Edit tour

Windows Analysis Report
Zscaler-windows-4.4.0.309-installer-x64.exe

Overview

General Information

Sample name:	Zscaler-windows-4.4.0.309-installer-x64.exe
Analysis ID:	1554237
MD5:	37d6c75390d283f47665db629ebaa626
SHA1:	7eaeba97bba91b0c1fcfda9538ced8b813676514
SHA256:	bb7f812a83fbbde43ff81b0349dc59b06a226765333817c7157593494fa5e65c
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	65
Range:	0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)

Query firmware table information (likely to detect VMs)

Registers a service to start in safe boot mode

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables driver privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sigma detected: Suspicious Copy From or To System Directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

Zscaler-windows-4.4.0.309-installer-x64.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe" MD5: 37D6C75390D283F47665DB629EBAA626)

dllhost.exe (PID: 6916 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cmd.exe (PID: 6692 cmdline: C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZSAService.exe (PID: 1092 cmdline: "C:\Program Files\Zscaler\ZSAService\ZSAService.exe" -pushCert MD5: BA783DEC4A0BBBA3619648B2853D68F1)

ZSAHelper.exe (PID: 6728 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setRecoveryMode MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6508 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATrayManager MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 7136 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATunnel MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6936 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAService MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6876 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpdater MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 4540 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpm MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 3424 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATray MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 1816 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAHelper MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 1428 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAMTAuthApp MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 3364 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPInstaller MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6916 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPService MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6604 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZDPInstaller MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 408 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSACli MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 5464 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSFFutil MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 1788 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --migrateConfigFiles MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6748 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --updatePrevInstallerHash MD5: F9BB669A809694C1E085E963610A4866)

svchost.exe (PID: 7124 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6352 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7160 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1540 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 2196 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 5868 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ZSAService.exe (PID: 3720 cmdline: "C:\Program Files\Zscaler\ZSAService\ZSAService.exe" MD5: BA783DEC4A0BBBA3619648B2853D68F1)

sc.exe (PID: 3224 cmdline: C:\Windows\System32\sc.exe stop ZSAUpm MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZSATrayManager.exe (PID: 2120 cmdline: "C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe" MD5: 90AFC50FD2BB415992B218E20BB303F2)

ZSATray.exe (PID: 3484 cmdline: ZSATray.exe MD5: 70271880E4C851B68574F76962C01D1E)

Zscaler-windows-4.4.0.309-installer-x64.exe (PID: 3724 cmdline: "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe" MD5: 37D6C75390D283F47665DB629EBAA626)

Zscaler-windows-4.4.0.309-installer-x64.exe (PID: 5612 cmdline: "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe" MD5: 37D6C75390D283F47665DB629EBAA626)

fsutil.exe (PID: 6744 cmdline: C:\Windows\System32\fsutil.exe reparsepoint query C:\ProgramData\Zscaler MD5: DE00EDA7134D3365E6074700E3008CAD)

ZSAHelper.exe (PID: 6372 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --isInstallerPasswordConfigured 2 0 MD5: F9BB669A809694C1E085E963610A4866)

ZSAHelper.exe (PID: 6560 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --installerDisableAntiTampering 2 0 MD5: F9BB669A809694C1E085E963610A4866)

cmd.exe (PID: 2852 cmdline: C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZSAHelper.exe (PID: 1100 cmdline: "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --markStop 2 0 MD5: F9BB669A809694C1E085E963610A4866)

cleanup

Sigma Signatures

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc"", CommandLine: C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe", ParentImage: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe, ParentProcessId: 7048, ParentProcessName: Zscaler-windows-4.4.0.309-installer-x64.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc"", ProcessId: 6692, ProcessName: cmd.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7124, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Bitcoin Miner
• Compliance
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

Bitcoin Miner

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION ZSATray.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION ZSAMTAuthApp.exe
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION ZSATray.exe

Compliance

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup
Source: C:\Windows\System32\cmd.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\rollbackBackupDirectory
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATunnel
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAHelper
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\WebView2
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAUpdater
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATrayManager
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZEPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACli
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerAppSplash.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerApp.ico
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerApp.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerAppTop.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr-LICENSE
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss-COPYING
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\ZSAMTAuthApp.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\ZSATray.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSALogger.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACli\ZSACli.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat.new
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\tclEA5B.tmp
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\Zscaler-installLog.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup\Zscaler-windows-4.4.0.309-installer-x64.exe

Creates a software uninstall entry

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zscaler

Creates install or setup log file

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\installbuilder_installer.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAInstaller\Zscaler-installLog.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\installbuilder_installer_5612.log

Creates license or readme file

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt

PE / OLE file has a valid certificate

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

E-Banking Fraud

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.cat	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.cat	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.cat	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.cat	Jump to dropped file

System Summary

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File created: C:\Windows\System32\ZSACredentialProvider.dll

Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe

Process token adjusted: Load Driver

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: sus26.evad.winEXE@67/122@0/0

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File created: C:\Program Files\Zscaler

