf178⸓鞉\U000df4c8䘱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information = "労ആ㙥Ǎゴ愽픮\uf722ঐ㚇指\U0004b08e莿ෆ┴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "尒ꌛ띫䭴ဗ菄罾鼱ㄘﵸ㸳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "\ue4c6휷꼫Ҧ곐辛\uf737\ufb0e㈉ᡅ鋅猶䚳䋳꩟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = "䟎ᖇ\ue063ួꟗ࿋팙㗺苹癪濖䛶橉朙屬秹ﶶ鶜廗璸檏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "⤩堽\uf872䭰㠱\uef31砉銼淛頨䉱嶏뗉\u2065줹듩擔婤벏灓뤿뽯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = "蓖捞䭣磼䞑\ue95f껹\uee71ƪ楣ね뉠ꆯ쓧Ⓢ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = "➉膩簮\ue062\uf1a8Ⴋນ͜\U0005f4dd鿽뱽枌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile = "ꂕ课\uf0ccꥰᯪ홂\ued2d❨\uf5aeᝩᇍ櫶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = "佺ㆍह囂ҕꐙ餬㙓䮭ɽ뎧䐂믥彝᱖䱚Ꚁ萆⃟" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = "ᴚꄶ\ued41啕㺌駶ᚋ\ueb92\ue7c0ꤺ寮᭄鿍강央쀤ᔼ\uf679Ნ沾ₓ膡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier = "\u0a57𑅬柈盩픣욼䟡\uf656\U000c7d24╽踼쵂补搇奐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\StatusFont = "\ue270\uef85\ueed0桌댞へ蓬\U0007d0f8䬋ᆯ喚\uf524果ဆ缢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\SnapSizing = "ᷙ㙉쀐\ue87d⹘壤煐唜ᨗ聉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SmoothMouseYCurve = "魋魍\ue82b鈱⁔퇎꿸⪧㰇夀鍳熜팘썤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\SnapToDefaultButton = "臶突Ú罸周롷뇁湜擧錮袴氹悋싛ナ㩆\u17ff" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\GlobalPowerPolicy\Policies = "紬ᜩ㽵ꋦ\U00071e29㾡ڍ탼率沖䤉驅ဂጽ閔妰ⵉ\U000a4688휮㬘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ScreenSaveActive = "銏“Ⲿ啓鴾銁\U000557f9칣럌怑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000201\Target IME = "𢄶㏶걖캦刻ຟꥬ\u2d9eɗ頽\uf22e\ue2ad℔අ烝꾑៌壦\ue757ꦷ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\StickyKeys\Flags = "퍇\uee72溪ﮄ\ue65c추⎼㡱餺붣ꚻ鮏溶\ue969" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InfoWindow = "ᒳ즇ࠖꏌ⪢磬ҷ郚齏뜃歋激燡\u088f貁\ue51e✲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\HilightText = "쥞䤸悍풆艺ᢒ趲\uf89d\ue5cd蕯돳漼\uedf8뗚㴹ꫜ矴傕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeAll = "겞嵙ℌᇆ麒鉱碫쓛獉\ue781∧擀׀艬\U000f8f2d⩞濢轼\ueff4됦\uf4cf䨘" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Key Modifiers = "؋\ue77c헟䂿쿷欬짎돂㶥襠\uf46bᾕჁ쏈䇑\uf18b" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\AudioDescription\Locale = "詎䀠檂摶⩀酏鑲붊ᘴ㑡⨌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000012\Virtual Key = "띊팊↓囦됓釣ⴵ茯帮豝㥊\ueb9cꔊᥳ焇휿右" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonThousandSep = "\U0008b071酜㤿敛葪귯\ue3ba\uedcb\uaa3f璹톪筱酓楐抏鑆⩇鼪\uf30e⎡ꑅ䌾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\Previous High Contrast Scheme MUI Value = "࢘\U000f5147㪚晣寧𐀐咲훛⽇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveBorder = "贜滌瑲侣꯷\uefa5棩\uf227❾ꦇ庉㵈磜ᬨㆇ鬝䮃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000071\Target IME = "躖䨡\uee7b㽅\u0de2㔐߿猉帧\U000a371c꩒Ӓ部폦ᐃ阣랇ᔗ曅๓\ue83e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\NumShape = "ᄿ憏\uf751尨됓菱㸚垮\ue54f𐏑엑\ueb6a䩙妪軀\u09ff" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iTLZero = "ﯢ븜춑肣Ȥ╋캓\ue83c\uf7c5\ueb5fᅇ瑂莙뒳腌⬇ㇷҒ\uf6eb嚗ꅓ퐂ક" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-850 = "嬀矜釓吹帍Ꞌ煊△荬䅄ﻔ뜹瞗\uf048鸂ㆴ՛㔆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonLight = "瓆겔ꊏ궥⧆등萶퐔đﭡ쨑\uf8fcﳷ輾鵆ﵚ藑蓾\uf4c5\uf5d0缊鎹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\WindowText = "ﱮ໋䁖吪ƫ犓凬薒屮\uf21d⻝カゆ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\ButtonText = "흄\uf66a뻽鰪\u2e63\ua7ef㑀땯獇활儎뎜瓝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\CaptionHeight = "䜠壚삎\ue27aﶄ\ue0fa뜺₊쒀伲\u0d65ᥜ눬봿雅莅\uea20᐀\U000ec298婮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\IconFont = "⽼댍²夻\uf106𢒓褷㲷䥍" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sGrouping = "撚놙\uf304屏谧攑\uebad鿎漻㟷⣖罰뺿੮튵" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\ClickLockTime = "˗⭆᠘\uf74f䂹㒄ओ\ue5d0鵕㦁唷탡竎ꞔ⳱뺲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\RightOverlapChars = "퓟핦\ue184麍塶隃紺쮅ᳬᙉc蹂\ue539㕷ﱳ䟮\ue097ᤒ\uf3c7ಙ骿䌑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\InactiveTitleText = "覣\u008f灜椣⿈Ŀ৴뭅╄ꎗ꺸ദ皵喭\u1f7f뷌盬" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\WindowMetrics\SmCaptionFont = "\ue7a5舆䷦ힶ儺뀪梹േꋦ皸\u171c\ued2f蒘롘琗傺뤿⯫緟닄\ue4d4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Show Status = "፱ꕆ좞趫冬틩ꓺ빢\U0004c0c8ܵ뎂\ue89d\u0d97\u187c⳾簪蒡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000010\Target IME = "蠽\uf589摲\uf6bb惝匁ꃆ슝\ueccd⸨貉\U000570c3笊㑐甧鑥\U000acf8d\uf5a6廙ฏꀺ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000070\Target IME = "嘃鎳몪㗻೬㐽穅䖌ꔴ䓦㜩\ue519謧鷙핌Ꝼꮯ\uedd4淣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sMonDecimalSep = "뮆\u07fb뒭⻑鷭鎥뼳ٲ괓\ue9b0𩯃╭떖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\SoundSentry\Flags = "\ue49bཨ洞☣覛⸲먇屚鼃〷႖\uef37죪缉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Appearance\Schemes\@themeui.dll,-852 = "ᶮ䫣ᝪﺀ됖Y\U00055a54렠𢵎䠫嚦ᜅฆ햁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\AppWorkspace = "ꑧ껯߇\uf4b4₋晧\u0efc绥ꬹ\uf076獵\uf593皎\uefa4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ButtonFace = "\uf25c፻盎걣⸡듌岝鴤蔿\uea5eć̫낦␐ҋ列녨僎嗦㢿붏갺↔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Key Modifiers = "뇍懮퓊\ue29e딫蠗涉췧㤍㹇퐎ℹ圬ꌬǒ䛚魢" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstDayOfWeek = "㚾ᙃ㩓黿𗖌ﱊ\ue829붰薫駕Ꮱ䝭뜣喬\ue0bb넱\ue23c" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\SizeWE = "㪻꜄\u05cf㕮嫁\ue26a륷癷蛩斗ⵋ嵙\ue67cꄩ聑焭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\AppWorkSpace = "ઞ②벫蜛߸輺吗⩟욌凶醮ᬐ䩚\U000de23b䅘䰠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iDate = "찱\ue61f睶㙽膋ᮅ뿷塲柁\u202b냱춥斅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Keyboard\KeyboardDelay = "턈亡\ued3e\uebbc袦곘\ue382\ueab6⌻抬캙䅏ᨦ捿地\ue106乭\ueac4滆籧悂缾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\Scrollbar = "┭肋林炢╥遵뻾蔉ꮦ똧텏矴譍\uf68f" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MenuShowDelay = "\uea38켪큦\ue464鶙굞萅痙㣳줷礕칺良泙䰳毡" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\DpiScalingVer = "\u0a45蠽糆ቤ䢽ヽに훝䔮䘓肉䧄게띃汾\ue00b浸뺝隁\uf058묤\ue95a༌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Mouse\DoubleClickWidth = "尅\ue6edⶈ薑磿恣렸㎝\uecf0刴䂷斟◊瓳ነ\U0001bb1e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\4\Name = "墜㦙ẵ᭄稃답舅럖調럡\ueefd쉑\ue6f9ख़㕚Ꝏ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\MouseKeys\Flags = "꣓齪ъ넥\U00050609\U00064cba\uf865釕\uee71쮄릆烝㴐\u1f5c\u0c74ⱨ킏\ue80b꼄㞋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\MaxMonitorDimension = "\U000fc538踔胥\uf8beቝ뭣\uecb3\uefdc骬솞\ueb7e꺿䄄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\GradientInactiveTitle = "쩁΅鸬֪ᝩ蔀₱遴᷈ᕙ皺\uf663㟯꾤럑㰦⣹ꤽ焜彋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\PowerCfg\PowerPolicies\2\Policies = "膚䢤횮\ue415糫툻뷢ỗ薪奧㧝\ue69c\uf2bf䜌潰⼒況\uf19c椭탘樤⮒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\HighContrast\High Contrast Scheme = "꼣湬䦣犲螈᳀퉰嚯䨖몫\uf6c4谸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Wait = "ਞ蓉\U00074255ꩻ鹞\ue767\uee85\ue763\U00107584\u218d⌨鰋ට㪻皨㙿ꋦ쵆뚹ɋ㼋" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Colors\ActiveTitle = "\u2fdf㵙撬ௐ답ᤘ௵繤쨦\ue84f䌙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Cursors\Arrow = "롍잙\ue5f3䊮䁹魥揅뎣ᅜ䋳㸹ᭊ癳" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Desktop\Colors\Window = "➐\uf481ꬋ뉳訁韣\uab1f㍧ㄫ칽孥μ\uf715诵욈" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = "䕩杦ΐ\ue620㱙ꋩꦂ\ue08f툪\ue254浰遈剝檊풠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\iFirstWeekOfYear = "⾂扽㷁\uf478썠\ue8ce컷愜幚琥\ueed4箛옰\uf5de폪៤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "⠔\ue3ee뮡閳爉华쪟蛨渟虆ﰈꎧ\u2d7e\uf77dạ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = "塆ﱈ噃뵔\ued73暄\ued54뀱뽤䫠左⧻簩\uf1c7䋼怵ﺥ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Control Panel\International\sThousand = "䤉퇭㱚\U000ec920⁷贕齲㗄步⩳쏜厭롕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "᫄\U0008be76뱵☽暝뤬ᤓיּꎂ脇\uea30襨ㅥ罳\ua48e雿眴䝱࿑亾" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E532-0000-0000-C000-000000000046}\Compatibility Flags = "焠밁吔Ῠќ赕נּ۫\ue1ee睤ᢪ\uf457\U000aa1e1˵筯狼⎥\uf020縻윣\ue961" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE6-3C52-11D0-9200-848C1D000000}\Compatibility Flags = "⒖橷妩\U00035cf6빱\uebed뛛ꪭ䚯\uf8b2ﲧ\ueede鲉螬㢫" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA8932FF-E064-4378-901C-69CB94E3A20A}\Compatibility Flags = "랙컀\ue038㢵褴谤⎩몶뤧൝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER\UncheckedValue = "逸\U00036423뜳燙벑퓨ኑ𱻻ꇳ顑壃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_FLUSH\HelpID = "\uf826룦댶즕\U00065bb5ẖ㞮䱏䩪嘋ࣽУ悪ꬆ噫鶤쐍顾筝Ꮕ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\DllName = "谎낺쾴؟봼奣称벹下᱓亜窑䬖쥅矠랲砸嫎ꅺ쪏奸\u18ff墨뗠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4FA8381C-2705-4DC2-ADF3-347D4D619350}\AppName = "꽳ꢑ㷛믞䉫⢢\uf6efԯ栦块儝\uf604܊ឲ㋸싧盝䬌ꚼ\uf39e셃晤껫㊨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBFWLink = "띣ߵ鏳뾲\ue5bf\ue2e2⻫켈뼄휝徭壹⤧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0270E604-387F-48ED-BB6D-AA51F51D6FC3}\Compatibility Flags = "䨉\ue0ce틑㛹䑤梂ꀀ\ue302梛搫쓹㙙娺줔ᘊ۟\uf383⬜㋛갞戴づ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1908682-7B2C-4AB0-B98E-183649A0BF84}\Compatibility Flags = "雝쨍鐿퍦\u0b5a㏳∗n㙥궞抽葤곯쮨囸哃\uf632₂봪ꁩ댦쎄℆処" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7FE605-A832-11D1-88A8-0000E8D220A6}\Compatibility Flags = "䌀ꁦ굄埒齚囂\U0006cea4⤸笵ᅷऩ䌂\uf856栺ꁍ껸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\DefaultValue = "䧏ꦞ㘹븸異攓ቆ犍䌹⌋퀐\uf3e1齱懮࿗\uebce\uf71f鐰蔸娩ꋿ㝑渥쒿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\RegPoliciesPath = "襊쪹쑊ףּ\u2e65‚咈쀍㍼偨謋潘\ue921\U000f940a锁럟癿υ窢炵휇ヮꕠ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\DomainSuggestion\WindowClassesToNotify = "踌엎讚ꃌ\uf0c8˻窱딣蓏煢잣ⅳᘿׄ뀱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe = "\U0002fefa╫刮矓롱\U00066623㍘赚諴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\UncheckedValue = "狶룓눪ந⠂싎明䲑軚\ue4fe" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "鱭Ἑ\uf50f䌊瘓纫懑咤銸卾ק\U000763b5ሇ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{210DA8A2-7445-11D1-91F7-006097DF5BD4}\Compatibility Flags = "ꜝ줘趠ꙙ鐴䂇庂꿓ऊ鳠ஃ㹢\ueb74ᷳƐ絲뼚紂웺䨹㭶" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}\Compatibility Flags = "➨퓪릙\uebc9馟ፉច퉎⎭䗨뫿ᄟ⇂\ue932" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDEOPENWITHEDGE_CONTEXTMENU\UncheckedValue = "賋楇\uf7fb\u0ce4琏鶈䶨홁钫㩢磔뜟ࡠ㞱䡪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SITECERT\RegPoliciesPath = "崺꜌䪩ꗶヱ⯀孅잊\ue4ed\u1257뇥㴚កॡ㳞Ǔ¶么㒕ﺢ섰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2\RegPath = "鳪٧䡅⢝玜꽵ꁍ臘ꃽ\ue4bb\u0600힔欉큔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\DllName = "\ue352梈\uea8b\U00088106ଛƼ㬡ꏘ욍䷞鑚⾥巁폳ﰙ뼪뱲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Build = "\ued5c徙ﺳ쵄浻ཱུ뛗❛\u169f勋臌\ue549ꙿ\uf247愭𬙷\uf7a5䰲잺蛼ᨶ彥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}\Compatibility Flags = "澪晢鋖깽܌ɴ䑿ꄰ㎿墉ﱇ묂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\Text = "쟂欨˰럎\u0893ߢ\u09c9寮໋Ѵﳾ鼡︐䅐綹" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\Text = "叓쬥ᖔ\ue0e2㑶돣喅矖郮\uebeb㯋뻱ହ\ue179켡⦓椭蘖闞\ue6e6䕂ؐ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS\CheckedValue = "ﬗ汖쯇㤰鎤搩氅磖▴䫼ꍙ钕邉久\uee99刊ࢢ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}\Version = "䆪쫳묰ﯖ購塔啩〦뾰ຫ蚉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}\BlockType = "㬅ဤ澒ﰹ\u1a8c喿\u0bbb饠峨䎄ङ貽놤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}\FWLink = "\ue63bꂺ캷⫲Ἐ\uee5a봈⚍躏첩䓰੶骨\uea30滾鍊릚秡\U00046b04\uec7c괏" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C80CE4F484A66E40BBA6B0B6F231790128B8A7BE\Policy = "緊㴤㝠蓜⌤閭\uf875✖ම歊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\HelpID = "砅혋㴈ૌೆ忨\uf29d㖗㋧汳衑閺⚷䅦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00020906-0000-0000-c000-000000000046}\CompatibilityFlags = "ꈜ裦摝숹㢽虛郮赹理鲆辋䑵ᰗ渵㽟滙儥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A202B231-EF71-4A08-BDB9-4CE5AE8BDE0A}\MasterCLSID = "뻳躗သ\uf281\U000d6c0b䋑ꡃ녆╃뀉冇⠀먜ᝪ뫪␄㴽䅯洞ᄪ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\MasterCLSID = "䀉\u12bf拰Ἑ씊⊤橦藦⮔뵠ㅾ㈫\uf261" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{D09CFF09-A42A-4EDC-9804-E61224F59CA1}\BlockType = "ᛚフꄇጶ腃\U00016727ힸ∬ᆳ\u2daf㨨礖磼㢈퉇ꔌ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{F98BA7F6-48D8-4CE7-A8D0-39D13FD6F14F}\BlockType = "\ue5ffॢ㎙ꏈ⼔䫚⣹變茞卟ㄙ챭ᢅỼ쭑\uf1c5న\u2d6a䜕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\Version = "荼烼븄䟣㝤꽗諅Ꮗ鿍ꐻ싕ᇪ阐\uf69c꺔믘⒯屉筵䮣ৼ\ue8fc" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f28d867a-ddb1-11d3-b8e8-00a0c981aeeb}\Compatibility Flags = "곯ⶨ劼ѧ啳뭇믽殥漍⻅\u2efc㓍\uee4c嘥峾挩⟓玱쎟\u07bc\ued20Ⅴ漿삄" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Bitmap = "吐îῶ딂\U00067a1a\ue956䖴⣠\ue5e9\uea17厥ꮾ벙⾉౦쭬ﯿ䰶퇼ᅃ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\RequiresReboot = "⎼⽣늼唛나⽯朡彷࣒楺\u0b78컁鴴蔞ꭅ秥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}\CompatibilityFlags = "\U0009a6faᖦᨦ쇩밲邭왢ඕ깣⯍㟂⸳嶸敳괜ᦘ\U000ae23c虁義ࣄ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DC99E960-6594-45E3-9D5D-141D825B8096}\CompatibilityFlags = "鲀\u1ae5㸮㷁皋虐᭞橙쫂靈ஏ쩎蝔ղ튜쌴ꊿ澈\uecd6幻씕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "蓜퉸レ\uf6ed㘭燺ӳ꽂貯窰㹊ռ桠\uf2d3\U00088ceb㯢创멧炌椂䠶揯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}\AppPath = "곞ꛌ홀Ꮊ贑掊\ue35f垨Ꮮ\u05ed沈絲⇑ꂋ찶鼜隁ꊊ\uf0c5ヰ疿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{283807B5-2C60-11D0-A31D-00AA00B92C03}\Compatibility Flags = "㳾댲ꝑ䉕Ύ텣翢ﬖ鶎鎯䴑瓠뙸\uec85䏲" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CECCEB2-8359-11D0-A34E-00AA00BDCDFD}\Compatibility Flags = "卲\ue84f璼녎擉䦂䑫餢쯠㴢ꀳ\uf749\U0006c688\ue3e8懽鰎쭷ᐕ渴" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6DDE3061-736C-11D2-A5E8-00A0C967A25F}\Compatibility Flags = "ힿ諬錚stᘎ養썐ᆌᾆ蒄文㔫파辧\uee9a\u0558" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CERTREV\HKeyRoot = "\uedd9섶뛠ﳔ\uf2e1\U0008f80aᰥ\U0010e7b5类挋衖㰳焫뺱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INFOBAR\RegPoliciesPath = "셋\U0006f015噣堺ꙅ맄赊俢匎Ԏ컺㒶氰ِ秷詾禛陉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{724D43A9-0D85-11D4-9908-00400523E39A}\CompatibilityFlags = "煳⤵㒯쎀岎Ԥ⇕扊약韜ꢱ\uf723ﺭ\uf78e隠跺°ུ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CC962137-2E78-4F94-975E-FC0C07DBD78F}\FWLink = "䥚✱\ueeb0뷈\U000c3b15綯鄙䅙Ὃ썚퇏찕蠔퐧봮戳嵏ȳ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "겜ꖥ崑ᵏ囧녠쵤共ȣ膖" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Document Windows\x = "᚛헄Ꙙঌ鯕\U000cf81f\uf2c2첁툤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACTIVITIES\ValueName = "ॏ丝巤訝㵇窹\ue98f忮й泙Ç捩캑뀈ꊸ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\CheckedValue = "抏똡籫㦐难雾頱Ꮹꤒ㠜诤߭⛑吧늦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.3\Text = "祷䘼熛유᭦\ue75e藤\uec94\u31ea詣䊨繛⩪\ue6d3娃뜹襁냍ࡢಒ⛀\U0007953e\uef1e" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN\HelpID = "덦ߑ圦␦ᑏ脧曀ఒ嵄⿵胅ၲ䫠" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\BlockType = "흖곥ﭫ뺩笥㏞㊧﨩苯\uf4a4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\ApplicationTileImmersiveActivation = "ಿ쁲磵衼媣즖袬讪Ꜹॗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\VSTOInstaller.exe = "㴫횋コ啠癰磕ꠑर憹뼝㎲㇊\ue4fd" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38AA78B2-B824-4C63-A512-02FD95FBDF4C}\Compatibility Flags = "鴒⎲껡肢쇃\uefac둬鰊ﴫ㽡႑힚吒" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\DefaultValue = "覄阼\uec53ꟗ仛荱烣퀄鶅瞙ⴱ\ue518" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "ꤳꂲ玲檡ꀂ㧐쐈箤毻椂횣\uea68摚胑⮂䊔䏊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "蠽쉽趚䕽⬒앚桹\ue53d撿璬稬멒䱲Ʒ⍤鷓忏煛௶\U000f6158" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\pnrpauto.dll,-8002 = "琘壉\u0c57眔䒌ⱨ偄跭腲\u0bbbᷪ賚" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\IconFont = "ᤜ쓡\ufaf1䙤ꑃ層♤✟좶禩\u0dff윍ዊ屖䳰" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile System Backup\en-US\0409:00000409 = "﮽駼\uf37b㍯ᚸ놺\uf8c5㈇\U00063913\u1add桔뇪Ӎ햋꧹鸩\u05fb퀋쮥殭勁六" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\XboxNetApiSvc.dll,-100 = "ℶ꩗ሦ衹㝇珝\ue805严栈᎑ۚ䃯젫ཿ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "\uf7a0\uf334쳟\ue3de쐙㷓䆖틎㚙ᓽ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.MiracastReceiver\appType = "懁ゐ\uee11\uf66d庍䓼曍⳿砨Ἡﳠ氋Ո\u0ee9ꪇ퓔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\MenuWidth = "퓢得윻牎ᆳ悹⢣\u0fe8阣쌶ᇣꐍ㙐鱑\uf142ﺗᜐ﴿瘣풌ꌏ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Console\ColorTable00 = "ﺓ쯗䈟㫞䉖榔\ue6e6\uf5e6싩᧟䃥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Console\WindowSize = "ⱥ펥谒夭姈猿Ж臾䘩蟱⣫쥩\ue2c1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\sapisvr\HubSleepSound\.current\ = "¢\uebe0≅骜룷튎\ue37c䄹洴\ue505ꮥ䀒⭲㏧\u193c\ueaf9" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\AppWorkSpace = "륱畿ታ匦Ⴤ⊗ῠ䳜ꀯ寏넞錎鬒굕凝賟틯꥟謇\uf3f1寺॔" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\appinfo.dll,-100 = "쉮砘ٽﳌ庆\ue276쯎\uf88a놯欌铏ᎍퟰ༩롳眓\U000498f3" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\StickyKeys\Flags = "쏺鴙搓ᦚ꯵퐧鵜Ζ\uf2bc䳆㛃†놔阹搶ʿभ\uf5d6컖\ue422" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\SensorDataService.exe,-101 = "蚯멂\U00102c98範翏䢑\ue9e4\ue044\U000fc79b㏾\uee6f䞓欉\u177e\ue576ᙤ䄾\ueaeb" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\International\sThousand = "⒋\uedd1옇\ueb5b嘶\ue88a㧩摩\uffd0\uee03휣붬轉恞㭃鷺ﺉ泥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = "逿쩤鲕ট嫏\uf47fौ\uedbf㍆\uf5c7ୢꕧ퇣" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "ꏺ썕\uf25c᷃ྑ囼\u0f98迿럼춑瓟욦\ue80d뭮ွ○䨠ꁔ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\RightClickZoneEnabled = "ﱱ㰽욫쳛䎗䒝閆ᯢಋ뀰퍆邯㇕貯" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile\MsaDevice = "璈ᚧ삣᧡ꎴൖ혯⺯밣\u0cb4栺稏踮ຑ譪\uf8dbኪ㝩❒䜶詁ፚ텻\uf4d7" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\Windows.SharedPC.AccountManager.dll,-100 = "\ue6e5㵐喔ꞥ颋ᵝ첐\uea98媝蟀躱鱠㶧ٝ\ud7a4嫬╟⭑㍶호쭌؞\u09d1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\ssdpsrv.dll,-100 = "粥ᬆ㈃ฒ栓띦웄\u09b1\ue276蹦쩤悂덐뼓㤚ࡍ\U0004b99d\ue002\ued6e퐿욓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\mprmsg.dll,-32001 = "\u0fdb譶餃읬촑뺎\u0e83냑忲퀙䌑ᒫ鍣鉉偤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\ToggleKeys\Flags = "⫧ٖ卓ᙪ宬𰝹왲䞿鋜斶䊠饴訟岔艂塀᪸\uf82a傥ᆲ័珿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Colors\Window = "ﵷ釒쭋㑤熬䫞\uf8b1䋸ᔺ姊禂\U0009f798閺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000010\Target IME = "㉒\ue146෫練綜満㈁陙鱶㻋霠煞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\DockTargetMouseSideMoveWidth = "⑸㬤Ⱘ胉㸘薌ㅋ覝濯鿺שּׁ삺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\nsisvc.dll,-200 = "츧\ue05f䴦ꯓ篛畄害廻艼锻ប菉䒭ꁼᝍﶥ兤쇇봳︎磮丌굿" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "ᚕꭂ\ufdd3\ue906氂孫\u175c띞樂峗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.DeviceEnrollmentActivity\Setting = "㝸\ue316\uf3f4뵛᪻꧗ƿ귫鸕䃐\ue4dc촹㒐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\Accessibility\SlateLaunch\ATapp = "塵굪\ue3a7崔耧ﯲⅠ쵽愀盦㥳\uf785ᨗ曧엩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Control Panel\Colors\ButtonShadow = "㶸吼地ꢅ\u1739ꑮꝌ\ue233嬵뭿远" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.System.AppInitiatedDownload\appType = "㟟ṽ\ue197ᕎ镣\U000771a4侂ᚍ⢲ᐠ冕枊혧늒騼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "姣뒰螖✹譗螴䣹鑡鄱궬ⰱ첁" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{374DE290-123F-4565-9164-39C4925E467B} = "\ue038编鮐ꐯ꙱껣崒잇៲劄塎滇ᐛ⒮" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\CLSID = "ᄇ䶂䣢㸝ꃷꈻ攃턁䦑쏛仇谂☫\uf37a\u0ad9㨢\uf00e莎\uf087ယ쁃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\PersistentAddinsRegistered\ = "颮틟拁봝馵澯釪ҡ\uec43馆쬒綧욟ᯤ燓\ue80b远\uebdf㴚捿㧑ꯅ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\CortanaUI.AppXdqzy4rv7kwckn6efgetkddm1xrgzrswg.mca\Dis = "ퟙꂆ֫귈摴汲\uf156䬚缢饑\uece8\U000327e6䋔鄙忏뿆튗钿\ueb64" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\ = "驏併陎먬훇ᡨ갨竍鸐駌륄䴝겉碏Ꝟඝ⋇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "\U000a8b7d큖꽬䢞倚鼾⯉읖穢\U000c3f36鍮\ue658櫀\U00078d6b놐魪瞯褱" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1083666204-94104884-4233206613-1271453470-922726920-1064507403-787610193\Moniker = "爆〭맾ℷ艻曍鬷큁췘༑䴄뀿틘ᯧj⋭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx\Content Type = "ꬔ彃㽋缌繥겘\uefee\uf7e9ᇋ츿돌욪\U0005a29a\ue92b\U000b0bde萂" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "淟蟴栜\U0009f5e3ᕵ직魨紅塈此舧" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vtx\ = "풄恽ד\U000fd7ff\uef5b䪄嬗벚锂㮿ܜᐪ鑭䕻蛱뒺" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Behavior.Microsoft.DXTFilterBehavior\ = "\ue281荪鞠뿠ꢟ㉊岭繑ᯏ笞\u181fꕄ䁻낥蚂愆䪳ኺ\u2feb∜\uf8eb\ue5e4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0997898B-0713-11d2-A4AA-00C04F8EEB3E}\InProcServer32\ = "ಜ혈ㅚ퍍齩\ueb11걛ᝂ൳騂羽鬢ㄠꁖ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.PeopleExperienceHost_10.0.22000.1_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPre = "㜘쇱铜ԭ馇ꒋ射菕\ued86搾忙" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\ = "䮟앓⒳컉\ue61e〻\uf631\u0ad3\ue6d8ﬣ᭫㭵엎ꜩ蜇" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F290BFB2-1864-45B1-8804-2654194A87E7}\LaunchPermission = "䖫\uec9b甓ᚗ箚5㇇\u0eea鎬뱷ꪌ㙼\ue210둧榩" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.EnterpriseDataProtection\IconBackgroundColor = "\ue6b9╥작㻡\U000376e7큔풶↕挦ී⊭졠㼐篲竸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{06587E71-F043-403A-BF49-CB591BA6E103}\MinInputConnections = "\U0010e0ba㊊ࣖ娮嘨\u206f῞슌㬴﮹ﳤ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.EncodeDateArray.1\CLSID\ = "컣觙黤靇ᐻ荄㺸\u1cca瀪\ua95bꀡ諂㢼\uf1fc⻗" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationCompany = "㍋珃隵ㅿ\uf685ᤶ䁽⎏榤잢⨨탵笙\u0e62\ue4bb" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\Server\ = "↓\U00100705紭\u07b9珰D⒃⽸韄붗檓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal.Bac = "뀕\u0cd2볥ሞ\uedfc\u1759洀뱜㒿鬜똎侙茭ᕪᭌﬦ颕纍๐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\ = "\ufff6\ue9b9\U000d41f7\U000724ca껈聑㗹ⷐ\U00094852\uf5acᖚ\ueb82삄\u10c8ʝ嫸檼" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1b7778f3-fe54-443c-8729-1e78b0715299}\ = "㥃楳䭈穂\u2e69掺볌ઞ릱딦\uec43센伭렾ᡄ䦂ꟗ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BrowserBroker.BrowserBroker.1\CLSID\ = "枮䟰@㭌\ue4d7\uf044\ueabfﱻ\ue9b8\uf124搖㝫⢱䠷쿚慼㛝䰐㡃\uf7ab" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020819-0000-0000-C000-000000000046}\InprocServer32\Assembly = "쭛蒊篭곳㏚鐢䖄杻闵鬮齇챻彤粗㈚絓₂墟计덅뀱崄Ή꧆" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "\ueffd㚒肩\uee63䏅픯砧𮉕\ue8fbꜾ➊䵨ㄬ\uf8f2瞃\uee96헌" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0b2feecb-1577-4fa6-9a29-bd9022ebcf90}\ = "\uf192\ue539\uf2b5֜䎓㹓䮵ꗍꈌ擼젖ᡸ⭠耗ረ祜쳊" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\.mts\ = "\ue193㈥\U0004a266漯렛요퀕厚鍼\uec1dᔭ\ue4cc봚考\ued99斢铤" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppX4jbzrhvphxte25e0gxha6bq555nrgqzy\Shell\open\ContractId = "⅚㤹뽮\U000ee42a\U0006e84eᕉﮀ❇㾉ᜳꤕࡣ哘䱳⺛⇦索硸皟\ue35d" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}\ = "⫃臒논▛☬噪檆\ue87b枞\ue577\ue9c2\uec41" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wtv = "훳턝\uec9e\ue1b4憓橝\u137f䅠语\ue08aヒૺ솵\U00087d2c㈰侥姯僎戠䋳°" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.System.NearShareExperienceReceive\IconUri = "㊪\U0008d3ecӢ趵\uea92踶蹥□쐯냱\ue394" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000304-0000-0000-C000-000000000046}\ = "\ued40兂\ueb76ಮ\uf78b漰掚㠁获镀좴䵎\ue2c2རᓫ嘢靼嗓ꡤ绞꘧ꇪ礸" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B3FFB92-0919-4934-9D5B-619C719D0202}\ = "腐꾸\U000f8f4cꩡ戨ꉲ뫱垞ᴎ䘯汥䥻ꆃ笩噓\ue362瀸⦦寈鶁\uea62硦" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.CapturePicker_10.0.19580.1000_neutral__cw5n1h2txyewy\ActivatableClassId\App.AppX3g7kd1zg4a65n0t2ds4j7hffbf62pp9n = "檎㮫毤恔舁嚌\U00035984\u0c8d屌\uf32b너" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{267DB0B3-55E3-4902-949B-DF8F5CEC0191}\ = "㨁뿌㚿⠢䂮\uf507\uec86ෝ䚖沁⚋峥쾬ꕗ䗨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}\Shell\OpenWithoutDiagnostics\Command\ = "\ue8e4\u1cfc㢽䴘癆蒋ꗢᇴટ「ј벬\ue027툫\ue4ae\u1716䭸\uf71cŃ\u0e3c爸\uf7cf" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pwz\ = "慺賢\uf738瘯\U000fd86aᲪ肵堊ﴗต嘛\U000bcc7c䑄擹⪨" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{15fc1bac-8d83-4e87-8cc2-a70c9f66f943}\InProcServer32\ = "悧瑲釱㠬敷鬱⸠碝螯耩轥" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3B1599F9-E00A-4BBF-AD3E-B3F99FA87779}\InProcServer32\ = "䪌퍬禜姂癃ﵻ闘鈠䈯狸껉㾪\ue4b3㝖㐰⾔楔릵ၪ㔛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}\InProcServer32\ = "푽ᆭ庑┸턠鐼\uf38f騷䌖셑搇ଖ핫놬㗨栻諦绷ᰢ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4456C5C3-DC01-4FF3-AF4E-06F4EBCC3B09}\InProcServer32\ = "\u0c71錢䏒፵ⷿ◈❎䋫\u1759熝곳\ue2ac\uf4e2⑩\uf87c醾솯\ufae0ή較먦䕫\ue068" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ogx\Content Type = "Ꚕ줶従ጕꌮ◺䰨\uea3c嫭㹉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19\Application\ApplicationName = "爩\ue60d䃲퀊ᘊ㪧⅖䬸玦䇇㰛\ued19⟞\ueebb疓䯞\ue412룣忀\u0acf\ue7e0륏쉸\uf0c4" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AccountsControl_10.0.22000.1_neutral__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPrefetcher.Internal.Con = "堌缳紨ᄃࠆ稇튚ᤈ꺸ᴚ羪" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EF76D68-8661-4843-8B8F-C37163D8C9CE}\ = "솛誨땹\ue78e훿\U000af889ꭧ㣧\uf7d3\uef62\uf1c4누钳鏚慢ݔ\U000c9f47獰趵䦛" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4564b25e-30cd-4787-82ba-39e73a750b14}\ShellFolder\RestrictedAttributes = "嘻簓ō\ue6d4菿뿈빜⇅ᾏ輾痨\U0010f358⡘䔱沬Ų⮔顁㎜㎚觕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{362cc086-4d81-4824-bbb5-666d34b3197d}\AppIDFlags = "\uf2f3쁲⤸ꣀ홄杯兞\U0003f4c8袅渧嫫煱漫瘹Ֆ휘ᔓ똪\U00071e42ܜ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837532-098B-11D8-9414-505054503030}\AppID = "ᄂ럙ᣍ䑤뮏왓⸳ࠁ㸢晥ᙏ搑" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.22000.71_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXgxgm8gs8b9vsjsd9gvhmn = "\uf11d䏯ꎿ뿇꺹\u2fea탧⸐黁\U000b22e3䁬稓ꕃ䐆吝" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D112E22-62B2-11D1-9FEF-00600832DB4A}\VersionIndependentProgID\ = "ꈜ\ue260\U0004ba99笯ǟ蘧\U0008f630謥딏\u3097샰롶뿈뫏果弨䚫孕╀蔅" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CERFile\shell\open\command\ = "哀ᮔꊔ쵖션⼑㥛떟훃\uf2e5特镃" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03837521-098B-11D8-9414-505054503030}\LocalServer32\ = "ꮏ\ue130ꓨ倊髡軇擤\U0007d84d샮ꃏ嵍뀈\ue447\ue0ac⎣嬑̭" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfe = "땣ಘ\U000abe3c羪뫴塀剃뱀\ue126㵕⨽ᅂ\uf7d2皺䵑\uf091\uf08a웍އိ꽩ꘀᆧ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BA783C1-2A30-4ad3-B928-A9A46C604C28}\InProcServer32\ThreadingModel = "隵꠆꠰烖꯹焁\uee05襨鞲泣笲ꧼ\U00082036ᢖᖶ邅嵝鬛⨪\u0efbꉿ\ue298見" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\ActivatableClassId\App.AppX46rqe0eha6ypqrxvfyqqtwydysxtw8tt.mca\CustomProperties\C = "瓤⥓ἧ鸕詒嬅\u0984仦\ue539쎟ᦪꙊ穡ほ\u0e61쨲哴臹禸ꉽᕰᅝ鯐" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\MicrosoftWindows.Client.CBS_1000.22000.493.0_x64__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.BackgroundTransfer.Internal. = "䷳ꭊꦴ슲\ue33e溣㧌죞᫈ᐴ靚鑢\ue0cb" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A614B00-FB18-46F3-950E-682A46A48B9F}\InProcServer32\ThreadingModel = "☧テ七å笅⼯追៘ᔈ쓿凗㕆鷲짿媜\ue3dc襘ᐳ涋틺涷䉕" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\3\Position = "栎㾶\U001074fc卒\uf508ᆽ熿뿺魖飘\uf791" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\AppXpwc46qrmp0f8q5ysxk6ngj8d32yk22kz\Shell\open\PackageId = "듬㮓靛䓎়禊㢜㉠\uf740\uf045ꤾ몎禞霁䆫퉩苌蒏\U0005afa4\u0e7b킗\ue0a1" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20E6D937-F6A7-4C7F-8E69-7E0AF81795FB}\ = "줻䶷諗ู钙䳇닯ⷔꋯ螏\ue864䄕\ue533鬙鶰뺦嚀㉈⠹ᛏᯭᴻ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\microsoft.windows.immersivecontrolpanel = "㾜ࡪ袢谧\uebf1蹖\U000b4084\u0b00ࠐ" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "ᑐ匴즯㵟鵲淕ꉾ켥欒檖\ue2a0筹ப◓" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08d5bfbf-fbca-4322-9f70-ca9f66f8ed6a}\InProcServer32\ = "\U000f5fa9뙉ᘎꮎ轍핈茋ꉐ㞸땡뜌썂麅䨖藓㎭抣伦㭼伉" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "篵칝\u2fe5礬\uee81볢ᆲ觥䑏槞悊曱\ue67b߫ꤜ쓗춞" | C:\Users\Admin\AppData\Local\Temp\Thorium.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
"C:\Users\Admin\AppData\Local\Temp\Thorium.exe"
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Users\Admin\AppData\Local\Temp\Thorium.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Get-Process -Id 3516 | Select-Object -ExpandProperty Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Process -Id 3516
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\oobe\images\浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ$
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 燸ᯌؐヱ⋆蔬㉌饵䟑䁠턏錇₭療瞞䔤줚ᙕ剫倅맪
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 넺ᖡ㣖ꞻ妝㏥ࣺ留狮鵟泹㯼험僾ꓕ븯㳱骽
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c בֿ䨉芩蒊閥┡㝉靓۬
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ⼬㪕䢙륝蕉硫ᶄ뻚ﶻ䷫⎍땅枉ᭇ䄈ꢜ
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 픅ﴀ东桟㣃遾ꤊ謫
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 744 -ip 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 888
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UnlockDeny.pot"
Network
| Country | Destination | Domain | Proto |
| GB | 92.123.128.150:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
memory/1196-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp
memory/1196-1-0x0000000002AC0000-0x0000000002AF6000-memory.dmp
memory/1196-2-0x0000000074B50000-0x0000000075301000-memory.dmp
memory/1196-3-0x0000000005600000-0x0000000005C2A000-memory.dmp
memory/1196-4-0x0000000074B50000-0x0000000075301000-memory.dmp
memory/1196-5-0x0000000005320000-0x0000000005342000-memory.dmp
memory/1196-6-0x0000000005C30000-0x0000000005C96000-memory.dmp
memory/1196-7-0x0000000005CA0000-0x0000000005D06000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_dudpna3z.b5m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1196-16-0x0000000005D10000-0x0000000006067000-memory.dmp
memory/1196-17-0x00000000062C0000-0x00000000062DE000-memory.dmp
memory/1196-18-0x00000000062F0000-0x000000000633C000-memory.dmp
memory/1196-19-0x00000000072C0000-0x0000000007356000-memory.dmp
memory/1196-20-0x00000000067D0000-0x00000000067EA000-memory.dmp
memory/1196-21-0x0000000006820000-0x0000000006842000-memory.dmp
memory/1196-22-0x0000000007910000-0x0000000007EB6000-memory.dmp
memory/1196-25-0x0000000074B50000-0x0000000075301000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | e080d58e6387c9fd87434a502e1a902e |
| SHA1 | ae76ce6a2a39d79226c343cfe4745d48c7c1a91a |
| SHA256 | 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425 |
| SHA512 | 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede |
memory/3652-27-0x0000000074B50000-0x0000000075301000-memory.dmp
memory/3652-28-0x0000000074B50000-0x0000000075301000-memory.dmp
memory/3652-29-0x0000000074B50000-0x0000000075301000-memory.dmp
memory/3652-30-0x0000000006400000-0x0000000006757000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b69c4a4d420bbbff67b0252630a6956f |
| SHA1 | b8e8104c2febc63f48f3a926d84678550ae78ca6 |
| SHA256 | 3685d92aa52510c2f0ceb9e35e0b7a09eb0fbdeca8cd27be2505fd97563c71f8 |
| SHA512 | fe0543afc67575e967b8a1e08aa08a35cb047643c33f0235b35d6437d421cff720a4dc5c823bb925f57570a28aa21b14ebb8d5c19afb7778d99c77fc86147f4f |
memory/3652-41-0x0000000074B50000-0x0000000075301000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f141ff57d143b277c6e349fa78b2f3db |
| SHA1 | e1f59889af67bb03e5e71b14bf70f1f6655f077a |
| SHA256 | 01362a756f18385acdb24a658704dc32b4feaff8fbdb26c52d874d4eba383c9b |
| SHA512 | 71af0e02879a6edbf8d4e1eb9e51cb161e85b227d275c4dfc76aa41cdf9dd156e47187b75f96ccd368ca6258a9734839c2cd23e92da073a0621f8be1a521c72f |
memory/2100-60-0x0000000005F30000-0x0000000006287000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a05f3d358baeb6bd325571316c1b00fc |
| SHA1 | a9ee9123d79d0c59660125a8edbee739b4e819eb |
| SHA256 | 670006f57d57284970df1e94ef83d75f2c1bd266e4aead949fddc443bc1b03f6 |
| SHA512 | ac3492e972229f0f5cf009281fcc5ae0e84a8e87aad29b8d74c5d381b7de2b8672e3089a84ecb358bda7f687a12910b5a3531806e1bc448355a79006536edaac |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f2228b433bbfc1ac315aa60448847302 |
| SHA1 | 8a220dc5c237e65a5dbd42751f3b6d001802f8aa |
| SHA256 | b4658cd6e9db33d4c086bc1a2a79f436875501ed927d6a4b6ee8e90a7b6b7927 |
| SHA512 | 3bdb5261f1c9fc8b2799e945b65d2200c268301ca59e508c232f8145e8d0d936fdf84176f8905ccaa49b39bcb0170727f35afd003052065f3fb808606b9e83ad |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b28fecf6addb7ed4a630ce079d8dc40a |
| SHA1 | eac82b00d590dc8ee1ca0c6fe205f9a79caaa038 |
| SHA256 | 2997fb4e7d73da444bb9dc67c460c8554aba1d00972541794342ba8a664f610d |
| SHA512 | dca751666f47dc367fe18e96e19f90fc409cbd013e5fc33d445daf012813cef072e503468ae3438c98ba6c4b40fbbd2d09b884cb73aa30547000292b1eab5ae5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7f0ec688427aff2b6ff46bdfefc0b2e7 |
| SHA1 | 7d11266c6dba976bbeaafa43acbfb7876bddaa22 |
| SHA256 | ebbab8fa8ca39b13269f2061f37d73ca6c88a93a06e29f58b87635fadd3b1590 |
| SHA512 | cfe3e059110906ed07c78289ebd36800e3da8ef059c738a3cb9eac09c1ca46a8026edee1c152be5d246f42b3089dce422dd958b45f808b3ce3993e76a3e3aba6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a6370ed9ad234bbcc75d623067d8a36 |
| SHA1 | 7ac1092cfc1fd21bb7c64b39e95591991961ae5d |
| SHA256 | 2cd613b6f1fb577a5715600fb7d3a7f94ebc9592b07ae0c098f0292deb967fb8 |
| SHA512 | 01f5dc712a4aae19a91aa11ac11e77b9a2ceb43bd4c7a6c2ce6b30eb2f26e7b1aa1e8ff78ce6e47f0e507fcbe964d4f5e35cb096e0552c9d973856a3269b8a05 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 56e693d1c637a073283ba4b66d7ee3a2 |
| SHA1 | 5e94d586c7fbc49dc5868a5f5945e0d7fd7a1648 |
| SHA256 | e3fa8a92ccf173cda53d8f61e7404dcdafe2136e83ec8ec1eba927fb72c4dd73 |
| SHA512 | cfe3d1eb8ba3909f2fab0cb9375509790498c26143c3f6e3a010062856be0c4246ff3cdbe4edf694a927badf56187c8338318aab2491f02d2fce033bd5e1468c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81b38baaf135b8424441ac76b7f19d7b |
| SHA1 | a117fac7d7787c0bfce3c219c98c81e89619c6a2 |
| SHA256 | ae7f3a05b4b1deac8d7eae7587105ad8be9b7e619c59c1559bae6a0498e88798 |
| SHA512 | 8f9383bc877f5aa26aa37c221cdf6dc5ac74fcb85413e19eb3ed6046e993b45cd3c4f00b8640db0d612682a286e5151cf8f9aae68f2e558e9c47d48e0646827e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ea976a540393399ca4e9a8a368af019 |
| SHA1 | f4538873b03d9ca6a6bca24b5222b4049ee95bdd |
| SHA256 | 4fcfecea38d68038d5a122545159480ab2fd639af786bf4e60640d36e8fe83c5 |
| SHA512 | d530790fc60427dacd4f10f0b8172dd66253d7075b4463711f375221a1b5ffab2a34b21a7200ca211c9a62bef09a015b05a30832a5ef6c6806ca8ac0bc71fcce |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5d5f6f4934760dd2e1282d166e45ac0 |
| SHA1 | 71d5debc4c036fcf54f5aae2bb62b6dd2fd41cb6 |
| SHA256 | 936fcb6ce398b005b9a3c5047e7643215800f6e9244c31ecce9e47a2a0ea1067 |
| SHA512 | 29e1664f2625672a964990e8c080b5484195a8bafda438c97081da6f9cb3d454a3d18aec26e69f4b21000105de62c41d428d4cda2fe2d9dad13d0429a72ce2eb |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 141d06dc422c12435a4c0291c3bc637b |
| SHA1 | 322c89e59b8dbfa3486a39a03fe3f3b5421619cb |
| SHA256 | c5070cf65d71d0e93934b0b65660dc957ac051f195de782e386dd6d232a81830 |
| SHA512 | 041f6a0506dd2cecc94756ec450a43d10da4e9ea725587aed0afe9acd0d2181c9e46e754b1230f5670beee1b3ffdbaf0384ab6f07b7561edcab42c3595b4cf37 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c723819743dccf3d7c5f406b24b64511 |
| SHA1 | 3ef92efac549a3a1607c26cc51e5cf1f559272ed |
| SHA256 | d310ebff3a65dcfac4978d403d0627de379a90ae6a1dea8a50e7ef74c174d22d |
| SHA512 | d33dc1d92f65894962708efcdc0b9e66916e4cedbb9477286624c1aa00a77a1df66202252d9ac6c3454fd0a3320af0b2f2432eed2ac6905ef83bdef2f5193008 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d4cac4c47fd5355ae356d48ab13b5463 |
| SHA1 | be75f80672e76cd63b9dac1981a7d18b5435446c |
| SHA256 | 0b5c567bcca2c68e1c8f842afb5a13b1b46e1edb154a29f1de1d41492fed1ef7 |
| SHA512 | 5c04a6af61fdee12a252bb631ad52cc8c102531cd427f5a7382c6bb422e90741b8f10a19ecf61f0b0fbcb408c7e891d5a464d09630dd3447dc6b273cf1ebef45 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3fe941a7c748a56bcdcbb194b188f7a1 |
| SHA1 | 632ea42ed2eb2534170365ff96c527ac68ebe4f2 |
| SHA256 | 7e8352d5487c43a8f2994f9f46fb2ad48d469c5e7fc698423901c1e451732047 |
| SHA512 | f62528741327beda0310849dae2912519a4825169bb3cf646518199c58ff42f76cf0c081f35dee4dcd2155244f5be19342e8d8e9793ae5e79a05e937a307afda |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e0bb7f8662a7cb88a3988ec6a414d816 |
| SHA1 | 0db805b67154a632737d9ee61d936495fc5613ab |
| SHA256 | bd1b34802c1cc03d736577b5aadc5cf752a9ddce585a2cc988e3056114fed1c9 |
| SHA512 | a35241ce1bb0c58c6b8f364e6fd589649fb47f58ad051c1b45593ef844043e392984342db3756edb1fa75460102ecb8fad464218dd1e29039602f62f2cf93297 |
memory/2652-198-0x0000000005FA0000-0x00000000062F7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73dbafed94e570fae6bd84730398f1ed |
| SHA1 | dfc98ef52d077eef880887f896aadc8e61bae235 |
| SHA256 | a9a8b94445bedfbde8d671a9f4aa063c3b7929b69a38c8409a7586458ffc6504 |
| SHA512 | 27651a79529f544f0b591a2ad7d8b29a67d3214bcc47dc94532bc1ce2e0a598c641212834ed73ea42a2789a2b352b78336abc2ddb14310972df2e15fff0f9a85 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c00423ee67fcd19de052f56fd09ab4ac |
| SHA1 | 082583a0d634e18e8bf188968de799e84e64cdd7 |
| SHA256 | e198bf82fa002454cc929cf89096c42427b315081f6215d2e1474451b82fc4c1 |
| SHA512 | d06f78c57109c8fdfa8465bf5fbe8ad9d42bbde0b2c2094afb754b77d2bfeb196933171cd73872df18cb1e1a3cb3afbf08b61fe716dfaa798f16c294e541b32d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c5f0638370ad5544a8800afbbe4fa8f1 |
| SHA1 | dd6f683b3c51cb012769cc5b55ee142bdf8afbe0 |
| SHA256 | 58138274c51635675a9819844c62733226181e544f74740958f515bb1c79f6b5 |
| SHA512 | c11e6870734ca94d6df3d3bfaf7a1ffc7d63c784692fa8455fc951e5a1e512b54fb816259612f4a69f3b9c2bf1b1e31a1eb29aaad9ca7565d78b47ce71abf0b6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22012c8e1d894510f79ffef652bc1733 |
| SHA1 | 7d30a59413eeda9f6b86915e4a2fbe3b5e68a8b5 |
| SHA256 | 6d5b967590d24803dc7bc4c040699d26837a2107131a011c7d5362ae0e4f140f |
| SHA512 | a30d4f6ac186109acf2239aa358a8f3a3daa426e9a4a69e0399f56dd4a423f1d309eab23c8f66cc337f8592ee855931a467b625b016a2eae52d47ad3a1444226 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1e2f7afef09b9384d9e9b27fdbaf35ff |
| SHA1 | baa75df90ba2a1fb2a1ed14264aed971fd532151 |
| SHA256 | 8256e75bfc37294a8ed8379bc6f333be14b947e84437a0f15b35f34a5fe51461 |
| SHA512 | 23bc33b9eab89f91bff75b6277b9c122cd98fa8eabe907c62db9e323c9324a505335b8d3a5214b32c93c2e399da67ab9233caabf293a27385d32b83d1c23389d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4f3a176be1b592c128eb2f1d3f8c9f43 |
| SHA1 | b458ec990a1c35514437e78f9ed49544f171d913 |
| SHA256 | 155f474164e041235933205211482c59c6ea8ae5264568f6ac9368f02c770f28 |
| SHA512 | 399b640793d8dccb8c55280d6a2c95614c5ee61bdcf111bd29cef8b4000833681077704915b5b9faa8adf12b7e258a6df6e5db356b132f12ecfabf0786cf0615 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f3de175a38450e013f17a0a5d7c0422 |
| SHA1 | 295620796ad8d5d6f94c2958e09522d685384f97 |
| SHA256 | 4b1837ee4d341a1d86f56c5591838647dbd43191e75b8025b56a13c4c6596e49 |
| SHA512 | b67183225ef5390f56c045f101e2fc54216168e442cd679336b0367ab55fe1505e2d485ce0cc5b396c920dba17375a9d86217a85855f7b3eef314c554ef953da |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8fd705b5c6a21854feaba88c2925f3b9 |
| SHA1 | 5058ca5fcd9a6413cf8d6c554498a94fd567b724 |
| SHA256 | 9ba395b6d05e1306cc15d05acc15d295ab2a23204d59f409e4b9ba5f0994a347 |
| SHA512 | 80d14aa1e1227379b1805e9b27971e920d05e5a3a8ea58fc22541fa2d73c8aa565b7d213ad85d8eef7fb8b5b39fcef521d5459e6575284ef8361ec00c665676c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe7ec7fca8f1d8559155e602bfa39663 |
| SHA1 | fa68447eda37f2d9b5450c9b6b9f96cb7efbc671 |
| SHA256 | 1f5b5a796d4f222bc4ca5d65ddf94792b0ee5ac6eb2e9ba2f26b08968eaa92aa |
| SHA512 | 8c2faa176a0c80da24b1bd6124744837fcdbdf1b4b5c900fd97f3b8e82d774154a1731e66054d097cefc7fe9141bcbaedaad0153f8dd08f36ab0a5050c90e817 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2390f1fc9b36b94c66342a89ea115328 |
| SHA1 | e8d14ed5db93434f41e9e94f18008ea1a3d6acf2 |
| SHA256 | 1471403a32b49466e63c1dd65c5c40d2b9fb110d38458d259bf9ee7b8dcccd0b |
| SHA512 | 5d08dbfe9c5ce63dd3a84f9d6e251f158b03211157a90d76ad3992743fae5f601e489e4909c3a6f0bfb7398b219f4ad678fdd4ede80dffdc7f63a542e820b4c3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29a047c1cd7685a658c33ceff2c4725d |
| SHA1 | 16310a9fb3defa8c263940ce4921d92e9c56ac45 |
| SHA256 | 53187e713a19ab51e529d6963939970774284a76b4b882f316c1005f1eba385d |
| SHA512 | bd659e92d85bbb270d1a6772e984de735e0ab9cd96caf0d2f387c22c7adaace2667aa8edf5125d3c3cc2900ffea536db32de50ed2c59f7ff5ef7408a2a7cc94b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aea07e71a659006b0c5471affe365e84 |
| SHA1 | f429b326b08e582c5a2d2d15d50ab732a5272358 |
| SHA256 | b7feb4c2fafe86f14e7a09a7f46065aca051011fefae72f5b4935b9491643752 |
| SHA512 | 1917fc1f9213cd8c881e4c0c82f893df5de6c47ab50cc39909a7cf6dbba1df1632250e827423ce861b3b7e9f29de53b70262f65b10a7160b43da13c5e9a0cff0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1a0c624ef249bbd9ffe67edb9667080 |
| SHA1 | d2cc9d8b310530b1ade6d70030da5f895d97618c |
| SHA256 | 74b6402bd6bbcab62b07e8f7cb715d2abbd3446914107ab918c23512122aa5c8 |
| SHA512 | 963586c34accfcfb5aae05d00ceba48387670da08f3cc24e885a747a761bb09a03f49a03bc1ec56db72ee0511e14a1315d3971c223b004585341ddfb59868371 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8c1ea37922e2ed4a66fd7ef1c8e1aee5 |
| SHA1 | a3aee87d488f9980b103e6b8dfc563de9d6ad45c |
| SHA256 | a2bcef1bf06836a2beec9c9475759d79fcfc8416f78cec6988fe4908d818ecf5 |
| SHA512 | 2dba370608edbd9acdeff7bfd375e49e017f24b16eec5fd8bebd0c859d66161395a8e26aa3f302c8e5e865aab7a8ab259df80b3833b763d48ae47f052d348244 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 992f08163c39a0c62580334a3bfca69f |
| SHA1 | 80101ef22d4930e3c4c9ad69e59baa85d9d8d3e2 |
| SHA256 | 7f14f6e4372aa739121f5666ccf5ac8e71c181d067a883bc5ffe7c89ca0c522a |
| SHA512 | 1fc532ddc944f88d99cb6035c25f77c43e92eb15dd6405cd94b2733f96b6f544d1b02a164037d93a5c1b7b448b3db88ad4b6c932312a4764c9a7a4b60dc0bee5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d265e34c94e4210a539707ffce62b87d |
| SHA1 | 5006489d4f66aa1cd40db7cc84c808c69cd874c5 |
| SHA256 | dc27960e7ebaca6a6b317e56165ac36e4b0baa11c9108b2f612e1b6e854f4395 |
| SHA512 | 3a087356a1f2d06c107a08a328b09c5e81a010c530b15ec4ec761827d409e4b499ffd9a422f4526b30dd5b5ea3ead0974f26bcaf16637c6f5712c81a5671224f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28fbc89aefc726a9e32dd116e6aa7363 |
| SHA1 | 0a8b63f5dd818c12292d7aa0816e557e46b9ce7d |
| SHA256 | 30bf98b5b7e672c313d832b63779ba06a31c7673687c3e5764f06d52aa5db4f2 |
| SHA512 | cad70a4569b8e29d7c9efb5e6380015eeb66a79012242628717a8cb403aed41aee18aa86b74456a41c27d97e100b8b58e321c9eb45c3a8ca4ac0e52fbcacd304 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd054f7cc7cba1b01e7f22731ebfa6d3 |
| SHA1 | 7d3e73af9c7c1cdaecefc618c5a0f62821f39558 |
| SHA256 | 1015b85e3663b167115509b60874b53c26b15eef6d289472e13004e42245af85 |
| SHA512 | 5896df3c47c56b756a6e26f24f23e9cd7a7fd30a895def7d7b05ced36aa34d466112665d2e33988b5455aedc32d1f86782dcb107978ab48ee34116a8c8b087b4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c5f2c4a98999351187bb0dc2960adff |
| SHA1 | 84f320aaff7d24221e0986e99d15b271f4048563 |
| SHA256 | 880a3a0166770f5624343a5981ee6e9b4a578956a55d21d50702c05fbce69e65 |
| SHA512 | 61c7ffa38d5353c7681bc1a056941eeb1c4236616e25dfa5a603ce34f953d20918a174b1cc4e8ed87dc6e0a0ad3f75db55a61f62d3eb37e552e6d50339d408d4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 73d7c8736382c628fc9d896de64567c6 |
| SHA1 | 4f4911d3afe5e9824783dd248249739408387ee6 |
| SHA256 | d865161de22999e1e5e25ce0506a9511e44c2461eed361c61b20755e64cad37d |
| SHA512 | 293f14d268ed57dc594452631216f9c15d2c890c8246a42a314b56a043350a19c8c084c98b703d4b8495d3bfd6ccda9534ae68c4edd7dac3975ab844d6d44c1a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d1bd5a03cc28f3fd5356163525ceea3 |
| SHA1 | 12a4e6705ffac0721b562ae3104aff33e59c479d |
| SHA256 | eeb11ad30d54266aeb82d23e67ae0dcad7af0132457f5bb3730afc2516101ef3 |
| SHA512 | b902a0dc87d05eb97d7a81f4df0a025fcc55700fb3404534c2d98798aa091ec1017fe2a268a43bab1056c9b979928f88ead1d0d1c7e5852b29baa3d3a0551dd2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ae025fb8d42897493a10d3735a0b65c9 |
| SHA1 | c84254401de091e731dc3e480d9e93e5feccdab2 |
| SHA256 | 510bc6d8ac78a8eefbf0ec2a9c754dacf8ceff534b1f3fbae9b48ade419a35a1 |
| SHA512 | 08d6185bdbe3b01f3f17ee3fdedc35cbdc3264629044275aeac644a1bd5e60a4ee7e83d758fe3bf42732b3e5d49ea6ede96bdb4e367646bcc9376178e285381b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d50c2d969ffbb94d48026eb2186604e0 |
| SHA1 | fdf0c570a8043a87a658ded8b0909429baa38402 |
| SHA256 | f1341151b51fd4df27e2a12ebfe7d2f5b4d03673a7bb2b31ea0aabfd13c308b0 |
| SHA512 | b9c3505813b58750f028addfe9bd7b9ff3da9a13e027f81db48523b748c45157d925d40e5bfe2a8b13facd422fb8fa145657508361f509a2363fbdc729c0add3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 32cde18079a05b0fb32014293834299a |
| SHA1 | f39ce74de0f894ad9a906ccf39dac65118260b84 |
| SHA256 | d310a7528b79628f5bcdadbebfd1dca527d972322c28f6a2da38d0cde7575453 |
| SHA512 | 6ed15658e32b61af52e69825e5967322bd8e0c62bfd7852cea1a98fcb629eaa974d58ddfa2a4703300feba50a6e000799d0caa82378a3584a3d1105f620d9895 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a50eda2028ac1d3fc35a12354dd75032 |
| SHA1 | 9e7277958aba7fb13cd3530876991ad15d686670 |
| SHA256 | a871fc0cb68f4d2a43c553a3d14c5f815d6c34b39ecbe314eee5bca86b64c3e0 |
| SHA512 | aca19ab016660395b100aa7dac8501b6ae82980d374bef85c9eed67601dc42d7ed1a2dc2f19c36bff2f861447742de96755aef6cdb47667dacc94a09267089f3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e51411a93c35c4e08ff4b6a684241afc |
| SHA1 | 04ecf36008caf028940cab9cfbff5a01b89bb406 |
| SHA256 | f123cc9a3e5c4f5f66b8d655b85441f70aa26c6b0c4993b619a274a702bc7749 |
| SHA512 | 51ebe9e1eba7f7c8a1db502508367f746c748b24c271ac80ca62751f38c0069cdddb930c2463196e860ec9c810d6c869f5fb63233e51e32887fa7745e7952ff1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b675fcdfa0752b1067ab43d7657c4ae |
| SHA1 | 1d587f337fb73277c1a83815074e197fd0f48b06 |
| SHA256 | b6fa1a9537b1c5dab324f1e8b33a53612554fee1db82912be2c91f84c53def81 |
| SHA512 | d05a87bfbacd06a47987273e7af9afda5080b6e47cce72305e3aba2fd6a192b48190044f8800c0fc1bbe2c192b09bfc7711d467d75993549b317c04c78fb6382 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 09eae4ea65f3c962e46f428ca7bcf95e |
| SHA1 | 8054e233e9d73bc8a53746fb6f048ec9639431c0 |
| SHA256 | 994fe15cda38550370b4b458f15c5bf86c4c4f74b907bca3d37b16b81c1a582f |
| SHA512 | 5889013392fc9c5ca396fffc309a59159d427faab240281edfc8705006a9fbbd7072620d637d18bc44b41daa60b765edacd4f330c5f0196a2fdeabcd8d9cef08 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 869a8b2be83749865ffbc6312cc6b025 |
| SHA1 | 9ad7862f4b645c69eecae4c447a5a1cebb9930ac |
| SHA256 | aa6c500078b6b3908c691e6c09639e8f1a49898725fe183a0d69f1f715ded56d |
| SHA512 | 20e9c590f6cf507d1ca82d64c7efe51be3f3bed1383496b380220fb1a89f9d6e123a9b164b7de9505a4b5965efdf3d1183e8948ff0ff3ee68aa6aeb9b37bec3e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6ccdd9ed6d1f2c626baa0e4e6aa2ec22 |
| SHA1 | 56de476e750aeae616d9f6a3f1f7bfc39e4e4982 |
| SHA256 | 2e05fd6136b4310d620265f374f271ca42b7bb5faedb5e438d638b02470a3a69 |
| SHA512 | d84688d49b08f51724cfe4b0de16c20a4048aa710e8f37b0b5465d3d9d3025a86a7a1d8dfe289a6bd3a09c21bc5c3d7ed50adcfb120af7107e80029c19f42531 |
memory/5916-502-0x0000000005960000-0x0000000005CB7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 925a30664e1875bd2cb7d0202f1ff574 |
| SHA1 | 85af7651bb1f1e63718d7c069f20d6af8efab0aa |
| SHA256 | 5598f48490a8a89d231f6e96a702431becdf2ae34de37c2471a8e784d26f465d |
| SHA512 | 195f90f6e51c91be420d3476b203959d52942b45e82fcfe8015cf45e471e6ee942a29268e4b2f460a626a45277b9049efa0aac1fdd28cc5117458b714b6296d0 |
memory/2616-513-0x00000000058B0000-0x0000000005C07000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ccb89f5652631dc89129416dd9c1f86 |
| SHA1 | 9962a840d86abf0dbaf9723e1006e1a959621ac9 |
| SHA256 | 0792be9dd6f84f6cc152bd031b91de6b8b9c1f3ceac4db918013b1431ec5d2bf |
| SHA512 | 459f74638c9d94f27e8ec3e15f264838fff113ddf4fd9fa6852cb949f25635bbbd561f54151430e2e3928df7af30d76108abcb834ace9af3a14f8b877b69c406 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c0144b495598470b7c4456364bc5b26f |
| SHA1 | 736429b737ec1dcb8ee2d4499d539390dc668906 |
| SHA256 | f7d62f7bca77d0c5d1d395c76ac95d8dba80773293f575667171b291cf820e8b |
| SHA512 | 589d68c4c2b79976d7668d943d5ded71a25a71f11590e9b55f0236599daaa2048b2e58bf0eee7ce3ab13f16ff05f6406f563a74f68b108a04c69fd448ddcaa5e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6c8e3dedc15a6ecae99b98a329a925ea |
| SHA1 | 73fa580d0f25fbb4515ef631f42a317d63dd1e1d |
| SHA256 | 682128af8fcfa1fc3b0dc16c0c01f1c198efd261162813a432edfa441b8300bb |
| SHA512 | d911274952640feb95e85fce3dcc84d5367b35d35b2afd966ea032e50cbf71a2a13247db954cc0df1c6c26c20ae1340736f1c47048f06c19e3a5f81235906ecc |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e96d59faf87316675252330e1738a352 |
| SHA1 | 9e3d8279b15cc744769a3dc72b27de24f4e89bbf |
| SHA256 | 69b00a55e92b1c43dddcf300bcc60e1ebf934c0b15b5046e4033ccd9cd58e0fd |
| SHA512 | 96dca95f8c456aad0faeaa7456fcd7d09ffe93610d0fedd0afc64e32d0f510258bd3ce2498c4c846a76a4778739680bf448e34d28888951af7ea0e91de5b5a15 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 03bf1b0882aff80a2b24a6ac8225520a |
| SHA1 | d5e286877131d0c4e62885ecfbd8491cdcd29fbf |
| SHA256 | e01d5397c8cb1ebf6415b2e97adabb8c48656616ba48f048c39931a71a19979b |
| SHA512 | dfcf40b33cf3f56a1338c153b29e5c24640edc333dce8adca3b723c8a7f1a4d3275dae93881b51bddcb8f0ced358961783bd10fabad0e13d0dff738b247ae163 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0126d56b9693a1d82c8bcd2c6812426 |
| SHA1 | dc7f4717a53fc08423a8a9b07aad5df32be564f7 |
| SHA256 | 39e95dfa569ff1467c4bfae79f589e203e3965b7f0cf57cab0a6ed0d75668a31 |
| SHA512 | b58a2bb798c439a98ab4f010b142b0954080d49543e28897882a4ec3a6898e1a829fac623321fedcafb04476c4f5e91961ca6baecbb9a80ccb640951047b12b5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 374d3b04f17dbf1919a7542fbd4db8b8 |
| SHA1 | 062adb5e4422e09e76e1a239cd6fadce99934e28 |
| SHA256 | 4b1323bff58db3ee3961dac53e08643c5080197c8203fb1070128c9a9b45c9ec |
| SHA512 | ee451c994ebf4e70444efa81608909f9bf5a7a2f242ef45e03a72ea58a9c9b7170985c9800e83afe2bcf8b2fd6f4ae8a5c700367e5a9c969137f2f5d2dbbf8ee |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3777709e3cd9e1ea9982bdc819c498ae |
| SHA1 | ac4a896aee678b1dd2d081e0664790a42f80e2af |
| SHA256 | 7b028904aaeee711259b395e786b2d5234c107184eee036c870b17eb08601567 |
| SHA512 | c5f3e4db56843283494e84c6d167cba2ad735dbc401062dad1ce2ffef87226c3cd606963e3745659a2c1b28d6ac87f03244202650dc0676213d3c0ec9b212c08 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30c80231826f6b724fc58597e576bd1d |
| SHA1 | 57b78ded1a2f0a6221ed0b53d360d134a85a0538 |
| SHA256 | a7abadf6f7a48bd279400b97a32e012f8065a142730443d366e583f463104c13 |
| SHA512 | 557557b703a810270aa5e5d78c09750569b32fda7da3e9c8b3490cf19c375686806f12a3ab7d82c68b6f933d9b95649dbd8305b9642441900d40d1f0222a8c3a |
memory/4084-604-0x00000000064A0000-0x00000000067F7000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 154c8c3c46ee7a9230867abd060ef0e6 |
| SHA1 | ff05a3e60583f0b1edcffe0400cbe8c471785480 |
| SHA256 | 6409ee70a90aab80a0fb120d11fcb33083b08c7610ce64a5ce5c900e96f371a9 |
| SHA512 | 2b1494fd032f097526953a0c23f91b0e4d54a16f0b96c86e869980bdcdb63665a0b4d723ee785ec07330d6194dbd3f8aebfda4cc830004148acb4e4148f1b6e6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 008bb5a3be6d5a529e7d8893db08343e |
| SHA1 | 5244285431940dc194d4138ab51593a69a91ca70 |
| SHA256 | 189ba2b90709092688eb8da74d920d4366221a34794b84ead807f4abcc672123 |
| SHA512 | 08d84223bb9a72c414b9c059a842e4d0407e40c7be95635c0af99f56d7234dbbe91c6cfd6022e7c73963fb00fb1a5e2315bd7b405e3bac7e30ff6cdec8aa74bc |
memory/228-622-0x00000000061C0000-0x0000000006517000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d89b8e55ac7cdd29a53daa6e35644a3e |
| SHA1 | 5cf3608c1cde1e073b22766f85faab3e81d94399 |
| SHA256 | 8c71dc3e5641351fa7cd5e4351dc420f556b2649a07a77e0ed4deb65039b7b1d |
| SHA512 | ee128fe475fa19337cc8ff2689066cd9e16f46daa8627e73ef0a4f17ac337542b29f85186f0c623b01d901bb91388c28a451ad54f0a1140221987d17d0150a39 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b18d77bbe08208c9fe4965dfb478807c |
| SHA1 | 22ece2b30a8bf1229f7329cc7600314941cf0efb |
| SHA256 | d448a4ea45cf0f9f322f338e81259487d1b3653bca3d8d8d755bb9eddb19e19c |
| SHA512 | 022b99dca7b53dd41c159ddf085b0f00ef519cfe4d38ea0426067037344c92ddb5194c55a1a262f0a2bb96600ee130b3095b7672b81467ab95d75afbb16fc1e4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a624b51bc449a849f19e703535c5bb7 |
| SHA1 | c29c1e270eabb9e9d5e088de29ac3c0451d6f5c0 |
| SHA256 | 927031b3554f7df9e815c6ad66955ab4d9c87bc2bfd15d8125abf67897868e4a |
| SHA512 | f47cf96ed8363d31f3fc3e4041a4dbce9039ce53399d63c502a4f0f85fe2d5f281e68281cdc883b3fad640128d42906ee70d49a10446c3ed8863bb70ac766e98 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 16bd993eec5fab838bf2140d012bc269 |
| SHA1 | 509b4ecb7ce5d8a882bfa290a7623a0def28d2f4 |
| SHA256 | f8c8ef74b24f2da540c423628c0ff35e765d71b82dc23a125f23396b8b049050 |
| SHA512 | 88c94cd4c130770246d5281cd06a8691991d1974b6255ecf343459a47a59e4385ae1decf65f7addcf827cc3bca35ad6fcd5a5daf9ba325c46998f162ddfdf172 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2b7c267cc480ff8bf8da2d964912682a |
| SHA1 | ec923f0cd38b880243db3b8ad603a412d2bb99af |
| SHA256 | a79fceac5ecf1c3bc63f6793d77044ed1876b67e1f5de79f9c7871886d2fcc9f |
| SHA512 | c9f509f5e8fa0a16d3877ceb91c0238d954a53af36a51d28efe4684c77aecedfdfab3099a60217bf1ee1e1826c1edc4ecf4c472e78741a6161dbd7aa5541eed4 |
memory/4964-829-0x00000000057A0000-0x0000000005AF7000-memory.dmp
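The Files list above mixes two record types: memory/<pid>-<seq>-<start>-<end>-memory.dmp lines, and dropped-file paths each followed by a four-row hash table. The many StartupProfileData-NonInteractive entries are the same path written with different content: that file is the multi-core JIT startup profile the CLR rewrites each time powershell.exe starts, so each entry records one PowerShell start, and its location under C:\Windows\SysWOW64\config\systemprofile shows those were 32-bit processes running under the SYSTEM account's profile. The Python below is an added example and is not part of the report; it parses a constructed excerpt in the report's own layout into per-path hash sets and per-PID memory regions, and rejects digests of the wrong length so a truncated value is not carried forward as an indicator. The final entry in the excerpt, constructed-example.bin with an 8-character SHA256, is invented to exercise that check and does not appear in the report.

```python
# Added example for extracting indicators from the Files section of this report; not report code.
import re
from collections import defaultdict

PS_PROFILE_PATH = (r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft"
                   r"\Windows\PowerShell\StartupProfileData-NonInteractive")
CONSTRUCTED_TRUNCATED_PATH = r"C:\Users\Admin\Desktop\constructed-example.bin"  # invented entry

# Constructed excerpt: the first records are copied from the report; the last one is
# invented with a truncated SHA256 to show how a bad row is reported rather than stored.
SAMPLE_FILES_SECTION = r"""
memory/1196-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp
memory/1196-1-0x0000000002AC0000-0x0000000002AF6000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_dudpna3z.b5m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3652-27-0x0000000074B50000-0x0000000075301000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b69c4a4d420bbbff67b0252630a6956f |
| SHA1 | b8e8104c2febc63f48f3a926d84678550ae78ca6 |
| SHA256 | 3685d92aa52510c2f0ceb9e35e0b7a09eb0fbdeca8cd27be2505fd97563c71f8 |
| SHA512 | fe0543afc67575e967b8a1e08aa08a35cb047643c33f0235b35d6437d421cff720a4dc5c823bb925f57570a28aa21b14ebb8d5c19afb7778d99c77fc86147f4f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f141ff57d143b277c6e349fa78b2f3db |
| SHA1 | e1f59889af67bb03e5e71b14bf70f1f6655f077a |
| SHA256 | 01362a756f18385acdb24a658704dc32b4feaff8fbdb26c52d874d4eba383c9b |
| SHA512 | 71af0e02879a6edbf8d4e1eb9e51cb161e85b227d275c4dfc76aa41cdf9dd156e47187b75f96ccd368ca6258a9734839c2cd23e92da073a0621f8be1a521c72f |
C:\Users\Admin\Desktop\constructed-example.bin
| MD5 | 00112233445566778899aabbccddeeff |
| SHA256 | deadbeef |
"""

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text: str):
    """Return (dropped, memory, problems).

    dropped:  path -> list of dicts, one per occurrence, holding the accepted digests
    memory:   pid  -> list of (start, end, size) regions, in listing order
    problems: human-readable descriptions of rows that were rejected"""
    dropped = defaultdict(list)
    memory = defaultdict(list)
    problems = []
    current = None  # record for the most recent dropped-file path
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            memory[int(m["pid"])].append((start, end, end - start))
            current = None
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            alg, digest = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"hash row without a preceding path: {line}")
            elif len(digest) != HASH_LEN[alg]:
                problems.append(f"{alg} of wrong length ({len(digest)}) for {current['path']}")
            else:
                current[alg] = digest
            continue
        # Anything else is a dropped-file path that starts a new record.
        current = {"path": line}
        dropped[line].append(current)
    return dict(dropped), dict(memory), problems


def distinct_sha256(dropped, path: str):
    """Distinct SHA256 values recorded for one path, i.e. how many different contents it held."""
    return {rec["SHA256"] for rec in dropped.get(path, []) if "SHA256" in rec}


if __name__ == "__main__":
    dropped, memory, problems = parse_files_section(SAMPLE_FILES_SECTION)
    for path, recs in dropped.items():
        print(f"{len(recs)} write(s), {len(distinct_sha256(dropped, path))} distinct SHA256: {path}")
    for pid, regions in memory.items():
        print(f"pid {pid}: {len(regions)} region(s), {sum(r[2] for r in regions):#x} bytes")
    for p in problems:
        print("rejected:", p)
```

Applied to the full Files list, the same parser turns the long run of identical paths into one line with a write count, which is the number a responder actually wants from this section.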