Malware Analysis Report

2025-08-11 06:34

Sample ID 241109-mdg6hs1rew
Target ZTS3.exe
SHA256 a71944f5c2523be7d3a93b2b2fe9c145853808d24895e15ebd40a3d5db06a878
Tags discovery persistence privilege_escalation
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 a71944f5c2523be7d3a93b2b2fe9c145853808d24895e15ebd40a3d5db06a878

Threat Level: Likely malicious

The file ZTS3.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Drops file in Drivers directory

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-09 10:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-09 10:20
Reported 2024-11-09 10:24
Platform win11-20241007-en
Max time kernel 144s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\znf.sys C:\Program Files (x86)\Zillya Total Security\drvcmd.exe N/A
File created C:\Windows\system32\drivers\zsc.sys C:\Program Files (x86)\Zillya Total Security\drvcmd.exe N/A
File created C:\Windows\system32\drivers\zef.sys C:\Program Files (x86)\Zillya Total Security\drvcmd.exe N/A
File created C:\Windows\system32\drivers\znf.sys C:\Program Files (x86)\Zillya Total Security\drvcmd.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Zillya Total Security = "\"C:\\Program Files (x86)\\Zillya Total Security\\ZTS.exe\" /min" C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\h: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\q: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\r: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\x: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\y: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\s: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\l: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\n: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\t: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\m: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\v: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\j: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\k: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\w: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\e: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\z: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\g: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\p: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\i: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\u: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\o: C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Zillya Total Security\icuin54.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\icuuc54.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\libEGL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5Widgets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ConScan.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\SystemStatus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\smime3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Drivers\znf\Znf.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZscLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\mozcrt19.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\drvcmd.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\imageformats\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5Network.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\PCBlockedText.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\app.ver C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\plds4.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\icudt54.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\keyboard.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\softokn3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\WDReg.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\EventsFilterDLL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\certutil.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\SystemResearchTool.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\libGLESv2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\nss3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5WinExtras.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\WFBlockedText.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Drivers\zsc\Zsc.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\SettingsLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\plc4.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Qt5Gui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\Drivers\zef\Zef.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\ZTS.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Zillya Total Security\nss\nspr4.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfc120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{4FD7CE15-D84A-4F02-83DC-A1052470631B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfc120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC3D1AC480CFA7C0F.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfc120u_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC48BFB548BD57E51.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58654f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF5820F87A68F7F1D3.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFACB48B7A5F7D3E5D.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfcm120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfcm120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfcm120u_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58654d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58654d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\ProductIcon C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfc120u_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_mfcm120u_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F7E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\51EC7DF4A48D20F438CD1A50420736B1\3.0.2377\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\drvcmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZTS3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\WDReg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value omitted from report] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security\Proxy C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Zillya Total Security\Proxy\SettingsFrom = "0" C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\ProductIcon = "C:\\Windows\\Installer\\{4FD7CE15-D84A-4F02-83DC-A1052470631B}\\ProductIcon" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-SJDD6.tmp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\ = "ZContextMenu" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32\ = "C:\\Program Files (x86)\\Zillya Total Security\\ZCtx64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZContextMenu C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\ProductName = "Zillya Total Security" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24D7CA01-FB95-4556-9D54-A6486794E071}\InprocServer32\ = "ole32.dll" C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24D7CA01-FB95-4556-9D54-A6486794E071}\Data = "EC8679CD058C5A83A6F646CA39580890" C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1926438604375A40B71B3314667C76F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\ZContextMenu C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\PackageName = "ZTS3Setup_3.0.2377.0_en.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B}\InProcServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\PackageCode = "7308DF65F86037D4A8BE479436C17686" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\Version = "50334025" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\is-SJDD6.tmp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZContextMenu C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EC7DF4A48D20F438CD1A50420736B1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C14F7681-33D8-11D3-A09B-00500402F30B} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24D7CA01-FB95-4556-9D54-A6486794E071}\InprocServer32 C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ZContextMenu C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ZContextMenu C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24D7CA01-FB95-4556-9D54-A6486794E071} C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ZContextMenu\ = "{C14F7681-33D8-11D3-A09B-00500402F30B}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EC7DF4A48D20F438CD1A50420736B1\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1926438604375A40B71B3314667C76F\51EC7DF4A48D20F438CD1A50420736B1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EC7DF4A48D20F438CD1A50420736B1\SourceList C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A
N/A N/A C:\Program Files (x86)\Zillya Total Security\ZTS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ZTS3.exe C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp
PID 2712 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ZTS3.exe C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp
PID 2712 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\ZTS3.exe C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp
PID 4460 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp C:\Windows\SysWOW64\msiexec.exe
PID 4460 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp C:\Windows\SysWOW64\msiexec.exe
PID 4460 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp C:\Windows\SysWOW64\msiexec.exe
PID 4364 wrote to memory of 1868 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4364 wrote to memory of 1868 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4364 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe
PID 4364 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe
PID 4364 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe
PID 4364 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\drvcmd.exe
PID 4364 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\drvcmd.exe
PID 4364 wrote to memory of 2920 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\drvcmd.exe
PID 4364 wrote to memory of 4312 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\WDReg.exe
PID 4364 wrote to memory of 4312 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\WDReg.exe
PID 4364 wrote to memory of 4312 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\WDReg.exe
PID 4364 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4364 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3220 wrote to memory of 4672 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4672 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4672 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4672 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4672 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4672 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4672 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4672 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3220 wrote to memory of 4692 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4692 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4692 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 4692 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4692 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4692 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4692 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4692 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4692 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4364 wrote to memory of 3216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\ZTS.exe
PID 4364 wrote to memory of 3216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\ZTS.exe
PID 4364 wrote to memory of 3216 N/A C:\Windows\system32\msiexec.exe C:\Program Files (x86)\Zillya Total Security\ZTS.exe
PID 3220 wrote to memory of 4864 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4864 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4864 N/A C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4864 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4864 wrote to memory of 4880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4864 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4864 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4864 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ZTS3.exe

"C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"

C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp" /SL5="$30174,443486740,121344,C:\Users\Admin\AppData\Local\Temp\ZTS3.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\is-SJDD6.tmp\ZTS3Setup_3.0.2377.0_en.msi"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe

"C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe" -i

C:\Program Files (x86)\Zillya Total Security\drvcmd.exe

"C:\Program Files (x86)\Zillya Total Security\drvcmd.exe" znf -ni zsc -i zef -ei

C:\Program Files (x86)\Zillya Total Security\WDReg.exe

"C:\Program Files (x86)\Zillya Total Security\WDReg.exe" -i

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll"

C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe

"C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe"

C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe

"C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe"

C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe

"C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic qfe list

C:\Windows\SysWOW64\find.exe

find "KB3033929"

C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe

"C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe"

C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe

"C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic qfe list

C:\Windows\SysWOW64\find.exe

find "KB3033929"

C:\Program Files (x86)\Zillya Total Security\ZTS.exe

"C:\Program Files (x86)\Zillya Total Security\ZTS.exe" /min /en

C:\Program Files (x86)\Zillya Total Security\ZTS.exe

"C:\Program Files (x86)\Zillya Total Security\ZTS.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic qfe list | find "KB3033929"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic qfe list

C:\Windows\SysWOW64\find.exe

find "KB3033929"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cxcs.microsoft.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 2.18.66.162:443 tcp
GB 2.18.66.162:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.162:443 tcp
US 8.8.8.8:53 licenses.zillyaantivirus.com udp
GB 2.18.66.74:443 tcp
GB 2.18.66.74:443 tcp
GB 2.18.66.74:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
GB 2.18.66.74:443 tcp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
GB 2.18.66.65:443 tcp
US 8.8.8.8:53 files.zillyaantivirus.com udp
US 8.8.8.8:53 files.zillyaantivirus.com udp
US 8.8.8.8:53 updateserver.zillya.com udp
US 8.8.8.8:53 messages.zillyaantivirus.com udp
US 8.8.8.8:53 messages.zillya.ua udp
US 8.8.8.8:53 licenses.zillyaantivirus.com udp

Files

memory/2712-1-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2712-2-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G8QLV.tmp\ZTS3.tmp

MD5 90fc739c83cd19766acb562c66a7d0e2
SHA1 451f385a53d5fed15e7649e7891e05f231ef549a
SHA256 821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431
SHA512 4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

memory/4460-6-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2712-8-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4460-10-0x0000000000400000-0x000000000052D000-memory.dmp

memory/4460-16-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Program Files (x86)\Zillya Total Security\MSCMgr.exe

MD5 8a25e81f3274d902ad3d4cf38a188142
SHA1 e3cc21987210ad1e9ec501e08ebeae86fb695d64
SHA256 ef79310a5d72bafd391e8a56b7c07aa2bb61c606d8f88d4b1d32e4be7de8cdc1
SHA512 acc22d8238c64131afd2362fa1c7bbfba50dc858831fb097034f7a58f9e45e2f53a55e43b1e23e68c3e459bffe7996bbc14349bbe71f8ead978d26f53c15239b

C:\Program Files (x86)\Zillya Total Security\drvcmd.exe

MD5 eb5c361ef56a3de8882c0e88807ecb2a
SHA1 a5d1f630c0521abf5f1ad1080eb331a7fa2da71d
SHA256 b66436429d7e9a209a7c91f6cc882506a5777722450107ec27fae3af4d2fc7e2
SHA512 5c392e7c45114237a72a67d96191857a0eeafe54ddf11020840e122bf914b1a9ec14de42198d3c3a23f11f48c3f08568eccd185468c3dcee9eece55b8e251ccf

C:\Program Files (x86)\Zillya Total Security\WDReg.exe

MD5 f0337377d11b067deb5b6b2da719663a
SHA1 6924486c76f9a5c68c629cac505fd229c1e7a0d2
SHA256 14f37a81090cc3eaec508adfdf7b365214855abf21febeb441faa621848a3a99
SHA512 3e9dd0fec937b572b7f8f7cdb5aa3196c5fc014db769029bce873e89bc64a983cf81b66c6003657fadba1b9eec66171f6d5cc20b301aea29c9e2f696343ff294

C:\Program Files (x86)\Zillya Total Security\Drivers\zef\zef.sys

MD5 ade47a3761e8a3dc2b328ae6d6a3dc47
SHA1 aec69d3907995ae0cfe7642e53413f5217d4ec90
SHA256 13c987d0381b7c035a52edd7c1fec4dd2f8f4ac63d9ec2d7e6c0b91884cf7606
SHA512 b2df76490d9d51fdc79b344466b3247caed1cf82a5894b97f7d3aa7afdf4418aff36eed4f7aaa1ac47d7964322c92ae853a89bb0f5a41d1c55e2803991d12025

C:\Program Files (x86)\Zillya Total Security\ZTS.exe

MD5 217477945fbca3c306d20e0d06618aad
SHA1 c5fb10681d163f4e82763a15155bdb985828f025
SHA256 14db163f1397bab601297f66c1d0c9f02198707b9b783a6e2a11a801da01a100
SHA512 bc580b115b36df1484b182d87d203867996b31406867e28179b1ae3b6d4fffff722225cd08ce857a5d20c0df718fb521cf5079966362dc5e188108f399dcbadf

C:\Program Files (x86)\Zillya Total Security\Drivers\zsc\zsc.sys

MD5 493d7ceaa350e690075cf88fe7e75731
SHA1 d81e5a5467edd5a3e0df48b2d7d15df2113acf2b
SHA256 605b7a5f419d1f2f80f71d64553cd1b6494b9559d28d335637a0969deef31fd3
SHA512 46443b3819b9a9669fbdfa5a545a21a62a062e3c47ae975df8a70a5ba0b504c0dad3352cc9440eb41edba01cf6d36b11d8e363ea1bb65dc83323e0eba9ca7838

memory/4312-176-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files (x86)\Zillya Total Security\ZCtx64.dll

MD5 7d1382176ca0bb05d46fec1f8117b55f
SHA1 ab46f5f8d93ad92d59d32be4ad4136665440ee65
SHA256 39881bfbb801f4ce95ee5df907691d796a83be606b6ddd527ddf6a51f25ac59b
SHA512 048d30c21546a08e103b21982ca2168546f28c439b5abc5d6296abdfa220ff4f67fb4d36e8846f332d0d47a2f66c02fc0f3ff160625653e722d4d9f8c902cdb3

C:\Program Files (x86)\Zillya Total Security\Drivers\znf\znf.sys

MD5 a948707ca4c4397386d2a0b33a3a7418
SHA1 1ebc0eb3ecae92d394cb874f583565816a15f665
SHA256 a4210956cf92ea4212007708b4529d71ceb92f771749378845f650182a098680
SHA512 6cba869e19570c087340e2c9ef6a084abe030514d82850b9a41689827444ed578531fec17142b9a85b32eafba698c5d7b3cca663eca3373f3f7da85418be4525

C:\Program Files (x86)\Zillya Total Security\app.ver

MD5 5fd69b3b7ebee628618bbda0368dbef9
SHA1 b48404aa93848005fc081cc59f77af7e05c5704f
SHA256 352d905e0bd476d7e6dfa461c8fb6d2655bad75210ff4d5315f98564f26f9de6
SHA512 c5626fd5b5b4d47c2a282841cb7bb4a02daa0ad25256115171b9d2537973834ae5057c57b38ac8c13a82f3c2ca5006fce7c9f93b42c3084fb2bc95d697a83f30

C:\Program Files (x86)\Zillya Total Security\ZTSAux.exe

MD5 aa93b7678c6124dfcc705bdd5527280d
SHA1 598d3d49dd27ab0bfe5b1bf232e3ce1466b85752
SHA256 eae63d90d5fb2dc9d03d6306748921566b143d7d7a035b8fdc26c39acd9908b2
SHA512 883038baafa9e70a3ca5c8406e51ed0d4af9b4e02f2ad9b1272c85337b7d84de454138846beb8e2f2d648b409a66e06a917c3e28913ea3de17b5c79b752dc320

C:\Program Files (x86)\Zillya Total Security\SettingsLib.dll

MD5 b2c4c15a1c35f61fe5ab4623741e4bea
SHA1 5660dbdfc6b7e38fe2217b9027123397aa2239e0
SHA256 2caaf09aa6250c4e2f6282f92dfd8527a1e176597ccb7daed175206421e7c6fd
SHA512 d66b567560ec084cb299741f9a16fa45fa83ebfb66e56bfee05f0cf9889ae04c49fed9b6abbdf25397e2d192dffcf862fdb9cf6b06aca55d511b7a2f0a8dec62

C:\Program Files (x86)\Zillya Total Security\SystemStatus.dll

MD5 133489e8b7e87f917062182e63356246
SHA1 604149492574d77f72923cdf94a449b8898c756e
SHA256 df1ec2bf6381ca1292663f252759fc1a612043223ebd70ea4dbefac4f4d697e3
SHA512 839a4677ec688d3689b4ef17686748805b728aa27d26307d407eface72aa32d54a0ab5a8c21ad7bbb8400779a08575db324058bab79245ec353b348f2b347179

\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cbebad44-130c-4dd1-8922-3b64827ee21c}_OnDiskSnapshotProp

MD5 ba8d71e5e014ac0a541cce6afaeea80f
SHA1 55f9a8bc94bdc7b087d67c78fa18d6d6a5195af7
SHA256 658deacca006b98b98f7bc50de91fb3f1228db7a953e5e343cb257dd4e9e3794
SHA512 590b024626d55d3b604641b6bda6bbe907c6b6a22994ac755445f655e128b5960489a76fe764f2388ce22816d8ecd9b33b428e9fc52a69e558b9393ad05daaf1

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 139ee6f23d3fd780cdf5a72f08107f25
SHA1 71d0b1f611a0305ca14d7ec80bf147755e6354ee
SHA256 f5bbf9bd65120cf1a6020e8632c31732576ec0b898743beb6334380cbdbce14a
SHA512 20bae77a8743de6e733833dbd49c511d177da5ce7952e424d90187bc79bf9e8f29ac27f4d843102e71ddeef640bb059a1803f7845878e3f478276948de036ddd

C:\Program Files (x86)\Zillya Total Security\ZTSUpdater.exe

MD5 d91706aace6b5c6991e38537ddc2189f
SHA1 fe6470408f35760987978286a01c270ae0eb804a
SHA256 8d3289525d26b5e79a944794f5a2b7f969e80ab5b5f9e937bc932aaca6e8b81c
SHA512 6249c26ab897f8609679867351ff910aa0eb2ca35fcd6598c7a2eae4e27f0e6e834a65cc2ae26e99feccdbdc95e9b72e532c88ad3e5f5b9f78b9dfa16e5b1237

C:\ProgramData\Zillya Total Security\settings.db

MD5 4356cdce620ca5d8924089a5d04ca9ff
SHA1 841a46beacfe110433945fae017c3c6c84b8af44
SHA256 c710f7c6e6c090de57430c56f0e6df2c9f282410836dfa3cc0c78468668a5bf1
SHA512 0b58dd16f35d3851b2fa2e2658951634469d075e12eae235dfaedb1e65386a723c02592626679a041f75a2729963f8de481f9f0fc31d1852f9dab301eacdefae

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 d001f3d93225ac86c3af7784d09397f4
SHA1 889fe135188fad97ebabfb9f66e0bfb4549528f4
SHA256 8d633d762396222e04ac9d3fcba3547bd0a723790ca18bccea432bacad6f9a5d
SHA512 846e66f7debe84017a91f5603ef2fac12dbc5b485b617a3aa451c8f7331e97fe8dbba43c206b9672d0c9f09a42d2b740f28c683ea27aca22707c784d28a05bca

C:\ProgramData\Zillya Total Security\Logs\restore.log

MD5 a3a67647e2532feedded8646087d5990
SHA1 5764c971360d21a024a41f69228fddf275b1fb27
SHA256 e144dea4e9de1904edae6e30a04fb183c7b6f31aecbba2c10d46f2e4c0fc9000
SHA512 556f652ea9e0569389609b98a3b062b28a82d879579b3ac99941c30ac642ca5425ab1e4309c9a70585dda59fab09dc2b0c984768bb8e539afae6afe0e0ba8a43

C:\Program Files (x86)\Zillya Total Security\ZTSNet.exe

MD5 64e43fa00a6fac75403193c87f6acc1c
SHA1 91464aab6cd294c5a7280dabfd628c5fb39dd64f
SHA256 2235d58e372cc891c7dce56ee93b6393f20f51eead7bdf2573e5a58fc2506331
SHA512 f2a5bf096bfcb340e830b41d164e108440df3afc4aeda7fd35c9f1b6829c602f78a699630e913e6229bae123c76ccccd1c7abd156b38db35f3c122a64343bd5b

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 e9bbc5a77dc063435819b3ee6fbc2429
SHA1 2f46fec8fc34ebd0509d61b6559fcf8294418da2
SHA256 25beb8c6c2a8928b030683376ead5589afe64cd12168fcea2d320e8ed562bbd1
SHA512 517f4286b65c13025ccb5838f7bae09f664302f42dd68aa5d6248e171b7a136b892fa5964c8e3ccbc5c4a16d256e9b83b5852a8d5ae48d63c44e71872469790b

C:\ProgramData\Zillya Total Security\Logs\restore.log

MD5 9994834f8ca65bd2134021a3ae2404a7
SHA1 22554f9117ba77d365f7970f63034cf520a9f4e0
SHA256 13e2f6167ee235e61bf412b4bd49f91dd3b145660cec7887a1c2bc86482d63ae
SHA512 5ef9f9b0a74c8054e3bff124c8cb645384f054f1eea2359e416138eedf860037cc1c53ea4a49215d9cb6b57741968ff53dc97e8c14f8c88bb893b5956eebb923

C:\ProgramData\Zillya Total Security\FwSysRules.dat

MD5 4aa67c1b6ad9c2cdabe8f7ae8e515943
SHA1 1a6cc8eeceb0f1846d8d6d0093fa28fe9f649ee5
SHA256 d44e3c6e49489697f4cb0bb5f01a53b1eaf20d1b8d613dadab2180a959d7dedf
SHA512 25988c1e925b39710cb130d7fa08840b7343b7febe1d78147b445239f0c33d107e044df137fa2d5e762fcf2fb4e68d12353ae0c604aaf9b904b684b20c796a13

C:\Program Files (x86)\Zillya Total Security\WFBlockedText.dat

MD5 cb1a37528bcc420275beaa8d816726fb
SHA1 d772d5f3a62462fed45ee346c7efeae57aedc45d
SHA256 35a962f1ccc6c7a0b88dfbfaf7a9d8a0ba45a217c50c498ef828d57307e256ca
SHA512 53c77efd01ede84b016ab65b2dd453eceabe0ab92a198bdab08043846a9a2148b16f1f166cd9bd851399b5a24d66754863571d4184eee3e7d95685d089fe877e

C:\Program Files (x86)\Zillya Total Security\PCBlockedText.dat

MD5 d07a2a823ce35f50c341c3f07d990982
SHA1 53fe8e8238b29bc5e6c81f57e699838760da8005
SHA256 437242ebe5f5720a76c8d36ffff356e077237618b5ba87eaac797042ea7d9ee1
SHA512 54f2313539bea2c75532ff6b13f69f53608de45606150a358757c96a4eadaaeafd767c74bd145226eae8ff156396fe858857957e52695ef1c2da892b206690e6

C:\ProgramData\Zillya Total Security\Bases\fr001.dat

MD5 37b906c90af52e9088500b1ca534c481
SHA1 1d783968c6e230412f84cb5f994f14f140ec2396
SHA256 20216e650efce62a7de0d43ab2651d4ba7744c7cf6ed50ae54b88358d4373ab8
SHA512 31df701b781410077d8439a806f0bad8fd7aa3a28da3e93ae2e6181551af92d5567b116682c9e4160b9b1ca32d9e7b9925328f2d53be7a3bca0a0f1749582e6e

C:\ProgramData\Zillya Total Security\Bases\wf001.dat

MD5 67d15235ab3b06b3eff17bbfde63d2bc
SHA1 f8d9f67c68585c47536b42381a1e2060ca488cb6
SHA256 63fbce4363e3ab94cec0d42640ded6701b82d154ad8c05ce7c383e3fef4615a6
SHA512 1ca2cc3fd1b3fba85f7daebdb1096695161849ab6127f903ad883e80cd885ce5695c31859ea1a9359e88789de2cc2c317600d5a83a5defe29413a2838bc40e3d

C:\Program Files (x86)\Zillya Total Security\ZTSHips.exe

MD5 c0fea8d63db45666f53d5645bb3eb9b7
SHA1 f647d905ea229afd41d52b649ca75f4f657c2625
SHA256 f7e7af645ee9cb6af4816551713eb83d3a8302db2c9d50a40698e9f0495e2571
SHA512 eb04ef95d268f7246ccdf286aa729bd5250ae440ae23ad254d850debb49836efa337d0a6d07af15e19c4fffa0e076b0f5e28206d47095274c95f0aba2cf570fc

C:\Program Files (x86)\Zillya Total Security\EventsFilterDLL.dll

MD5 ec607f851302ba994b3b62becce410de
SHA1 e23af25a71b41d17bf716f86a803946cafcbfdaf
SHA256 fcb37de351738d2bff8bbe6b746128d8aa4c271e3a05d0e72574ab783245e03e
SHA512 5fc1ba0bd6e0c0b568ebe9b9ea7658110b45b7338083a91fcd7951d0296d72b99ed5b1d564e558e1066d8618b0f0e4d69e13c3f6eb2c6fbf3f40e8648c711889

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 ac696428350bcd67d5c7b05373d828a1
SHA1 402aeb3946f9459d8b6048a4b3ac5ce8a64cf1d9
SHA256 3c488eb824e45600ab5dcee3de17b1029aad8ec6c1fce413cd6339de3e6a1dbf
SHA512 c2f3ec09224fe98579b5750166305df9de17fc355036e07c0cece614a056e25c0145458019d3790394aaefbec0463a5e2a67ecc7fb447231ee3a614127cb89b7

C:\ProgramData\Zillya Total Security\Logs\restore.log

MD5 7f104b7461321790743084452542f7e0
SHA1 f34afabd7d3ffbdf61cbc3a9e5ecda08909643c2
SHA256 064ceb088b0a5473fc96ff84df4ce38547b7604f9e5a6bc983ec0c59398019df
SHA512 557c50ea8d6c4e498b2d389bc16a8a7440ba8f8a755e4c829827b37b391b4760478c3d81b64a58c4ce40f4082d1113a8682787c6b26501f9bf8e0e0b96297b98

C:\ProgramData\Zillya Total Security\Bases\h001.dll

MD5 860f892463edc160c04bc4b3ca8c1d9a
SHA1 cbb7360599908c71159da092524cf43413032149
SHA256 8a7ba879a4e4854635d6e7e077e6c3681b79440a1c6e51303ee842b2b2e14579
SHA512 fc0783b742c19fea017de1793f2583fa0f08e2c112e3fb41a63afd41714c942fe9b97e824a5c48e1c316f8072cd45a4b41813c3bfc7a2908a94b126ee7545177

memory/32-322-0x00000000019F0000-0x0000000001A13000-memory.dmp

C:\Program Files (x86)\Zillya Total Security\ZTSCore.exe

MD5 c5dbf7de3aaf7bbf14dfd35ae31548c1
SHA1 b99beef90a0bba700b156b007c2662693725a06e
SHA256 509e1d39d60886df026fea2db96d212b3156368708b27850cdb5ef0a731f12e9
SHA512 ffc955c42f2fe06381ce5e60c9e6f8320e6b1d7ec9d8bfd74b077f3cc5c8e5dd05a522733b6083af0d8da5fa0c1ec6b2c0890812e27909562d7cd61cc6e4e2d7

C:\Program Files (x86)\Zillya Total Security\ZscLib.dll

MD5 8f45fe6e315809f3bef5f76579a778e3
SHA1 7dbdeef1ecbfb67167e574977f4fe54f063206ec
SHA256 4d4e17d93283fbe5aa18a6a788defb3cbfa11ac08da786ea694e1cb10ca41705
SHA512 76c32a118afd99d96a7b19b8f66c198e873a9315395c8f77b86bf45731e11cc9f2e3879694d23d3ac6d018e0e6da69624e35f33d01253d5ac5522a06ad4fbe76

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 b61b7bca58440199082771ab383ad662
SHA1 6a538696f15c337e51e5b31f39d0aaa01ce372b5
SHA256 d6035edc5dec0bf24aa7207718d51939ca9e3e02c0975969fdd134c6c108bdb8
SHA512 96b7fc9b7b2e8086254a48ab12bc13db678edbdbbbb8e51791e3fdf2f0410f45cb5baa1aa6310f24707e7a62d86383cfdabd742ee14abf9ca617976ea365a130

C:\ProgramData\Zillya Total Security\Logs\restore.log

MD5 86c503bd36792a303fe9718ff0048fed
SHA1 b1e22277c5ef9695bedd1b440bc5e1493995e5e8
SHA256 559e910773ebbe48e5990383cf6b5c79378b3a074c7f0812aed619c4cfe5aab4
SHA512 adb7ff67649a45d01fcec6f7fc43a2ec9e353a4b6b4e8640850863ec80f9e786c0edfd8ecfdfef7bb6e6e3f9cbe5d0faa0353bb1d5d737292998b7214d88e980

memory/4628-340-0x0000000000D50000-0x0000000000D61000-memory.dmp

memory/4628-339-0x0000000000C20000-0x0000000000C2E000-memory.dmp

C:\ProgramData\Zillya Total Security\Bases\CoreMain.DLL

MD5 397ec6fc9ad0502125d5d48be9760abc
SHA1 09f43932f07ad6bd6133421e6f5b63ff960151aa
SHA256 73ce14bc0c052e9315ce85a7c09073cff822af6db3c61b95568789ca65ff01fa
SHA512 f8d7865ba91a97b98c6cb1d568332ea172a1bbcf77af73268d523fd35fb4025b13d18f13f324dde32f568f2e11a9369ab4abe3302bbfc53f4d47f5ea042ddfbe

C:\ProgramData\Zillya Total Security\Bases\borlndmm.dll

MD5 f2264abae9d3da4bd185f8177016c234
SHA1 2eb10ce6cc47443b67c4e1ce495dd8d8bb2a90e1
SHA256 d2a651547a83723be81fb4e87bd75fae6f95666050e072a30c22d7ace0cb5f20
SHA512 b51d5e11417467682c68e0a92a20b03c18650edbc58cef7ce6ce1a768ec65643f094d549ce0139d28ebf9d90c4fc43d1bef013fcd923d7670c450a994c878104

memory/4628-336-0x0000000001C90000-0x0000000001CC6000-memory.dmp

C:\Config.Msi\e58654e.rbs

MD5 ab9b8c784d8065c50e941a0c0a226440
SHA1 8bad3c659bb8b44acfe3ef5c5019d792e4ab87e7
SHA256 026001885c9b644253edb7ab5d33352ca0923e20942ebf9062002fb1bbba72d5
SHA512 b82131803b8cc7f56077c985f7dcb3c58ae363143981e04b945fed99f31852748274202689b6025a67ef0760017a883d5225941ee7cde4cce8c93dc83303229a

memory/4460-358-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2712-360-0x0000000000400000-0x0000000000428000-memory.dmp

memory/32-364-0x00000000019F0000-0x0000000001A13000-memory.dmp

memory/4628-368-0x0000000000D50000-0x0000000000D61000-memory.dmp

memory/4628-367-0x0000000000C20000-0x0000000000C2E000-memory.dmp

memory/4628-366-0x0000000021660000-0x0000000021671000-memory.dmp

memory/4628-365-0x0000000001C90000-0x0000000001CC6000-memory.dmp

C:\ProgramData\Zillya Total Security\Logs\restore.log

MD5 509fd96d3dea6d65f895573dd0862d42
SHA1 50a0f2c0868de98894f96870f06c8854deba5b06
SHA256 16df1136c78a098ff3d4f3c32321fdb975da4cdd0bd466c205e5eacb44c69d24
SHA512 15fd9581e009f29ea340f30597ab687cf7d0c5dcb06faaee5ca6592d5584560ba09dd4522c93ca8af062c9b2ff2216c02f42eebedec61305a389df6500751846

memory/4628-382-0x0000000000D50000-0x0000000000D61000-memory.dmp

memory/4628-380-0x0000000021660000-0x0000000021671000-memory.dmp

memory/4628-379-0x0000000001C90000-0x0000000001CC6000-memory.dmp

C:\ProgramData\Zillya Total Security\Logs\update.log

MD5 61583f887168b02eabddc6206509f2a6
SHA1 a6dce65eaaecc0551bb1d2abc86bcf9815f2c130
SHA256 8046eaf29550870faa34561d354e4541a08b3adc50227159f02533084e3ab48d
SHA512 513a8cd6bddd49fcf2cbe7e203e82cd78d0b6dc8e2251d94a6462876f5191c3e4a826b4fbe421b3dc97baf3aeea4f689526f12250e8ea1a9aa1acae43c5a1dc5

C:\ProgramData\Zillya Total Security\Bases\avbd.cur

MD5 81a0ad44c85c4f13dd914b9080454a30
SHA1 b302c1533bb4cbc31ff89c4a332cde61313f9b15
SHA256 91975a61a546693e60941f54e19789f7e91ee4f9dd2787f00c51409fca1fb270
SHA512 becc0ace29ca4a43d052e85a1e1e950ef45e656ba7df24f5096dcb5986b8476bf3ded2fd24dad7e49e21911e3a1f4401044627a94be7a165e4841bdd68b0c31f
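The file list above is useful as indicators only if it is read carefully: the same log path appears several times with different digests (the file was rewritten during the run, not a duplicated entry), memory-dump lines carry no digests at all, and a copied hash that lost a character is worthless. The parser below is an added example written for this page, not part of the sandbox's or the vendor's tooling. It assumes the section's layout exactly as shown (a path line, blank line, then MD5/SHA1/SHA256/SHA512 lines), takes the sample records from the report above, and adds one constructed entry with a truncated SHA256 to show the validation firing. The "sensitive prefix" list is a triage choice of mine, not something the report states.

```python
"""Parse the Files section of this sandbox report (path line followed by
MD5/SHA1/SHA256/SHA512 lines, memory-dump lines interleaved) into records,
validate digest lengths and flag writes to locations worth a second look.
Added example for this page; it is not the sandbox vendor's own tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hex length of each digest; a copy/paste that drops a character shows up here.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Memory-dump entries in this report format carry no digests.
MEMORY_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")

# Assumed triage list (lower-cased prefixes): system/driver directories, Program
# Files, and Volume Shadow Copy / System Volume Information paths.
SENSITIVE_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files (x86)\\",
    "c:\\program files\\",
    "\\??\\globalroot\\device\\harddiskvolumeshadowcopy",
    "\\??\\volume{",
)


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def is_memory_dump(self) -> bool:
        return MEMORY_LINE.match(self.path) is not None

    @property
    def is_sensitive(self) -> bool:
        return self.path.lower().startswith(SENSITIVE_PREFIXES)

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_files_section(text: str) -> list:
    """A non-blank line that is not a hash line opens a new record; hash lines
    attach to the most recent record. Problems are recorded, not raised, so one
    malformed entry does not stop the parse."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current.problems.append(
                    f"{algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            if algo in current.hashes:
                current.problems.append(f"duplicate {algo} line")
            current.hashes[algo] = digest
        else:
            current = FileRecord(path=line)
            records.append(current)
    for r in records:
        if not r.is_memory_dump and not r.hashes:
            r.problems.append("no digests listed")
    return records


def versions_by_path(records) -> dict:
    """Distinct SHA256 values per path: a log rewritten during the run shows up
    as several entries with different digests, which is a file being updated."""
    seen = defaultdict(list)
    for r in records:
        sha = r.hashes.get("SHA256")
        if sha and sha not in seen[r.path]:
            seen[r.path].append(sha)
    return dict(seen)


def summarize(text: str) -> dict:
    """Triage view: what landed where, which drivers hit disk, which entries
    have a malformed digest and so cannot be used as indicators."""
    records = parse_files_section(text)
    return {
        "files": [r.path for r in records if not r.is_memory_dump],
        "memory_dumps": [r.path for r in records if r.is_memory_dump],
        "drivers": [r.path for r in records if r.is_driver],
        "sensitive": [r.path for r in records if r.is_sensitive],
        "versions": versions_by_path(records),
        "problems": [(r.path, r.problems) for r in records if r.problems],
    }


# Sample input: four entries copied from the report above plus one constructed
# entry (constructed-truncated.bin) whose SHA256 is deliberately 60 hex chars.
SAMPLE = r"""
C:\Program Files (x86)\Zillya Total Security\Drivers\znf\znf.sys

MD5 a948707ca4c4397386d2a0b33a3a7418
SHA1 1ebc0eb3ecae92d394cb874f583565816a15f665
SHA256 a4210956cf92ea4212007708b4529d71ceb92f771749378845f650182a098680
SHA512 6cba869e19570c087340e2c9ef6a084abe030514d82850b9a41689827444ed578531fec17142b9a85b32eafba698c5d7b3cca663eca3373f3f7da85418be4525

memory/4312-176-0x0000000000400000-0x0000000000414000-memory.dmp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 139ee6f23d3fd780cdf5a72f08107f25
SHA1 71d0b1f611a0305ca14d7ec80bf147755e6354ee
SHA256 f5bbf9bd65120cf1a6020e8632c31732576ec0b898743beb6334380cbdbce14a
SHA512 20bae77a8743de6e733833dbd49c511d177da5ce7952e424d90187bc79bf9e8f29ac27f4d843102e71ddeef640bb059a1803f7845878e3f478276948de036ddd

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 d001f3d93225ac86c3af7784d09397f4
SHA1 889fe135188fad97ebabfb9f66e0bfb4549528f4
SHA256 8d633d762396222e04ac9d3fcba3547bd0a723790ca18bccea432bacad6f9a5d
SHA512 846e66f7debe84017a91f5603ef2fac12dbc5b485b617a3aa451c8f7331e97fe8dbba43c206b9672d0c9f09a42d2b740f28c683ea27aca22707c784d28a05bca

C:\ProgramData\Zillya Total Security\Logs\SystemStatus.log

MD5 e9bbc5a77dc063435819b3ee6fbc2429
SHA1 2f46fec8fc34ebd0509d61b6559fcf8294418da2
SHA256 25beb8c6c2a8928b030683376ead5589afe64cd12168fcea2d320e8ed562bbd1
SHA512 517f4286b65c13025ccb5838f7bae09f664302f42dd68aa5d6248e171b7a136b892fa5964c8e3ccbc5c4a16d256e9b83b5852a8d5ae48d63c44e71872469790b

C:\Users\Admin\AppData\Local\Temp\constructed-truncated.bin

MD5 00112233445566778899aabbccddeeff
SHA256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789ab
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Feeding the whole Files section of the report through `summarize` gives a deduplicated SHA256 set per path for blocklists, the list of `.sys` files that reached disk, and every entry whose digest length is wrong and should be re-checked against the original report before it is shared as an indicator.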