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe

File created: C:\Users\user\AppData\Local\Zscaler\ZSATray_2024-11-12-08-20-51.606816.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1904:120:WilError_03
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global itrockSingleInstanceCheck

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File created: C:\Users\user\AppData\Local\Temp\BRL00001b88

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process Where ParentProcessId = 3484

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File read: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Source: unknown	Process created: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe"
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe "C:\Program Files\Zscaler\ZSAService\ZSAService.exe" -pushCert
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setRecoveryMode
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATrayManager
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATunnel
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpdater
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpm
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATray
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAHelper
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAMTAuthApp
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZDPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSACli
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSFFutil
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --migrateConfigFiles
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --updatePrevInstallerHash
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe "C:\Program Files\Zscaler\ZSAService\ZSAService.exe"
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe stop ZSAUpm
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe "C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe"
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe "C:\Program Files\Zscaler\ZSAService\ZSAService.exe" -pushCert
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setRecoveryMode
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATrayManager
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATunnel
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpdater
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpm
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATray
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAHelper
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAMTAuthApp
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZDPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSACli
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSFFutil
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --migrateConfigFiles
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --updatePrevInstallerHash
Source: unknown	Process created: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe"
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process created: C:\Program Files\Zscaler\ZSATray\ZSATray.exe ZSATray.exe
Source: unknown	Process created: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe"
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\fsutil.exe C:\Windows\System32\fsutil.exe reparsepoint query C:\ProgramData\Zscaler
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --isInstallerPasswordConfigured 2 0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --installerDisableAntiTampering 2 0
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --markStop 2 0
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe stop ZSAUpm
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process created: C:\Program Files\Zscaler\ZSATray\ZSATray.exe ZSATray.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\fsutil.exe C:\Windows\System32\fsutil.exe reparsepoint query C:\ProgramData\Zscaler
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --isInstallerPasswordConfigured 2 0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --installerDisableAntiTampering 2 0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --markStop 2 0

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wpdshext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: userenv.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: version.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: wldp.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: profapi.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: winsta.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: cryptnet.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: netutils.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wevtapi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: userenv.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: version.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wininet.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: rasman.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: netutils.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: samcli.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wldp.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: profapi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: winsta.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: winbrand.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: amsi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: wkscli.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: cryptnet.dll
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: pdh.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Section loaded: textshaping.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: version.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wldp.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: profapi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: userenv.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: netutils.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: samcli.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: cryptnet.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: d3d9.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: amsi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: textshaping.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: winsta.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: d3d11.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dcomp.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dxgi.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: dxcore.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: propsys.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: msctfui.dll
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: userenv.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: version.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: wldp.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: profapi.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: userenv.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: version.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: wldp.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: profapi.dll
Source: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup
Source: C:\Windows\System32\cmd.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\rollbackBackupDirectory
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATunnel
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAHelper
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\WebView2
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAUpdater
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATrayManager
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZEPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACli
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerAppSplash.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerApp.ico
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerApp.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\resources\ZscalerAppTop.png
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr-LICENSE
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss-COPYING
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.cat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.inf
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\ZSAMTAuthApp.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATray\ZSATray.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSALogger.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSACli\ZSACli.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat.new
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\tclEA5B.tmp
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\ZSAInstaller\Zscaler-installLog.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Directory created: C:\Program Files\Zscaler\RevertZcc\Config\Backup\Zscaler-windows-4.4.0.309-installer-x64.exe

Creates a software uninstall entry

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zscaler

PE / OLE file has a valid certificate

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: certificate valid

PE file has a big code size

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static file information: File size 62101792 > 1048576

PE file has a big raw section

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f4200

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: 0xA4F8A4E0 [Sat Sep 15 05:49:20 2057 UTC]

Source: Zscaler-windows-4.4.0.309-installer-x64.exe

Static PE information: section name: .xdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR35615B2F934939A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\ZSAMTAuthApp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSACli\ZSACli.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR36228A1AD3752AD1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D69E23D81E01402.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2BF1381B13B7213D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2E61BD27E2AF2DF3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\Common\lib\ZSALogger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

File created: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000

Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\installbuilder_installer.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ZSAInstaller\Zscaler-installLog.log
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Users\user\AppData\Local\Temp\installbuilder_installer_5612.log

Creates license or readme file

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	File created: C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt

Boot Survival

Registers a service to start in safe boot mode

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ZSAService NULL

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZSAService

Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe stop ZSAUpm

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	System information queried: FirmwareTableInformation

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Memory allocated: 15269EB0000 memory reserve \| memory write watch
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Memory allocated: 1526BA70000 memory reserve \| memory write watch

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Window / User API: threadDelayed 3422
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Window / User API: threadDelayed 862

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR35615B2F934939A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATray\ZSAMTAuthApp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSACli\ZSACli.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D69E23D81E01402.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR36228A1AD3752AD1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2BF1381B13B7213D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATray\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2E61BD27E2AF2DF3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\Common\lib\ZSALogger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Dropped PE file which has not been started: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe	Jump to dropped file

Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe TID: 3636	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 4588	Thread sleep count: 3422 > 30
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 5144	Thread sleep count: 862 > 30
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 4124	Thread sleep count: 110 > 30
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 4572	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 3340	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe TID: 4840	Thread sleep count: 126 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAService\ZSAService.exe "C:\Program Files\Zscaler\ZSAService\ZSAService.exe" -pushCert
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setRecoveryMode
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATrayManager
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATunnel
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAService
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpdater
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAUpm
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSATray
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAHelper
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSAMTAuthApp
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZEPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZDPInstaller
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSACli
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --setPreferSystem32Mitigation ZSFFutil
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --migrateConfigFiles
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --updatePrevInstallerHash
Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe stop ZSAUpm
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\fsutil.exe C:\Windows\System32\fsutil.exe reparsepoint query C:\ProgramData\Zscaler
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --isInstallerPasswordConfigured 2 0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --installerDisableAntiTampering 2 0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /s /c " copy C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe "C:\Program Files\Zscaler\RevertZcc""
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Process created: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe "C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe" --markStop 2 0

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR36228A1AD3752AD1.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR36228A1AD3752AD1.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2BF1381B13B7213D.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2BF1381B13B7213D.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2E61BD27E2AF2DF3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2E61BD27E2AF2DF3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR35615B2F934939A3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR35615B2F934939A3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D69E23D81E01402.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D69E23D81E01402.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerAppSplash.png VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerAppSplash.png VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerApp.ico VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerApp.ico VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerApp.png VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerApp.png VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\resources\ZscalerAppTop.png VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr-LICENSE VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.inf VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.inf VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.cat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.inf VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAService\ZSAService.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACli\ZSACli.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACli\ZSACli.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACli\ZSACli.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData\Microsoft VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Windows VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Windows\System32 VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Windows\System32 VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Windows\System32 VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Windows\System32 VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\ZSATray.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zscaler\Zscaler.lnk VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zscaler\Uninstall Zscaler.lnk VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.dat.new VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000 VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\uninstall.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\ZSAInstaller\rollbackBackupDirectory VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\installbuilder_installer.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3D5D26A2F537918F.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3D5D26A2F537918F.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2581D71E82E62FE1.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2581D71E82E62FE1.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1C118539B1771501.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1C118539B1771501.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1BE1312BF36218F2.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1BE1312BF36218F2.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1512E01121629831.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1512E01121629831.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR4723D3BE92952072.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR4723D3BE92952072.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1B51A011F3665910.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1B51A011F3665910.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1932335C2A2266D3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1932335C2A2266D3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3B73E734724039B3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3B73E734724039B3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3CD9E232401952A3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR3CD9E232401952A3.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1CE3A726A2157234.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1CE3A726A2157234.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1D43911EB9F1D12B.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2C1A1118D63B024A.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2C1A1118D63B024A.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2A62C52E11E0260D.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR31B20E2F01943092.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR31B20E2F01943092.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR2A62C52E11E0260D.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BRL000015ec\BR1D43911EB9F1D12B.tmp VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup\Zscaler-windows-4.4.0.309-installer-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Config\Backup VolumeInformation
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Queries volume information: C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe.bak VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\ZSATray.exe VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Program Files\Zscaler\ZSATray\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userbrib.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userbriz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userST.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Program Files\Zscaler\ZSAService\ZSAService.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Program Files\Zscaler\ZSATray\ZSATray.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	22 Windows Service	22 Windows Service	23 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 Scripting	11 Process Injection	11 Modify Registry	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	111 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 LSASS Driver	1 LSASS Driver	151 Virtualization/Sandbox Evasion	NTDS	151 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
Zscaler-windows-4.4.0.309-installer-x64.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1310716922C20F10.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D69E23D81E01402.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR1D736031D18236EB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR21F29831012E61DD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2BF1381B13B7213D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2D2C719D21C20E27.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR2E61BD27E2AF2DF3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR33B1514629514031.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR34729C2D5264F725.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR35615B2F934939A3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR36228A1AD3752AD1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR3B5F830D2BB11E2B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BR622C137B951D933C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BRA018BDF1AB2F73A8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BRL00001b88\BRE029A274AC39924C.tmp	0%	ReversingLabs
C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll	0%	ReversingLabs
C:\Program Files\Zscaler\Common\lib\ZSALogger.dll	0%	ReversingLabs
C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZEPInstaller\ZEPInstaller.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSACli\ZSACli.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSACredentialProviders\ARM64\ZSACredentialProvider.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZSACredentialProviders\ZSACredentialProvider.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAFilterDriver\win10\amd64\zapprd.sys	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAFilterDriver\win10\arm64\zapprd.sys	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAFilterDriver\win10\i386\zapprd.sys	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAHelper\ZSAHelper.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAInstaller\uninstbr.000	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAService\ZSAService.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATrayManager\ZSATrayManager.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Core.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATray\Microsoft.Web.WebView2.Wpf.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATray\WebView2Loader.dll	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATray\ZSAMTAuthApp.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATray\ZSATray.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSATunnel\ZSATunnel.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAUpdater\ZSAUpdater.exe	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAWFPDriver\amd64\zsawdrv.sys	0%	ReversingLabs
C:\Program Files\Zscaler\ZSAWFPDriver\arm64\zsawdrv.sys	0%	ReversingLabs

