Analysis
max time kernel: 144s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09/11/2024, 10:20

Static task: static1
Behavioral task: behavioral1
Sample: ZTS3.exe
Resource: win11-20241007-en
General
Target: ZTS3.exe
Size: 423.3MB
MD5: a0caeb6eb607c47f90530895a33bca41
SHA1: 96899e70acd146d7e5f76fd68dd0e9f27090ac2b
SHA256: a71944f5c2523be7d3a93b2b2fe9c145853808d24895e15ebd40a3d5db06a878
SHA512: 31c5465184c96c01d08ca6022297adae9e19e527d4558c6055a300ed0460aa689d455807f8de2527613dbcc149fcf4f3a1c3b2137387b3c3f7b7892f57cf256b
SSDEEP: 12582912:GBOBoXWJ4nxRP37z2xZsGyuCOIN/RsX40AUV2O:GBfG2xBz2xZ4OYpzm2O
Malware Config
Signatures
-
Drops file in Drivers directory 4 IoCs
Description | IoC | Process
File opened for modification | C:\Windows\system32\drivers\znf.sys | drvcmd.exe
File created | C:\Windows\system32\drivers\zsc.sys | drvcmd.exe
File created | C:\Windows\system32\drivers\zef.sys | drvcmd.exe
File created | C:\Windows\system32\drivers\znf.sys | drvcmd.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 11 IoCs
pid | Process
4460 | ZTS3.tmp
4012 | MSCMgr.exe
2920 | drvcmd.exe
4312 | WDReg.exe
3220 | ZTSAux.exe
3868 | ZTSUpdater.exe
2208 | ZTSNet.exe
32 | ZTSHips.exe
4628 | ZTSCore.exe
3216 | ZTS.exe
4692 | ZTS.exe
Loads dropped DLL 41 IoCs
pid | Process | Entries
2416 | MsiExec.exe | 1
3220 | ZTSAux.exe | 2
3868 | ZTSUpdater.exe | 2
2208 | ZTSNet.exe | 2
32 | ZTSHips.exe | 5
4628 | ZTSCore.exe | 11
3216 | ZTS.exe | 10
4692 | ZTS.exe | 8
Adds Run key to start application 2 TTPs 1 IoCs
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Zillya Total Security = "\"C:\\Program Files (x86)\\Zillya Total Security\\ZTS.exe\" /min" | msiexec.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root. Grouped here by process; the report lists them in the order observed and, for msiexec.exe, every letter except R:, S: and U: appears twice.
msiexec.exe (43 entries): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
ZTSCore.exe (21 entries): \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Drops file in Program Files directory 44 IoCs
All 44 entries are "File created" by msiexec.exe under C:\Program Files (x86)\Zillya Total Security\:
(root, 31 files): icuin54.dll, icuuc54.dll, libEGL.dll, Qt5Widgets.dll, Qt5Xml.dll, ConScan.exe, SystemStatus.dll, ZCtx64.dll, ZscLib.dll, ZTSAux.exe, ZTSNet.exe, drvcmd.exe, Qt5Network.dll, PCBlockedText.dat, app.ver, ZTSCore.exe, MSCMgr.exe, Qt5Core.dll, ZTSUpdater.exe, icudt54.dll, keyboard.exe, WDReg.exe, EventsFilterDLL.dll, SystemResearchTool.exe, libGLESv2.dll, Qt5WinExtras.dll, WFBlockedText.dat, ZTSHips.exe, SettingsLib.dll, Qt5Gui.dll, ZTS.exe
nss\ (8 files): smime3.dll, mozcrt19.dll, plds4.dll, softokn3.dll, certutil.exe, nss3.dll, plc4.dll, nspr4.dll
Drivers\ (3 files): znf\Znf.sys, zsc\Zsc.sys, zef\Zef.sys
platforms\ (1 file): qwindows.dll
imageformats\ (1 file): qwindows.dll
Drops file in Windows directory 30 IoCs
All 30 entries are by msiexec.exe. Abbreviations used below: PATCHCACHE = C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1 and SUFFIX = .194841A2_D0F2_3B96_9F71_05BA91BEA0FA.
Description | IoC
File created, then File opened for modification (7 files, 14 entries) | PATCHCACHE\3.0.2377\F_CENTRAL_<name>SUFFIX for <name> in mfc120_x86, mfc120u_x86, mfcm120_x86, mfcm120u_x86, msvcp120_x86, msvcr120_x86, vccorlib120_x86
File opened for modification | PATCHCACHE
File opened for modification | PATCHCACHE\3.0.2377
File created | C:\Windows\Installer\SourceHash{4FD7CE15-D84A-4F02-83DC-A1052470631B}
File created | C:\Windows\Installer\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\ProductIcon
File opened for modification | C:\Windows\Installer\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\ProductIcon
File created | C:\Windows\Installer\e58654f.msi
File created | C:\Windows\Installer\e58654d.msi
File opened for modification | C:\Windows\Installer\e58654d.msi
File opened for modification | C:\Windows\Installer\
File opened for modification | C:\Windows\Installer\MSI6F7E.tmp
File created | C:\Windows\Installer\inprogressinstallinfo.ipi
File created | C:\Windows\SystemTemp\~DFC3D1AC480CFA7C0F.TMP
File created | C:\Windows\SystemTemp\~DFC48BFB548BD57E51.TMP
File created | C:\Windows\SystemTemp\~DF5820F87A68F7F1D3.TMP
File created | C:\Windows\SystemTemp\~DFACB48B7A5F7D3E5D.TMP
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 22 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
Process | Entries
find.exe | 3
cmd.exe | 3
WMIC.exe | 3
ZTS.exe | 2
ZTS3.exe | 1
ZTS3.tmp | 1
msiexec.exe | 1
MSCMgr.exe | 1
drvcmd.exe | 1
WDReg.exe | 1
ZTSAux.exe | 1
ZTSCore.exe | 1
ZTSNet.exe | 1
ZTSHips.exe | 1
ZTSUpdater.exe | 1
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. Note that all five accesses here come from vssvc.exe, the Windows Volume Shadow Copy service, not from the sample or anything it dropped; see "Uses Volume Shadow Copy service COM API" below.
All 5 entries are by vssvc.exe under DEVKEY = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters:
Description | IoC
Key created | DEVKEY\Partmgr
Set value (data) | DEVKEY\Partmgr\PartitionTableCache = …
Set value (data) | DEVKEY\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key opened | DEVKEY
Key queried | DEVKEY
Modifies data under HKEY_USERS 12 IoCs
Description | IoC | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | ZTSUpdater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security | ZTSUpdater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security\Proxy | ZTSUpdater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security\Proxy\SettingsFrom = "0" | ZTSUpdater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ZTSUpdater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ZTSUpdater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ZTSUpdater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ZTSUpdater.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ZTSUpdater.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Modifies registry class 45 IoCs
Abbreviations used below: CLASSES = \REGISTRY\MACHINE\SOFTWARE\Classes; PRODUCT = CLASSES\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1; CTXCLSID = {C14F7681-33D8-11D3-A09B-00500402F30B}; AUXCLSID = {24D7CA01-FB95-4556-9D54-A6486794E071}; APPCACHE = \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache.

Windows Installer product registration by msiexec.exe (23 entries):
Key created | CLASSES\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1
Key created | CLASSES\Installer\Features\51EC7DF4A48D20F438CD1A50420736B1
Key created | CLASSES\Installer\UpgradeCodes\C1926438604375A40B71B3314667C76F
Key created | PRODUCT\SourceList
Key created | PRODUCT\SourceList\Net
Key created | PRODUCT\SourceList\Media
Set value (str) | PRODUCT\ProductName = "Zillya Total Security"
Set value (str) | PRODUCT\ProductIcon = "C:\\Windows\\Installer\\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\\ProductIcon"
Set value (str) | PRODUCT\PackageCode = "7308DF65F86037D4A8BE479436C17686"
Set value (int) | PRODUCT\Version = "50334025"
Set value (int) | PRODUCT\Language = "1033"
Set value (int) | PRODUCT\Assignment = "1"
Set value (int) | PRODUCT\AuthorizedLUAApp = "0"
Set value (int) | PRODUCT\DeploymentFlags = "3"
Set value (int) | PRODUCT\InstanceType = "0"
Set value (int) | PRODUCT\AdvertiseFlags = "388"
Set value (data) | PRODUCT\Clients = 3a0000000000
Set value (str) | PRODUCT\SourceList\PackageName = "ZTS3Setup_3.0.2377.0_en.msi"
Set value (str) | PRODUCT\SourceList\Media\1 = ";"
Set value (str) | PRODUCT\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-SJDD6.tmp\\"
Set value (str) | PRODUCT\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\is-SJDD6.tmp\\"
Set value (str) | CLASSES\Installer\Features\51EC7DF4A48D20F438CD1A50420736B1\ProductFeature
Set value (str) | CLASSES\Installer\UpgradeCodes\C1926438604375A40B71B3314667C76F\51EC7DF4A48D20F438CD1A50420736B1

Shell context-menu handler (COM in-process server) registration by MsiExec.exe (15 entries):
Key created | CLASSES\CLSID\CTXCLSID
Key created | CLASSES\CLSID\CTXCLSID\InProcServer32
Key created | CLASSES\CLSID\ZContextMenu
Set value (str) | CLASSES\CLSID\CTXCLSID\ = "ZContextMenu"
Set value (str) | CLASSES\CLSID\CTXCLSID\InProcServer32\ = "C:\\Program Files (x86)\\Zillya Total Security\\ZCtx64.dll"
Set value (str) | CLASSES\CLSID\CTXCLSID\InProcServer32\ThreadingModel = "Apartment"
Set value (str) | CLASSES\CLSID\ZContextMenu\ = "CTXCLSID"
Key created | CLASSES\Directory\shellex\ContextMenuHandlers\ZContextMenu
Set value (str) | CLASSES\Directory\shellex\ContextMenuHandlers\ZContextMenu\ = "CTXCLSID"
Key created | CLASSES\Folder\shellex\ContextMenuHandlers\ZContextMenu
Set value (str) | CLASSES\Folder\ShellEx\ContextMenuHandlers\ZContextMenu\ = "CTXCLSID"
Key created | CLASSES\Drive\shellex\ContextMenuHandlers\ZContextMenu
Set value (str) | CLASSES\Drive\shellex\ContextMenuHandlers\ZContextMenu\ = "CTXCLSID"
Key created | CLASSES\AllFilesystemObjects\shellex\ContextMenuHandlers\ZContextMenu
Set value (str) | CLASSES\AllFilesystemObjects\shellex\ContextMenuHandlers\ZContextMenu\ = "CTXCLSID"

CLSID written by ZTSAux.exe (4 entries):
Key created | CLASSES\WOW6432Node\CLSID\AUXCLSID
Key created | CLASSES\WOW6432Node\CLSID\AUXCLSID\InprocServer32
Set value (str) | CLASSES\WOW6432Node\CLSID\AUXCLSID\InprocServer32\ = "ole32.dll"
Set value (str) | CLASSES\WOW6432Node\CLSID\AUXCLSID\Data = "EC8679CD058C5A83A6F646CA39580890"

AppContainer cache prefixes by BackgroundTransferHost.exe (3 entries):
Set value (str) | APPCACHE\Cookies\CachePrefix = "Cookie:"
Set value (str) | APPCACHE\History\CachePrefix = "Visited:"
Set value (str) | APPCACHE\Content\CachePrefix
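The persistence-relevant rows in this report (the driver drops under system32\drivers, the Run key, the CLSID\...\InprocServer32 registrations flagged by the COM hijacking signature, and the ContextMenuHandlers keys) are scattered across several tables whose rows are flattened "<description> <ioc> <process>" strings. The Python below is an added example written for this page; it is not sandbox output and not code from the product analysed. Its input is a handful of rows copied from the tables above, the four categories and the "bare name" observation for InprocServer32 values are this script's own heuristics, and it does not check signatures or decide that anything is malicious; it only surfaces the rows an analyst would look at first.

```python
"""Parse flattened sandbox IoC rows and flag persistence-relevant ones.

Added example for this page. The rows below are copied from the signature
tables of the report; the categories and heuristics are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a subset of the report's "<description> <ioc> <process>" rows.
SAMPLE_IOCS = [
    r'File opened for modification C:\Windows\system32\drivers\znf.sys drvcmd.exe',
    r'File created C:\Windows\system32\drivers\zsc.sys drvcmd.exe',
    r'File created C:\Windows\system32\drivers\zef.sys drvcmd.exe',
    r'File created C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Zillya Total Security = "\"C:\\Program Files (x86)\\Zillya Total Security\\ZTS.exe\" /min" msiexec.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32 MsiExec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32\ = "C:\\Program Files (x86)\\Zillya Total Security\\ZCtx64.dll" MsiExec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32\ThreadingModel = "Apartment" MsiExec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" MsiExec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24D7CA01-FB95-4556-9D54-A6486794E071}\InprocServer32\ = "ole32.dll" ZTSAux.exe',
]

# Row prefixes used by the report; longer prefixes first so "File opened for
# modification" is not mistaken for a shorter action.
ACTIONS = (
    "File opened for modification", "File opened (read-only)", "File created",
    "Set value (str)", "Set value (int)", "Set value (data)",
    "Key created", "Key opened", "Key queried", "Key deleted",
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Record:
    action: str
    target: str            # file path or registry key
    value: Optional[str]   # decoded data for "Set value" rows, else None
    process: str


@dataclass
class Finding:
    category: str
    process: str
    detail: str


def parse_record(line: str) -> Record:
    """Split '<action> <ioc> <process>'; the process name is always the last token."""
    action = next((a for a in ACTIONS if line.startswith(a + " ")), None)
    if action is None:
        raise ValueError(f"unknown action in row: {line!r}")
    body, process = line[len(action) + 1:].rsplit(" ", 1)
    value = None
    if action.startswith("Set value") and " = " in body:
        body, raw = body.split(" = ", 1)
        if raw.startswith('"') and raw.endswith('"'):
            # String data is printed with C-style escapes (\" and \\); undo them.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        value = raw
    return Record(action, body, value, process)


def classify(rec: Record) -> Optional[Finding]:
    """Map one row to a persistence category, or None if it is not of interest here."""
    t = rec.target.lower()
    if rec.action.startswith("File") and t.startswith("c:\\windows\\system32\\drivers\\"):
        return Finding("driver-drop", rec.process, rec.target)
    if rec.value is None:                 # the remaining checks need a written value
        return None
    if "\\currentversion\\run\\" in t:
        name = rec.target.rsplit("\\", 1)[1]
        return Finding("run-key", rec.process, f"{name} -> {rec.value}")
    if t.endswith("\\inprocserver32\\"):  # default value of InprocServer32 = server DLL
        m = CLSID_RE.search(rec.target)
        how = "full path" if "\\" in rec.value else "bare name, resolved via DLL search order"
        return Finding("com-server", rec.process,
                       f"{m.group(0) if m else '?'} -> {rec.value} ({how})")
    if "\\shellex\\contextmenuhandlers\\" in t:
        return Finding("shell-ext", rec.process, f"{rec.target} -> {rec.value}")
    return None


def triage(lines):
    """Parse every row and keep the findings, in the order the rows were given."""
    findings = []
    for line in lines:
        f = classify(parse_record(line))
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"[{f.category:11}] {f.process:12} {f.detail}")
```

On this input the script reports three driver drops by drvcmd.exe, one Run key written by msiexec.exe, two in-process COM servers (ZCtx64.dll by full path, ole32.dll by bare name) and one ContextMenuHandlers registration. The "bare name" note is only an observation about how the DLL will be located; whether that matters depends on the host's DLL search order and is not something the report can answer.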
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3216 | ZTS.exe
4692 | ZTS.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | Entries
4364 | msiexec.exe | 2
3220 | ZTSAux.exe | 62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3216 | ZTS.exe
Suspicious behavior: LoadsDriver 4 IoCs
pid | Process | Entries
676 | Process not Found | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
Grouped by process; each item is one "Token: <privilege>" entry, with a count where the same privilege was adjusted more than once:
3720 msiexec.exe (31): SeShutdownPrivilege ×2, SeIncreaseQuotaPrivilege ×2, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
4364 msiexec.exe (11): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege ×5, SeTakeOwnershipPrivilege ×4
1676 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
1868 srtasks.exe (8): SeBackupPrivilege ×2, SeRestorePrivilege ×2, SeSecurityPrivilege ×2, SeTakeOwnershipPrivilege ×2
3216 WMIC.exe (11): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | Entries
3720 | msiexec.exe | 2
3216 | ZTS.exe | 62
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process | Entries
3216 | ZTS.exe | 64
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process | Entries
3216 | ZTS.exe | 3
4692 | ZTS.exe | 1
Suspicious use of WriteProcessMemory 49 IoCs
description | pid | Process | procid_target
PID 2712 wrote to memory of 4460 | 2712 | ZTS3.exe | 77
PID 2712 wrote to memory of 4460 | 2712 | ZTS3.exe | 77
PID 2712 wrote to memory of 4460 | 2712 | ZTS3.exe | 77
PID 4460 wrote to memory of 3720 | 4460 | ZTS3.tmp | 84
PID 4460 wrote to memory of 3720 | 4460 | ZTS3.tmp | 84
PID 4460 wrote to memory of 3720 | 4460 | ZTS3.tmp | 84
PID 4364 wrote to memory of 1868 | 4364 | msiexec.exe | 92
PID 4364 wrote to memory of 1868 | 4364 | msiexec.exe | 92
PID 4364 wrote to memory of 4012 | 4364 | msiexec.exe | 94
PID 4364 wrote to memory of 4012 | 4364 | msiexec.exe | 94
PID 4364 wrote to memory of 4012 | 4364 | msiexec.exe | 94
PID 4364 wrote to memory of 2920 | 4364 | msiexec.exe | 95
PID 4364 wrote to memory of 2920 | 4364 | msiexec.exe | 95
PID 4364 wrote to memory of 2920 | 4364 | msiexec.exe | 95
PID 4364 wrote to memory of 4312 | 4364 | msiexec.exe | 96
PID 4364 wrote to memory of 4312 | 4364 | msiexec.exe | 96
PID 4364 wrote to memory of 4312 | 4364 | msiexec.exe | 96
PID 4364 wrote to memory of 2416 | 4364 | msiexec.exe | 98
PID 4364 wrote to memory of 2416 | 4364 | msiexec.exe | 98
PID 3220 wrote to memory of 4672 | 3220 | ZTSAux.exe | 103
PID 3220 wrote to memory of 4672 | 3220 | ZTSAux.exe | 103
PID 3220 wrote to memory of 4672 | 3220 | ZTSAux.exe | 103
PID 4672 wrote to memory of 3216 | 4672 | cmd.exe | 106
PID 4672 wrote to memory of 3216 | 4672 | cmd.exe | 106
PID 4672 wrote to memory of 3216 | 4672 | cmd.exe | 106
PID 4672 wrote to memory of 4904 | 4672 | cmd.exe | 107
PID 4672 wrote to memory of 4904 | 4672 | cmd.exe | 107
PID 4672 wrote to memory of 4904 | 4672 | cmd.exe | 107
PID 3220 wrote to memory of 4692 | 3220 | ZTSAux.exe | 111
PID 3220 wrote to memory of 4692 | 3220 | ZTSAux.exe | 111
PID 3220 wrote to memory of 4692 | 3220 | ZTSAux.exe | 111
PID 4692 wrote to memory of 844 | 4692 | cmd.exe | 113
PID 4692 wrote to memory of 844 | 4692 | cmd.exe | 113
PID 4692 wrote to memory of 844 | 4692 | cmd.exe | 113
PID 4692 wrote to memory of 4260 | 4692 | cmd.exe | 114
PID 4692 wrote to memory of 4260 | 4692 | cmd.exe | 114
PID 4692 wrote to memory of 4260 | 4692 | cmd.exe | 114
PID 4364 wrote to memory of 3216 | 4364 | msiexec.exe | 115
PID 4364 wrote to memory of 3216 | 4364 | msiexec.exe | 115
PID 4364 wrote to memory of 3216 | 4364 | msiexec.exe | 115
PID 3220 wrote to memory of 4864 | 3220 | ZTSAux.exe | 118
PID 3220 wrote to memory of 4864 | 3220 | ZTSAux.exe | 118
PID 3220 wrote to memory of 4864 | 3220 | ZTSAux.exe | 118
PID 4864 wrote to memory of 4880 | 4864 | cmd.exe | 120
PID 4864 wrote to memory of 4880 | 4864 | cmd.exe | 120
PID 4864 wrote to memory of 4880 | 4864 | cmd.exe | 120
PID 4864 wrote to memory of 2012 | 4864 | cmd.exe | 121
PID 4864 wrote to memory of 2012 | 4864 | cmd.exe | 121
PID 4864 wrote to memory of 2012 | 4864 | cmd.exe | 121
-
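The WriteProcessMemory table above is the sandbox's record of who spawned whom, but two things trip up a naive parent/child reconstruction: every spawn is logged three times, and PIDs are recycled within the run (PID 3216 is WMIC.exe under cmd.exe 4672 at procid_target 106 and ZTS.exe under msiexec.exe 4364 at procid_target 115; PID 4692 is likewise a cmd.exe child of ZTSAux.exe and, later, a top-level ZTS.exe). The sandbox's own process index (procid_target) is the stable identity, not the PID. The script below is an added example written for this page, not code from the sandbox vendor or from Zillya; it parses a constructed subset of the rows above in the report's own flattened text format, collapses the repeated events, rebuilds the spawn chain for a given procid_target, and reports PIDs that were reused during the run. The assumption that sandbox process indexes increase in spawn order is the author's, used only to pick the right parent record when a parent PID was itself reused.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple


class WriteEvent(NamedTuple):
    parent_pid: int    # "pid" column: the process that called WriteProcessMemory
    child_pid: int     # target PID from "wrote to memory of N"
    parent_image: str  # "Process" column
    procid: int        # "procid_target": the sandbox's own index for the target process


# Constructed sample: a subset of the rows from the table above, kept in the
# report's flattened format. Repeated events are left in deliberately.
SAMPLE_ROWS = """
PID 2712 wrote to memory of 4460 2712 ZTS3.exe 77
PID 2712 wrote to memory of 4460 2712 ZTS3.exe 77
PID 2712 wrote to memory of 4460 2712 ZTS3.exe 77
PID 4460 wrote to memory of 3720 4460 ZTS3.tmp 84
PID 4364 wrote to memory of 4012 4364 msiexec.exe 94
PID 3220 wrote to memory of 4672 3220 ZTSAux.exe 103
PID 4672 wrote to memory of 3216 4672 cmd.exe 106
PID 4672 wrote to memory of 4904 4672 cmd.exe 107
PID 3220 wrote to memory of 4692 3220 ZTSAux.exe 111
PID 4692 wrote to memory of 844 4692 cmd.exe 113
PID 4364 wrote to memory of 3216 4364 msiexec.exe 115
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_events(text: str) -> List[WriteEvent]:
    """Parse the flattened table into one WriteEvent per logged event (duplicates kept)."""
    events = []
    for m in ROW_RE.finditer(text):
        desc_pid, child, pid, image, procid = m.groups()
        if desc_pid != pid:  # the description and the pid column must name the same writer
            raise ValueError(f"inconsistent row: {m.group(0)}")
        events.append(WriteEvent(int(pid), int(child), image, int(procid)))
    return events


def dedupe(events: List[WriteEvent]) -> List[WriteEvent]:
    """Collapse the repeated events the sandbox logs per spawn.
    procid identifies the target process, so (parent, child, procid) is the key."""
    unique = {}
    for ev in events:
        unique.setdefault((ev.parent_pid, ev.child_pid, ev.procid), ev)
    return list(unique.values())


def children_of(events: List[WriteEvent], parent_pid: int):
    """Sorted (child_pid, procid) pairs written to by parent_pid."""
    return sorted((e.child_pid, e.procid) for e in dedupe(events) if e.parent_pid == parent_pid)


def reused_pids(events: List[WriteEvent]):
    """PIDs that named more than one distinct process (different procid) during the run.
    A tree keyed on PID alone would silently merge these."""
    by_pid = defaultdict(set)
    for e in dedupe(events):
        by_pid[e.child_pid].add(e.procid)
    return {pid: sorted(ids) for pid, ids in by_pid.items() if len(ids) > 1}


def spawn_chain(events: List[WriteEvent], procid: int):
    """Root-to-leaf PID chain for the process with sandbox index procid.
    If the parent PID was itself reused, take the parent record with the highest
    procid below the child's (assumption: indexes increase in spawn order)."""
    uniq = dedupe(events)
    cur = {e.procid: e for e in uniq}[procid]
    chain = [cur.child_pid]
    while True:
        chain.append(cur.parent_pid)
        cands = [e for e in uniq if e.child_pid == cur.parent_pid and e.procid < cur.procid]
        if not cands:
            return chain[::-1]
        cur = max(cands, key=lambda e: e.procid)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_ROWS)
    print("unique events:", len(dedupe(evs)), "of", len(evs))
    print("children of msiexec.exe 4364:", children_of(evs, 4364))
    print("reused PIDs:", reused_pids(evs))
    for idx in (106, 115):
        print("spawn chain for procid", idx, "->", " > ".join(map(str, spawn_chain(evs, idx))))
```

Run against the sample, the two PID 3216 records resolve to different chains (ZTSAux.exe 3220 > cmd.exe 4672 > 3216 versus msiexec.exe 4364 > 3216), which is the distinction the process tree further down relies on when it lists 3216 twice.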
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZTS3.exe (PID:2712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp (PID:4460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp" /SL5="$30174,443486740,121344,C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID:3720)
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\is-SJDD6.tmp\ZTS3Setup_3.0.2377.0_en.msi"
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exe (PID:4624)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
-
C:\Windows\system32\BackgroundTransferHost.exe (PID:1448)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  - Modifies registry class
-
C:\Windows\system32\msiexec.exe (PID:4364)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe (PID:1868)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe (PID:4012)
    Command line: "C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe" -i
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Program Files (x86)\Zillya Total Security\drvcmd.exe (PID:2920)
    Command line: "C:\Program Files (x86)\Zillya Total Security\drvcmd.exe" znf -ni zsc -i zef -ei
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Program Files (x86)\Zillya Total Security\WDReg.exe (PID:4312)
    Command line: "C:\Program Files (x86)\Zillya Total Security\WDReg.exe" -i
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Windows\System32\MsiExec.exe (PID:2416)
    Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll"
    - Loads dropped DLL
    - Modifies registry class
  C:\Program Files (x86)\Zillya Total Security\ZTS.exe (PID:3216)
    Command line: "C:\Program Files (x86)\Zillya Total Security\ZTS.exe" /min /en
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exe (PID:1676)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe (PID:3220)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID:4672)
    Command line: C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe (PID:3216)
      Command line: wmic qfe list
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\find.exe (PID:4904)
      Command line: find "KB3033929"
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID:4692)
    Command line: C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe (PID:844)
      Command line: wmic qfe list
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\find.exe (PID:4260)
      Command line: find "KB3033929"
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID:4864)
    Command line: C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Wbem\WMIC.exe (PID:4880)
      Command line: wmic qfe list
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\find.exe (PID:2012)
      Command line: find "KB3033929"
      - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe (PID:3868)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe (PID:2208)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe (PID:32)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe (PID:4628)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Zillya Total Security\ZTS.exe (PID:4692)
  Command line: "C:\Program Files (x86)\Zillya Total Security\ZTS.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- T1547 Boot or Logon Autostart Execution (1)
  - T1547.001 Registry Run Keys / Startup Folder (1)
- T1546 Event Triggered Execution (1)
  - T1546.015 Component Object Model Hijacking (1)
Privilege Escalation
- T1547 Boot or Logon Autostart Execution (1)
  - T1547.001 Registry Run Keys / Startup Folder (1)
- T1546 Event Triggered Execution (1)
  - T1546.015 Component Object Model Hijacking (1)
Downloads
-
Filesize 26KB
MD5 ab9b8c784d8065c50e941a0c0a226440
SHA1 8bad3c659bb8b44acfe3ef5c5019d792e4ab87e7
SHA256 026001885c9b644253edb7ab5d33352ca0923e20942ebf9062002fb1bbba72d5
SHA512 b82131803b8cc7f56077c985f7dcb3c58ae363143981e04b945fed99f31852748274202689b6025a67ef0760017a883d5225941ee7cde4cce8c93dc83303229a
-
Filesize 44KB
MD5 ade47a3761e8a3dc2b328ae6d6a3dc47
SHA1 aec69d3907995ae0cfe7642e53413f5217d4ec90
SHA256 13c987d0381b7c035a52edd7c1fec4dd2f8f4ac63d9ec2d7e6c0b91884cf7606
SHA512 b2df76490d9d51fdc79b344466b3247caed1cf82a5894b97f7d3aa7afdf4418aff36eed4f7aaa1ac47d7964322c92ae853a89bb0f5a41d1c55e2803991d12025
-
Filesize 111KB
MD5 a948707ca4c4397386d2a0b33a3a7418
SHA1 1ebc0eb3ecae92d394cb874f583565816a15f665
SHA256 a4210956cf92ea4212007708b4529d71ceb92f771749378845f650182a098680
SHA512 6cba869e19570c087340e2c9ef6a084abe030514d82850b9a41689827444ed578531fec17142b9a85b32eafba698c5d7b3cca663eca3373f3f7da85418be4525
-
Filesize 92KB
MD5 493d7ceaa350e690075cf88fe7e75731
SHA1 d81e5a5467edd5a3e0df48b2d7d15df2113acf2b
SHA256 605b7a5f419d1f2f80f71d64553cd1b6494b9559d28d335637a0969deef31fd3
SHA512 46443b3819b9a9669fbdfa5a545a21a62a062e3c47ae975df8a70a5ba0b504c0dad3352cc9440eb41edba01cf6d36b11d8e363ea1bb65dc83323e0eba9ca7838
-
Filesize 81KB
MD5 ec607f851302ba994b3b62becce410de
SHA1 e23af25a71b41d17bf716f86a803946cafcbfdaf
SHA256 fcb37de351738d2bff8bbe6b746128d8aa4c271e3a05d0e72574ab783245e03e
SHA512 5fc1ba0bd6e0c0b568ebe9b9ea7658110b45b7338083a91fcd7951d0296d72b99ed5b1d564e558e1066d8618b0f0e4d69e13c3f6eb2c6fbf3f40e8648c711889
-
Filesize 36KB
MD5 8a25e81f3274d902ad3d4cf38a188142
SHA1 e3cc21987210ad1e9ec501e08ebeae86fb695d64
SHA256 ef79310a5d72bafd391e8a56b7c07aa2bb61c606d8f88d4b1d32e4be7de8cdc1
SHA512 acc22d8238c64131afd2362fa1c7bbfba50dc858831fb097034f7a58f9e45e2f53a55e43b1e23e68c3e459bffe7996bbc14349bbe71f8ead978d26f53c15239b
-
Filesize 23KB
MD5 d07a2a823ce35f50c341c3f07d990982
SHA1 53fe8e8238b29bc5e6c81f57e699838760da8005
SHA256 437242ebe5f5720a76c8d36ffff356e077237618b5ba87eaac797042ea7d9ee1
SHA512 54f2313539bea2c75532ff6b13f69f53608de45606150a358757c96a4eadaaeafd767c74bd145226eae8ff156396fe858857957e52695ef1c2da892b206690e6
-
Filesize 623KB
MD5 b2c4c15a1c35f61fe5ab4623741e4bea
SHA1 5660dbdfc6b7e38fe2217b9027123397aa2239e0
SHA256 2caaf09aa6250c4e2f6282f92dfd8527a1e176597ccb7daed175206421e7c6fd
SHA512 d66b567560ec084cb299741f9a16fa45fa83ebfb66e56bfee05f0cf9889ae04c49fed9b6abbdf25397e2d192dffcf862fdb9cf6b06aca55d511b7a2f0a8dec62
-
Filesize 1.5MB
MD5 133489e8b7e87f917062182e63356246
SHA1 604149492574d77f72923cdf94a449b8898c756e
SHA256 df1ec2bf6381ca1292663f252759fc1a612043223ebd70ea4dbefac4f4d697e3
SHA512 839a4677ec688d3689b4ef17686748805b728aa27d26307d407eface72aa32d54a0ab5a8c21ad7bbb8400779a08575db324058bab79245ec353b348f2b347179
-
Filesize 56KB
MD5 f0337377d11b067deb5b6b2da719663a
SHA1 6924486c76f9a5c68c629cac505fd229c1e7a0d2
SHA256 14f37a81090cc3eaec508adfdf7b365214855abf21febeb441faa621848a3a99
SHA512 3e9dd0fec937b572b7f8f7cdb5aa3196c5fc014db769029bce873e89bc64a983cf81b66c6003657fadba1b9eec66171f6d5cc20b301aea29c9e2f696343ff294
-
Filesize 23KB
MD5 cb1a37528bcc420275beaa8d816726fb
SHA1 d772d5f3a62462fed45ee346c7efeae57aedc45d
SHA256 35a962f1ccc6c7a0b88dfbfaf7a9d8a0ba45a217c50c498ef828d57307e256ca
SHA512 53c77efd01ede84b016ab65b2dd453eceabe0ab92a198bdab08043846a9a2148b16f1f166cd9bd851399b5a24d66754863571d4184eee3e7d95685d089fe877e
-
Filesize 2.6MB
MD5 7d1382176ca0bb05d46fec1f8117b55f
SHA1 ab46f5f8d93ad92d59d32be4ad4136665440ee65
SHA256 39881bfbb801f4ce95ee5df907691d796a83be606b6ddd527ddf6a51f25ac59b
SHA512 048d30c21546a08e103b21982ca2168546f28c439b5abc5d6296abdfa220ff4f67fb4d36e8846f332d0d47a2f66c02fc0f3ff160625653e722d4d9f8c902cdb3
-
Filesize 8.9MB
MD5 217477945fbca3c306d20e0d06618aad
SHA1 c5fb10681d163f4e82763a15155bdb985828f025
SHA256 14db163f1397bab601297f66c1d0c9f02198707b9b783a6e2a11a801da01a100
SHA512 bc580b115b36df1484b182d87d203867996b31406867e28179b1ae3b6d4fffff722225cd08ce857a5d20c0df718fb521cf5079966362dc5e188108f399dcbadf
-
Filesize 4.7MB
MD5 aa93b7678c6124dfcc705bdd5527280d
SHA1 598d3d49dd27ab0bfe5b1bf232e3ce1466b85752
SHA256 eae63d90d5fb2dc9d03d6306748921566b143d7d7a035b8fdc26c39acd9908b2
SHA512 883038baafa9e70a3ca5c8406e51ed0d4af9b4e02f2ad9b1272c85337b7d84de454138846beb8e2f2d648b409a66e06a917c3e28913ea3de17b5c79b752dc320
-
Filesize 3.3MB
MD5 c5dbf7de3aaf7bbf14dfd35ae31548c1
SHA1 b99beef90a0bba700b156b007c2662693725a06e
SHA256 509e1d39d60886df026fea2db96d212b3156368708b27850cdb5ef0a731f12e9
SHA512 ffc955c42f2fe06381ce5e60c9e6f8320e6b1d7ec9d8bfd74b077f3cc5c8e5dd05a522733b6083af0d8da5fa0c1ec6b2c0890812e27909562d7cd61cc6e4e2d7
-
Filesize 2.0MB
MD5 c0fea8d63db45666f53d5645bb3eb9b7
SHA1 f647d905ea229afd41d52b649ca75f4f657c2625
SHA256 f7e7af645ee9cb6af4816551713eb83d3a8302db2c9d50a40698e9f0495e2571
SHA512 eb04ef95d268f7246ccdf286aa729bd5250ae440ae23ad254d850debb49836efa337d0a6d07af15e19c4fffa0e076b0f5e28206d47095274c95f0aba2cf570fc
-
Filesize 4.4MB
MD5 64e43fa00a6fac75403193c87f6acc1c
SHA1 91464aab6cd294c5a7280dabfd628c5fb39dd64f
SHA256 2235d58e372cc891c7dce56ee93b6393f20f51eead7bdf2573e5a58fc2506331
SHA512 f2a5bf096bfcb340e830b41d164e108440df3afc4aeda7fd35c9f1b6829c602f78a699630e913e6229bae123c76ccccd1c7abd156b38db35f3c122a64343bd5b
-
Filesize 2.8MB
MD5 d91706aace6b5c6991e38537ddc2189f
SHA1 fe6470408f35760987978286a01c270ae0eb804a
SHA256 8d3289525d26b5e79a944794f5a2b7f969e80ab5b5f9e937bc932aaca6e8b81c
SHA512 6249c26ab897f8609679867351ff910aa0eb2ca35fcd6598c7a2eae4e27f0e6e834a65cc2ae26e99feccdbdc95e9b72e532c88ad3e5f5b9f78b9dfa16e5b1237
-
Filesize 79KB
MD5 8f45fe6e315809f3bef5f76579a778e3
SHA1 7dbdeef1ecbfb67167e574977f4fe54f063206ec
SHA256 4d4e17d93283fbe5aa18a6a788defb3cbfa11ac08da786ea694e1cb10ca41705
SHA512 76c32a118afd99d96a7b19b8f66c198e873a9315395c8f77b86bf45731e11cc9f2e3879694d23d3ac6d018e0e6da69624e35f33d01253d5ac5522a06ad4fbe76
-
Filesize 12B
MD5 5fd69b3b7ebee628618bbda0368dbef9
SHA1 b48404aa93848005fc081cc59f77af7e05c5704f
SHA256 352d905e0bd476d7e6dfa461c8fb6d2655bad75210ff4d5315f98564f26f9de6
SHA512 c5626fd5b5b4d47c2a282841cb7bb4a02daa0ad25256115171b9d2537973834ae5057c57b38ac8c13a82f3c2ca5006fce7c9f93b42c3084fb2bc95d697a83f30
-
Filesize 79KB
MD5 eb5c361ef56a3de8882c0e88807ecb2a
SHA1 a5d1f630c0521abf5f1ad1080eb331a7fa2da71d
SHA256 b66436429d7e9a209a7c91f6cc882506a5777722450107ec27fae3af4d2fc7e2
SHA512 5c392e7c45114237a72a67d96191857a0eeafe54ddf11020840e122bf914b1a9ec14de42198d3c3a23f11f48c3f08568eccd185468c3dcee9eece55b8e251ccf
-
Filesize 177KB
MD5 397ec6fc9ad0502125d5d48be9760abc
SHA1 09f43932f07ad6bd6133421e6f5b63ff960151aa
SHA256 73ce14bc0c052e9315ce85a7c09073cff822af6db3c61b95568789ca65ff01fa
SHA512 f8d7865ba91a97b98c6cb1d568332ea172a1bbcf77af73268d523fd35fb4025b13d18f13f324dde32f568f2e11a9369ab4abe3302bbfc53f4d47f5ea042ddfbe
-
Filesize 42B
MD5 81a0ad44c85c4f13dd914b9080454a30
SHA1 b302c1533bb4cbc31ff89c4a332cde61313f9b15
SHA256 91975a61a546693e60941f54e19789f7e91ee4f9dd2787f00c51409fca1fb270
SHA512 becc0ace29ca4a43d052e85a1e1e950ef45e656ba7df24f5096dcb5986b8476bf3ded2fd24dad7e49e21911e3a1f4401044627a94be7a165e4841bdd68b0c31f
-
Filesize 29KB
MD5 f2264abae9d3da4bd185f8177016c234
SHA1 2eb10ce6cc47443b67c4e1ce495dd8d8bb2a90e1
SHA256 d2a651547a83723be81fb4e87bd75fae6f95666050e072a30c22d7ace0cb5f20
SHA512 b51d5e11417467682c68e0a92a20b03c18650edbc58cef7ce6ce1a768ec65643f094d549ce0139d28ebf9d90c4fc43d1bef013fcd923d7670c450a994c878104
-
Filesize 2KB
MD5 37b906c90af52e9088500b1ca534c481
SHA1 1d783968c6e230412f84cb5f994f14f140ec2396
SHA256 20216e650efce62a7de0d43ab2651d4ba7744c7cf6ed50ae54b88358d4373ab8
SHA512 31df701b781410077d8439a806f0bad8fd7aa3a28da3e93ae2e6181551af92d5567b116682c9e4160b9b1ca32d9e7b9925328f2d53be7a3bca0a0f1749582e6e
-
Filesize 105KB
MD5 860f892463edc160c04bc4b3ca8c1d9a
SHA1 cbb7360599908c71159da092524cf43413032149
SHA256 8a7ba879a4e4854635d6e7e077e6c3681b79440a1c6e51303ee842b2b2e14579
SHA512 fc0783b742c19fea017de1793f2583fa0f08e2c112e3fb41a63afd41714c942fe9b97e824a5c48e1c316f8072cd45a4b41813c3bfc7a2908a94b126ee7545177
-
Filesize 4.7MB
MD5 67d15235ab3b06b3eff17bbfde63d2bc
SHA1 f8d9f67c68585c47536b42381a1e2060ca488cb6
SHA256 63fbce4363e3ab94cec0d42640ded6701b82d154ad8c05ce7c383e3fef4615a6
SHA512 1ca2cc3fd1b3fba85f7daebdb1096695161849ab6127f903ad883e80cd885ce5695c31859ea1a9359e88789de2cc2c317600d5a83a5defe29413a2838bc40e3d
-
Filesize 941B
MD5 4aa67c1b6ad9c2cdabe8f7ae8e515943
SHA1 1a6cc8eeceb0f1846d8d6d0093fa28fe9f649ee5
SHA256 d44e3c6e49489697f4cb0bb5f01a53b1eaf20d1b8d613dadab2180a959d7dedf
SHA512 25988c1e925b39710cb130d7fa08840b7343b7febe1d78147b445239f0c33d107e044df137fa2d5e762fcf2fb4e68d12353ae0c604aaf9b904b684b20c796a13
-
Filesize 69B
MD5 d001f3d93225ac86c3af7784d09397f4
SHA1 889fe135188fad97ebabfb9f66e0bfb4549528f4
SHA256 8d633d762396222e04ac9d3fcba3547bd0a723790ca18bccea432bacad6f9a5d
SHA512 846e66f7debe84017a91f5603ef2fac12dbc5b485b617a3aa451c8f7331e97fe8dbba43c206b9672d0c9f09a42d2b740f28c683ea27aca22707c784d28a05bca
-
Filesize 143B
MD5 e9bbc5a77dc063435819b3ee6fbc2429
SHA1 2f46fec8fc34ebd0509d61b6559fcf8294418da2
SHA256 25beb8c6c2a8928b030683376ead5589afe64cd12168fcea2d320e8ed562bbd1
SHA512 517f4286b65c13025ccb5838f7bae09f664302f42dd68aa5d6248e171b7a136b892fa5964c8e3ccbc5c4a16d256e9b83b5852a8d5ae48d63c44e71872469790b
-
Filesize 634B
MD5 ac696428350bcd67d5c7b05373d828a1
SHA1 402aeb3946f9459d8b6048a4b3ac5ce8a64cf1d9
SHA256 3c488eb824e45600ab5dcee3de17b1029aad8ec6c1fce413cd6339de3e6a1dbf
SHA512 c2f3ec09224fe98579b5750166305df9de17fc355036e07c0cece614a056e25c0145458019d3790394aaefbec0463a5e2a67ecc7fb447231ee3a614127cb89b7
-
Filesize 704B
MD5 b61b7bca58440199082771ab383ad662
SHA1 6a538696f15c337e51e5b31f39d0aaa01ce372b5
SHA256 d6035edc5dec0bf24aa7207718d51939ca9e3e02c0975969fdd134c6c108bdb8
SHA512 96b7fc9b7b2e8086254a48ab12bc13db678edbdbbbb8e51791e3fdf2f0410f45cb5baa1aa6310f24707e7a62d86383cfdabd742ee14abf9ca617976ea365a130
-
Filesize 38B
MD5 a3a67647e2532feedded8646087d5990
SHA1 5764c971360d21a024a41f69228fddf275b1fb27
SHA256 e144dea4e9de1904edae6e30a04fb183c7b6f31aecbba2c10d46f2e4c0fc9000
SHA512 556f652ea9e0569389609b98a3b062b28a82d879579b3ac99941c30ac642ca5425ab1e4309c9a70585dda59fab09dc2b0c984768bb8e539afae6afe0e0ba8a43
-
Filesize 57B
MD5 9994834f8ca65bd2134021a3ae2404a7
SHA1 22554f9117ba77d365f7970f63034cf520a9f4e0
SHA256 13e2f6167ee235e61bf412b4bd49f91dd3b145660cec7887a1c2bc86482d63ae
SHA512 5ef9f9b0a74c8054e3bff124c8cb645384f054f1eea2359e416138eedf860037cc1c53ea4a49215d9cb6b57741968ff53dc97e8c14f8c88bb893b5956eebb923
-
Filesize 76B
MD5 7f104b7461321790743084452542f7e0
SHA1 f34afabd7d3ffbdf61cbc3a9e5ecda08909643c2
SHA256 064ceb088b0a5473fc96ff84df4ce38547b7604f9e5a6bc983ec0c59398019df
SHA512 557c50ea8d6c4e498b2d389bc16a8a7440ba8f8a755e4c829827b37b391b4760478c3d81b64a58c4ce40f4082d1113a8682787c6b26501f9bf8e0e0b96297b98
-
Filesize 95B
MD5 86c503bd36792a303fe9718ff0048fed
SHA1 b1e22277c5ef9695bedd1b440bc5e1493995e5e8
SHA256 559e910773ebbe48e5990383cf6b5c79378b3a074c7f0812aed619c4cfe5aab4
SHA512 adb7ff67649a45d01fcec6f7fc43a2ec9e353a4b6b4e8640850863ec80f9e786c0edfd8ecfdfef7bb6e6e3f9cbe5d0faa0353bb1d5d737292998b7214d88e980
-
Filesize 314B
MD5 509fd96d3dea6d65f895573dd0862d42
SHA1 50a0f2c0868de98894f96870f06c8854deba5b06
SHA256 16df1136c78a098ff3d4f3c32321fdb975da4cdd0bd466c205e5eacb44c69d24
SHA512 15fd9581e009f29ea340f30597ab687cf7d0c5dcb06faaee5ca6592d5584560ba09dd4522c93ca8af062c9b2ff2216c02f42eebedec61305a389df6500751846
-
Filesize 1KB
MD5 61583f887168b02eabddc6206509f2a6
SHA1 a6dce65eaaecc0551bb1d2abc86bcf9815f2c130
SHA256 8046eaf29550870faa34561d354e4541a08b3adc50227159f02533084e3ab48d
SHA512 513a8cd6bddd49fcf2cbe7e203e82cd78d0b6dc8e2251d94a6462876f5191c3e4a826b4fbe421b3dc97baf3aeea4f689526f12250e8ea1a9aa1acae43c5a1dc5
-
Filesize 28KB
MD5 4356cdce620ca5d8924089a5d04ca9ff
SHA1 841a46beacfe110433945fae017c3c6c84b8af44
SHA256 c710f7c6e6c090de57430c56f0e6df2c9f282410836dfa3cc0c78468668a5bf1
SHA512 0b58dd16f35d3851b2fa2e2658951634469d075e12eae235dfaedb1e65386a723c02592626679a041f75a2729963f8de481f9f0fc31d1852f9dab301eacdefae
-
Filesize 1.1MB
MD5 90fc739c83cd19766acb562c66a7d0e2
SHA1 451f385a53d5fed15e7649e7891e05f231ef549a
SHA256 821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431
SHA512 4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c
-
Filesize 24.6MB
MD5 139ee6f23d3fd780cdf5a72f08107f25
SHA1 71d0b1f611a0305ca14d7ec80bf147755e6354ee
SHA256 f5bbf9bd65120cf1a6020e8632c31732576ec0b898743beb6334380cbdbce14a
SHA512 20bae77a8743de6e733833dbd49c511d177da5ce7952e424d90187bc79bf9e8f29ac27f4d843102e71ddeef640bb059a1803f7845878e3f478276948de036ddd
-
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cbebad44-130c-4dd1-8922-3b64827ee21c}_OnDiskSnapshotProp
Filesize 6KB
MD5 ba8d71e5e014ac0a541cce6afaeea80f
SHA1 55f9a8bc94bdc7b087d67c78fa18d6d6a5195af7
SHA256 658deacca006b98b98f7bc50de91fb3f1228db7a953e5e343cb257dd4e9e3794
SHA512 590b024626d55d3b604641b6bda6bbe907c6b6a22994ac755445f655e128b5960489a76fe764f2388ce22816d8ecd9b33b428e9fc52a69e558b9393ad05daaf1