Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    09/11/2024, 10:20

General

  • Target

    ZTS3.exe

  • Size

    423.3MB

  • MD5

    a0caeb6eb607c47f90530895a33bca41

  • SHA1

    96899e70acd146d7e5f76fd68dd0e9f27090ac2b

  • SHA256

    a71944f5c2523be7d3a93b2b2fe9c145853808d24895e15ebd40a3d5db06a878

  • SHA512

    31c5465184c96c01d08ca6022297adae9e19e527d4558c6055a300ed0460aa689d455807f8de2527613dbcc149fcf4f3a1c3b2137387b3c3f7b7892f57cf256b

  • SSDEEP

    12582912:GBOBoXWJ4nxRP37z2xZsGyuCOIN/RsX40AUV2O:GBfG2xBz2xZ4OYpzm2O

Malware Config

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 41 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 44 IoCs
  • Drops file in Windows directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZTS3.exe
    "C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp" /SL5="$30174,443486740,121344,C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\is-SJDD6.tmp\ZTS3Setup_3.0.2377.0_en.msi"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3720
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:4624
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:1448
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4364
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe
        "C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe" -i
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4012
      • C:\Program Files (x86)\Zillya Total Security\drvcmd.exe
        "C:\Program Files (x86)\Zillya Total Security\drvcmd.exe" znf -ni zsc -i zef -ei
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2920
      • C:\Program Files (x86)\Zillya Total Security\WDReg.exe
        "C:\Program Files (x86)\Zillya Total Security\WDReg.exe" -i
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4312
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll"
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2416
      • C:\Program Files (x86)\Zillya Total Security\ZTS.exe
        "C:\Program Files (x86)\Zillya Total Security\ZTS.exe" /min /en
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3216
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic qfe list
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3216
        • C:\Windows\SysWOW64\find.exe
          find "KB3033929"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic qfe list
          3⤵
          • System Location Discovery: System Language Discovery
          PID:844
        • C:\Windows\SysWOW64\find.exe
          find "KB3033929"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic qfe list
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4880
        • C:\Windows\SysWOW64\find.exe
          find "KB3033929"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2012
    • C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3868
    • C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2208
    • C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:32
    • C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:4628
    • C:\Program Files (x86)\Zillya Total Security\ZTS.exe
      "C:\Program Files (x86)\Zillya Total Security\ZTS.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4692

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Config.Msi\e58654e.rbs

            Filesize

            26KB

          • C:\Program Files (x86)\Zillya Total Security\Drivers\zef\zef.sys

            Filesize

            44KB

          • C:\Program Files (x86)\Zillya Total Security\Drivers\znf\znf.sys

            Filesize

            111KB

          • C:\Program Files (x86)\Zillya Total Security\Drivers\zsc\zsc.sys

            Filesize

            92KB

          • C:\Program Files (x86)\Zillya Total Security\EventsFilterDLL.dll

            Filesize

            81KB

          • C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe

            Filesize

            36KB

          • C:\Program Files (x86)\Zillya Total Security\PCBlockedText.dat

            Filesize

            23KB

          • C:\Program Files (x86)\Zillya Total Security\SettingsLib.dll

            Filesize

            623KB

          • C:\Program Files (x86)\Zillya Total Security\SystemStatus.dll

            Filesize

            1.5MB

          • C:\Program Files (x86)\Zillya Total Security\WDReg.exe

            Filesize

            56KB

          • C:\Program Files (x86)\Zillya Total Security\WFBlockedText.dat

            Filesize

            23KB

          • C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll

            Filesize

            2.6MB

          • C:\Program Files (x86)\Zillya Total Security\ZTS.exe

            Filesize

            8.9MB

          • C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe

            Filesize

            4.7MB

          • C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe

            Filesize

            3.3MB

          • C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe

            Filesize

            2.0MB

          • C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe

            Filesize

            4.4MB

          • C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe

            Filesize

            2.8MB

          • C:\Program Files (x86)\Zillya Total Security\ZscLib.dll

            Filesize

            79KB

          • C:\Program Files (x86)\Zillya Total Security\app.ver

            Filesize

            12B

          • C:\Program Files (x86)\Zillya Total Security\drvcmd.exe

            Filesize

            79KB

          • C:\ProgramData\Zillya Total Security\Bases\CoreMain.DLL

            Filesize

            177KB

          • C:\ProgramData\Zillya Total Security\Bases\avbd.cur

            Filesize

            42B

          • C:\ProgramData\Zillya Total Security\Bases\borlndmm.dll

            Filesize

            29KB

          • C:\ProgramData\Zillya Total Security\Bases\fr001.dat

            Filesize

            2KB

          • C:\ProgramData\Zillya Total Security\Bases\h001.dll

            Filesize

            105KB

          • C:\ProgramData\Zillya Total Security\Bases\wf001.dat

            Filesize

            4.7MB

          • C:\ProgramData\Zillya Total Security\FwSysRules.dat

            Filesize

            941B

          • C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

            Filesize

            69B

          • C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

            Filesize

            143B

          • C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

            Filesize

            634B

          • C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

            Filesize

            704B

          • C:\ProgramData\Zillya Total Security\Logs\restore.log

            Filesize

            38B

          • C:\ProgramData\Zillya Total Security\Logs\restore.log

            Filesize

            57B

          • C:\ProgramData\Zillya Total Security\Logs\restore.log

            Filesize

            76B

          • C:\ProgramData\Zillya Total Security\Logs\restore.log

            Filesize

            95B

          • C:\ProgramData\Zillya Total Security\Logs\restore.log

            Filesize

            314B

          • C:\ProgramData\Zillya Total Security\Logs\update.log

            Filesize

            1KB

          • C:\ProgramData\Zillya Total Security\settings.db

            Filesize

            28KB

          • C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp

            Filesize

            1.1MB

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

            Filesize

            24.6MB

          • \??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cbebad44-130c-4dd1-8922-3b64827ee21c}_OnDiskSnapshotProp

            Filesize

            6KB