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554237
Start date and time:	2024-11-12 09:19:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Sample name:	Zscaler-windows-4.4.0.309-installer-x64.exe
Detection:	SUS
Classification:	sus26.evad.winEXE@67/122@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: Zscaler-windows-4.4.0.309-installer-x64.exe

Process:	C:\Users\user\Desktop\Zscaler-windows-4.4.0.309-installer-x64.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8067976
Entropy (8bit):	6.484358089216621
Encrypted:	false
SSDEEP:
MD5:	24025FF3F98BF6E40FBE2B2AE8560487
SHA1:	72796EDF2A2B3618A50469E8DD6AD76EBECBFAF5
SHA-256:	0CACE7CC92FA6E84E6B0D09A49CE22CB4A2474EB3FFB6BFB43F397AF96CFF27F
SHA-512:	8FACB96B8862201D2D100949504E7BA0408B0E1790E6B1D56D12E947A6043CA784C5C049DEE3386027DA21490B228C0C08C8DD28C40F62D49CB60165428EE27E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......,...h...h...h......e............\|.l...:..a..........h...L.............w......O...:..L...:.......I......i......O...h..........Z......i.....D.i...h.,.i......i...Richh...........PE..d.....qf.........." .....,R..6).....`w?........@..............................{.......{...`A........................................0^n......fn.......{......@u.t]....z..%... {.\|... .b.T...................x.b.(....w_..............PR......Zn.@....................text....3Q......4Q................. ..`fipstx.......PQ......8Q............. ..`.rdata..BI...PR..J...0R.............@..@.data........n..(...zn.............@....pdata..t]...@u..^....t.............@..@.didat..H.....y.......y.............@...fipsro..0.....y.......y.............@..@fipsda...u...`z..v....y.............@...fipsrd..`+....z..,....z.............@..@.rsrc.........{......Fz.............@..@.reloc..\|.... {.

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62101792
Entropy (8bit):	7.979928611768417
Encrypted:	false
SSDEEP:
MD5:	37D6C75390D283F47665DB629EBAA626
SHA1:	7EAEBA97BBA91B0C1FCFDA9538CED8B813676514
SHA-256:	BB7F812A83FBBDE43FF81B0349DC59B06A226765333817C7157593494FA5E65C
SHA-512:	653C7FF79F977320F353ABD7B301D8059C18358DB6F2EE20DEBAB5FBB92C67AC05D693A5963A98079DCAF3FC2ECAF78D27F2888F13BDE40BA6F9BDB45E1C0ED5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.......................B...,-..@............@...............................-.....M\....@... ......................................@.n....P..O.....x.....'.8....s...%...p-. `.......................... ..(....................b..............................text....A.......B..................`.P`.data........`.......F..............@.p..rdata.......`"..0...@".............@.p@.pdata..8.....'......p'.............@.0@.xdata...Q....(..R...x(.............@.0@.bss.....?...........................p..edata..n....@.......).............@.0@.idata...O...P..P....).............@.0..CRT....h.........................@.@..tls....h.........................@.`..rsrc...x........... .............@.0..reloc.. `...p-..b....,.............@.0B................................................................................................................................

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2468645971038192
Encrypted:	false
SSDEEP:
MD5:	9BF983DACDEBC9BB173634F9D92F6A40
SHA1:	6E0AD885D86C6E93EE103B21FF408C43B8A95EA3
SHA-256:	72B5B17293787412D3C1854FCD39D0C148CA48302C040860DF05D52112DB9094
SHA-512:	E5B626E64D04E41D51DEE3806415D8FE24597DDE8E182EC19472DB557FCD15D20EE5AB1C1D36370C16BA92B82C9D7352646C1B56CE1E50472B1367E284142481
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Entrypoint:	0x4014d0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0xA4F8A4E0 [Sat Sep 15 05:49:20 2057 UTC]
TLS Callbacks:	0x5e7cc0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8c6e3a20ed69c3cf0fd555f92863226b

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/09/2023 20:00:00 14/07/2026 19:59:59
Subject Chain	CN="Zscaler, Inc.", O="Zscaler, Inc.", L=San Jose, S=California, C=US, SERIALNUMBER=4431830, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	343B234595B99143D2004F638ED19655
Thumbprint SHA-1:	E0D9E7B346F24BB06B8E37C8AA2BAA9A0FB16DB3
Thumbprint SHA-256:	A29E78E3E6B0525F29F4E521CA58AAAAA8988E90121CAF762638CDAC9B34F36A
Serial:	0E138B65C32AD225E42025C5DEB716BC

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2a4000	0x6e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a5000	0x4fa8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2ac000	0x2ad78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x279000	0x10638	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3b37398	0x2588
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d7000	0x6020	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2ab020	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a629c	0x1198	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f41b0	0x1f4200	24e911cd2d0d9f0eac7191a1fb21f508	False	0.5090397322544364	data	6.229728054867929	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1f6000	0x2f980	0x2fa00	fb52a6367249b9b92154ad60f58ca502	False	0.13543204560367453	dBase III DBT, version number 0, next free block index 10, 1st item "set ::tclKitMkCounter 0"	1.7694251031892874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x226000	0x52ea0	0x53000	0b7754b5ea5475777098cbdd6afb8578	False	0.33064288403614456	data	5.351728215353662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x279000	0x10638	0x10800	364490ce09c9dde46a825e8ac3d38889	False	0.5196792140151515	data	6.165787204861382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x28a000	0x151b4	0x15200	0b57031d6c802f58ce1f297c80b90acd	False	0.20305565828402367	data	4.889247057922903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x2a0000	0x3f00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2a4000	0x6e	0x200	765d4d21df1a3050120e3f894e1a03b0	False	0.19140625	data	1.3728070899138527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x2a5000	0x4fa8	0x5000	5e8b685053b954081aa3b939d4272081	False	0.280224609375	data	4.706020366802908	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2aa000	0x68	0x200	8a4f0845d0fd2bed5b84f8f582c9d9fb	False	0.07421875	data	0.2804011676589459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2ab000	0x68	0x200	91d4f699db3f59565e721047890d7f91	False	0.060546875	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2ac000	0x2ad78	0x2ae00	7aa7880eec20fa71d41869618406399e	False	0.06780133928571429	data	2.071592022842992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2d7000	0x6020	0x6200	f9a340b111cbe0c630bdaa38c543fcfb	False	0.2861926020408163	data	5.426028697049459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x2ae5e8	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x2ae71c	0x134	data	English	United States	0.3961038961038961
RT_CURSOR	0x2ae850	0x134	data	English	United States	0.2694805194805195
RT_CURSOR	0x2ae984	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.24675324675324675
RT_CURSOR	0x2aeab8	0x134	data	English	United States	0.25
RT_CURSOR	0x2aebec	0x134	data	English	United States	0.2694805194805195
RT_CURSOR	0x2aed20	0x134	data	English	United States	0.32142857142857145
RT_CURSOR	0x2aee54	0x134	data	English	United States	0.3246753246753247
RT_CURSOR	0x2aef88	0x134	data	English	United States	0.30844155844155846
RT_CURSOR	0x2af0bc	0x134	data	English	United States	0.19480519480519481
RT_CURSOR	0x2af1f0	0x134	data	English	United States	0.2694805194805195
RT_CURSOR	0x2af324	0x134	data	English	United States	0.2857142857142857
RT_CURSOR	0x2af458	0x134	data	English	United States	0.3344155844155844
RT_CURSOR	0x2af58c	0x134	data	English	United States	0.45454545454545453
RT_CURSOR	0x2af6c0	0x134	data	English	United States	0.3181818181818182
RT_CURSOR	0x2af7f4	0x134	data	English	United States	0.2077922077922078
RT_CURSOR	0x2af928	0x134	data	English	United States	0.39935064935064934
RT_CURSOR	0x2afa5c	0x134	data	English	United States	0.17857142857142858
RT_CURSOR	0x2afb90	0x134	data	English	United States	0.37012987012987014
RT_CURSOR	0x2afcc4	0x134	data	English	United States	0.22402597402597402
RT_CURSOR	0x2afdf8	0x134	data	English	United States	0.21428571428571427
RT_CURSOR	0x2aff2c	0x134	data	English	United States	0.33766233766233766
RT_CURSOR	0x2b0060	0x134	data	English	United States	0.37987012987012986
RT_CURSOR	0x2b0194	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x2b02c8	0x134	data	English	United States	0.3409090909090909
RT_CURSOR	0x2b03fc	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x2b0530	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x2b0664	0x134	data	English	United States	0.3181818181818182
RT_CURSOR	0x2b0798	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x2b08cc	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x2b0a00	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.44155844155844154
RT_CURSOR	0x2b0b34	0x134	data	English	United States	0.41233766233766234
RT_CURSOR	0x2b0c68	0x134	data	English	United States	0.21428571428571427
RT_CURSOR	0x2b0d9c	0x134	data	English	United States	0.3116883116883117
RT_CURSOR	0x2b0ed0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.33766233766233766
RT_CURSOR	0x2b1004	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.3051948051948052
RT_CURSOR	0x2b1138	0x134	data	English	United States	0.19480519480519481
RT_CURSOR	0x2b126c	0x134	data	English	United States	0.21428571428571427
RT_CURSOR	0x2b13a0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.19480519480519481
RT_CURSOR	0x2b14d4	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.19155844155844157
RT_CURSOR	0x2b1608	0x134	data	English	United States	0.4383116883116883
RT_CURSOR	0x2b173c	0x134	data	English	United States	0.21428571428571427
RT_CURSOR	0x2b1870	0x134	data	English	United States	0.33766233766233766
RT_CURSOR	0x2b19a4	0x134	data	English	United States	0.37987012987012986
RT_CURSOR	0x2b1ad8	0x134	data	English	United States	0.4318181818181818
RT_CURSOR	0x2b1c0c	0x134	data	English	United States	0.18506493506493507
RT_CURSOR	0x2b1d40	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x2b1e74	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.35064935064935066
RT_CURSOR	0x2b1fa8	0x134	data	English	United States	0.2922077922077922
RT_CURSOR	0x2b20dc	0x134	data	English	United States	0.19480519480519481
RT_CURSOR	0x2b2210	0x134	data	English	United States	0.19805194805194806
RT_CURSOR	0x2b2344	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x2b2478	0x134	data	English	United States	0.32142857142857145
RT_CURSOR	0x2b25ac	0x134	data	English	United States	0.262987012987013
RT_CURSOR	0x2b26e0	0x134	data	English	United States	0.288961038961039
RT_CURSOR	0x2b2814	0x134	data	English	United States	0.2435064935064935
RT_CURSOR	0x2b2948	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.2435064935064935
RT_CURSOR	0x2b2a7c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.24675324675324675
RT_CURSOR	0x2b2bb0	0x134	data	English	United States	0.3116883116883117
RT_CURSOR	0x2b2ce4	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x2b2e18	0x134	data	English	United States	0.32792207792207795
RT_CURSOR	0x2b2f4c	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x2b3080	0x134	data	English	United States	0.2597402597402597
RT_CURSOR	0x2b31b4	0x134	data	English	United States	0.4512987012987013
RT_CURSOR	0x2b32e8	0x134	data	English	United States	0.36688311688311687
RT_CURSOR	0x2b341c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.18831168831168832
RT_CURSOR	0x2b3550	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38311688311688313
RT_CURSOR	0x2b3684	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.3181818181818182
RT_CURSOR	0x2b37b8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.32142857142857145
RT_CURSOR	0x2b38ec	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.30194805194805197
RT_CURSOR	0x2b3a20	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.19480519480519481
RT_CURSOR	0x2b3b54	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.3409090909090909
RT_CURSOR	0x2b3c88	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.18831168831168832
RT_CURSOR	0x2b3dbc	0x134	data	English	United States	0.3246753246753247
RT_CURSOR	0x2b3ef0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.18831168831168832
RT_CURSOR	0x2b4024	0x134	data	English	United States	0.288961038961039
RT_CURSOR	0x2b4158	0x134	data	English	United States	0.24025974025974026
RT_CURSOR	0x2b428c	0x134	data	English	United States	0.12012987012987013
RT_BITMAP	0x2b43c0	0x340	Device independent bitmap graphic, 52 x 26 x 4, image size 728	English	United States	0.40625
RT_ICON	0x2b4700	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.062529522909778
RT_ICON	0x2b8928	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.13215767634854772
RT_ICON	0x2baed0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.12148217636022514
RT_ICON	0x2bbf78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.22074468085106383
RT_DIALOG	0x2bc3e0	0x23a	data	English	United States	0.5421052631578948
RT_GROUP_CURSOR	0x2bc61a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2bc62e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc642	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc656	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc66a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc67e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc692	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc6a6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc6ba	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc6ce	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc6e2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc6f6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc70a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc71e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc732	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc746	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc75a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc76e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc782	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc796	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc7aa	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc7be	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc7d2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc7e6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc7fa	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc80e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc822	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc836	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc84a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc85e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc872	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2bc886	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc89a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc8ae	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc8c2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc8d6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc8ea	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc8fe	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc912	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc926	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc93a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc94e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc962	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc976	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc98a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc99e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc9b2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc9c6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc9da	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bc9ee	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca02	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca16	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca2a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca3e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca52	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca66	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca7a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bca8e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcaa2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcab6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcaca	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcade	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcaf2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb06	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2bcb1a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb2e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb42	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb56	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb6a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb7e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcb92	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcba6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcbba	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcbce	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcbe2	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcbf6	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x2bcc0a	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x2bcc1e	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x2bcc32	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x2bcc70	0x310	data	English	United States	0.45535714285714285
RT_MANIFEST	0x2bcf80	0x79f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.38185545873910814
RT_MANIFEST	0x2bd71f	0x79f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.38185545873910814

DLL	Import
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA, GetSecurityDescriptorOwner, GetSidIdentifierAuthority, GetUserNameA, GetUserNameW, InitializeSecurityDescriptor, RegCloseKey, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA
COMCTL32.dll	InitCommonControlsEx
comdlg32.dll	ChooseColorA, CommDlgExtendedError, GetOpenFileNameA, GetOpenFileNameW, GetSaveFileNameA, GetSaveFileNameW
GDI32.dll	Arc, BitBlt, Chord, CombineRgn, CreateBitmap, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCA, CreateDIBSection, CreateDIBitmap, CreateFontIndirectA, CreateFontIndirectW, CreatePalette, CreatePatternBrush, CreatePen, CreateRectRgn, CreateRectRgnIndirect, CreateSolidBrush, DPtoLP, DeleteDC, DeleteObject, EnumFontFamiliesA, EnumFontFamiliesW, ExtCreatePen, ExtTextOutA, GetBkMode, GetCharWidthA, GetCharWidthW, GetDIBits, GetDeviceCaps, GetFontData, GetMapMode, GetNearestColor, GetNearestPaletteIndex, GetObjectA, GetPaletteEntries, GetPixel, GetRgnBox, GetStockObject, GetTextCharset, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextExtentPointA, GetTextFaceA, GetTextFaceW, GetTextMetricsA, OffsetClipRgn, PatBlt, Pie, Polygon, Polyline, RealizePalette, RectInRegion, Rectangle, ResizePalette, SelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetBrushOrgEx, SetMapMode, SetPaletteEntries, SetPolyFillMode, SetROP2, SetRectRgn, SetTextAlign, SetTextColor, StretchDIBits, TextOutA, TextOutW, TranslateCharsetInfo, UpdateColors
IMM32.dll	ImmGetCompositionStringA, ImmGetCompositionStringW, ImmGetContext, ImmReleaseContext, ImmSetCompositionWindow
KERNEL32.dll	BuildCommDCBA, BuildCommDCBW, ClearCommError, CloseHandle, CopyFileA, CopyFileW, CreateDirectoryA, CreateDirectoryW, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileW, CreatePipe, CreateProcessA, CreateProcessW, CreateSemaphoreW, CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EscapeCommFunction, ExitProcess, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, FindResourceA, FlushFileBuffers, FormatMessageA, FreeLibrary, GetACP, GetCommModemStatus, GetCommState, GetComputerNameA, GetComputerNameW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryA, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetExitCodeThread, GetFileAttributesA, GetFileAttributesW, GetFileInformationByHandle, GetFileType, GetFullPathNameA, GetFullPathNameW, GetLastError, GetLocaleInfoA, GetLogicalDriveStringsA, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOverlappedResult, GetPrivateProfileStringA, GetProcAddress, GetProcessHeap, GetShortPathNameA, GetShortPathNameW, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempFileNameA, GetTempFileNameW, GetTempPathA, GetTempPathW, GetTickCount, GetTimeZoneInformation, GetVersion, GetVersionExA, GetVolumeInformationA, GetVolumeInformationW, GetWindowsDirectoryA, GetWindowsDirectoryW, GlobalAlloc, GlobalLock, GlobalUnlock, HeapAlloc, HeapFree, InitializeCriticalSection, IsDBCSLeadByte, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LoadLibraryExW, LoadResource, LocalFree, LockResource, MapViewOfFile, MoveFileA, MoveFileW, MulDiv, MultiByteToWideChar, OutputDebugStringA, PeekConsoleInputA, PeekNamedPipe, PurgeComm, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadConsoleA, ReadConsoleW, ReadFile, ReleaseSemaphore, RemoveDirectoryA, RemoveDirectoryW, ResetEvent, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SearchPathA, SearchPathW, SetCommState, SetCommTimeouts, SetConsoleMode, SetCurrentDirectoryA, SetCurrentDirectoryW, SetEndOfFile, SetEnvironmentVariableW, SetErrorMode, SetEvent, SetFileAttributesA, SetFileAttributesW, SetFilePointer, SetFileTime, SetHandleInformation, SetLastError, SetThreadPriority, SetUnhandledExceptionFilter, SetupComm, Sleep, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleA, WriteConsoleW, WriteFile, lstrcpyA, lstrcpyW, lstrcpynA, lstrlenA, lstrlenW
msvcrt.dll	__C_specific_handler, __argc, __argv, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthreadex, _cexit, _ctime64, _endthreadex, _environ, _errno, _fdopen, _fileno, _fmode, _ftime64, _get_osfhandle, _gmtime64, _initterm, _localtime64, _lock, _mktime64, _onexit, _open, _stricmp, _strnicmp, _strtoi64, _time64, _unlock, _vsnwprintf, _wcsicmp, _wopen, abort, acos, asin, atan, atan2, atoi, calloc, cosh, exit, fclose, ferror, fflush, fprintf, fputc, fputs, fread, free, frexp, fseek, ftell, fwrite, getenv, isalnum, isalpha, islower, isprint, isspace, isupper, isxdigit, localeconv, log10, malloc, memcmp, memcpy, memmove, memset, printf, puts, qsort, rand_s, realloc, setlocale, signal, sinh, sprintf, sscanf, strcat, strchr, strcmp, strcpy, strcspn, strerror, strlen, strncmp, strncpy, strpbrk, strrchr, strspn, strstr, strtol, strtoul, tan, tanh, tolower, toupper, vfprintf, vsprintf, wcschr, wcscmp, wcscpy, wcslen, wcsncmp, wcsncpy, _timezone, _hypot, _write, _tzset, _strnicmp, _stricmp, _strdup, _putenv, _isatty, _getpid
ole32.dll	CreateBindCtx, CreateErrorInfo, CreateFileMoniker, GetRunningObjectTable, SetErrorInfo
OLEAUT32.dll	SysAllocString, SysFreeString, VariantChangeType, VariantClear, VariantInit
SHELL32.dll	SHBrowseForFolderA, SHBrowseForFolderW, SHGetDesktopFolder, SHGetMalloc, SHGetPathFromIDListA, SHGetPathFromIDListW
USER32.dll	AdjustWindowRectEx, BeginPaint, CallNextHookEx, CallWindowProcA, CallWindowProcW, CharLowerA, CharLowerW, ClientToScreen, CloseClipboard, CreateCaret, CreateIconFromResource, CreateIconIndirect, CreateMenu, CreatePopupMenu, CreateWindowExA, CreateWindowExW, DefWindowProcA, DefWindowProcW, DestroyCaret, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageA, DrawEdge, DrawFocusRect, DrawFrameControl, DrawMenuBar, EmptyClipboard, EnableWindow, EndPaint, EnumWindows, FillRect, GetAsyncKeyState, GetCapture, GetClassLongPtrA, GetClientRect, GetClipboardData, GetClipboardOwner, GetCursorPos, GetDC, GetDesktopWindow, GetFocus, GetForegroundWindow, GetKeyState, GetKeyboardLayout, GetMenuCheckMarkDimensions, GetMenuItemCount, GetMessageA, GetMessagePos, GetParent, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetWindow, GetWindowLongPtrA, GetWindowPlacement, GetWindowRect, GetWindowTextA, GetWindowTextW, InsertMenuA, InsertMenuW, InvalidateRect, IsClipboardFormatAvailable, IsIconic, IsWindow, IsWindowVisible, IsZoomed, KillTimer, LoadBitmapA, LoadCursorA, LoadCursorFromFileA, LoadIconA, MapVirtualKeyA, MessageBeep, MessageBoxA, MessageBoxW, MoveWindow, MsgWaitForMultipleObjectsEx, OpenClipboard, PeekMessageA, PostMessageA, PostQuitMessage, RegisterClassA, RegisterClassExA, RegisterClassW, ReleaseCapture, ReleaseDC, RemoveMenu, ScreenToClient, ScrollWindowEx, SendInput, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetCaretPos, SetClassLongPtrA, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetMenu, SetParent, SetScrollInfo, SetTimer, SetWindowLongPtrA, SetWindowLongPtrW, SetWindowPos, SetWindowTextA, SetWindowTextW, SetWindowsHookExA, ShowWindow, SystemParametersInfoA, ToAscii, TrackPopupMenu, TranslateMessage, UnhookWindowsHookEx, UnregisterClassA, UpdateWindow, VkKeyScanA, WaitForInputIdle, WindowFromPoint, wsprintfA, wsprintfW
WS2_32.dll	WSAAsyncSelect, WSACleanup, WSAGetLastError, WSAStartup, accept, bind, closesocket, connect, gethostbyaddr, gethostbyname, gethostname, getpeername, getservbyname, getsockname, getsockopt, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohs, recv, select, send, setsockopt, socket

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Zscaler-windows-4.4.0.309-installer-x64.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Program Files\Zscaler\Common\lib\ZSAAuth.dll

C:\Program Files\Zscaler\Common\lib\ZSALogger.dll

C:\Program Files\Zscaler\Common\lib\ZSATrayHelper.dll

C:\Program Files\Zscaler\Common\resources\ZscalerApp.ico

C:\Program Files\Zscaler\Common\resources\ZscalerApp.png

C:\Program Files\Zscaler\Common\resources\ZscalerAppSplash.png

C:\Program Files\Zscaler\Common\resources\ZscalerAppTop.png

C:\Program Files\Zscaler\RevertZcc\Config\Backup\Zscaler-windows-4.4.0.309-installer-x64.exe:Zone.Identifier (copy)

C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe

C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe.bak (copy)

C:\Program Files\Zscaler\RevertZcc\Zscaler-windows-4.4.0.309-installer-x64.exe:Zone.Identifier

C:\Program Files\Zscaler\ThirdParty\Npcap\Libpcap-License.txt

C:\Program Files\Zscaler\ThirdParty\Npcap\WinPcap-License-And-Acknowledgements.txt

C:\Program Files\Zscaler\ThirdParty\Npcap\npcap-1.78-oem.exe

C:\Program Files\Zscaler\ThirdParty\PacParser\x64\PacparserV8.dll

C:\Program Files\Zscaler\ThirdParty\PacParser\x64\pacparser.dll

C:\Program Files\Zscaler\ThirdParty\TAPDriver\x64\Zscaler-Network-Adapter-Win10-1.0.2.0.exe

C:\Program Files\Zscaler\ThirdParty\WebView2\MicrosoftEdgeWebview2Setup.exe

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ZSFFutil.exe

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\freebl3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr-LICENSE

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nspr4.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss-COPYING

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nss3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssckbi.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\nssutil3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plc4.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\plds4.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\smime3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\softokn3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\sqlite3.dll

C:\Program Files\Zscaler\ThirdParty\ZSFFUtil\x64\ssl3.dll

Windows Analysis Report
Zscaler-windows-4.4.0.309-installer-x64.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre