Malware Analysis Report

2025-03-15 05:41

Sample ID 240510-kqqx3sdd9w
Target ZKAccess35.zip
SHA256 6550d561ccdfa0ad2e470d02a4c966121690238334cd96a0e55e32a6d26c1965
Tags
aspackv2 discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6550d561ccdfa0ad2e470d02a4c966121690238334cd96a0e55e32a6d26c1965

Threat Level: Shows suspicious behavior

The file ZKAccess35.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 discovery persistence upx

UPX packed file

Loads dropped DLL

Registers COM server for autorun

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

Executes dropped EXE

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs net.exe

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 08:50

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 08:48

Reported

2024-05-10 08:54

Platform

win10v2004-20240426-en

Max time kernel

157s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\system32\\DpClback.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DPCms.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32 C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\is-LHDST.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E49.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-5F2M2.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\syswow64\is-SK4VT.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-BID1Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevdat.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-U90BR.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-VMVQS.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-1A7V4.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082}\ZKFP.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpD00701x64.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\syswow64\is-7MU7P.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\syswow64\is-F2IHN.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-B7UHO.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-5J35S.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-207K3.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-QIV5T.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevctl.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\plcommpro.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-2LM7F.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\syswow64\is-BN47I.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\usbdpfp.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\pltcpcomm.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-TDIR2.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-NPMD0.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2DF1.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E03.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-8GQI3.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-52P43.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-4GI7N.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-QOLV1.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-FI9BB.tmp C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-M9342.tmp C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
File created C:\Windows\syswow64\is-S3JSR.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpdevctl.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpD00701.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\appsyn.cch C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
File created C:\Windows\SysWOW64\tcpcomm.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-51BAA.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-27GVV.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-50S5Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpersona_x64.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E49.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-4EP8D.tmp C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-H1L2L.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-EEKCI.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E59.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevdatx64.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpersona_x64.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-UUV7O.tmp C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082}\zkfp.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E08.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\zkfp.inf_amd64_ab1035548178aff8\libusb0_x64.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E48.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-2SHD9.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E59.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\usbdpfp.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-JLSVL.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FPSensor\Biokey\is-4QE35.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-CQJSU.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-4EHEE.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-A5HI5.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Program Files (x86)\FPSensor\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\bin\is-8V5FH.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-OEA8I.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-4RLR9.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-R5BQ2.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\it\is-Q3QRH.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-M59HJ.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-D24IB.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-MIO5O.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-MCP35.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\es\is-H2J14.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-LUGJG.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-A7R7J.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-SFA97.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-3I2IU.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-CC0Q7.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\is-L7BP1.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-727IM.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-N0A6G.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-JU9M3.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\de\is-VQLPF.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-TCD3K.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-CPH1N.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\en-US\is-AM0OH.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\is-20ULP.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ko\is-GTVIC.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\pt-BR\is-R9GVH.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\is-TDGOL.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-IVO52.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-6SN2E.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-3I6RJ.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\PROGRA~1\DIFX\0169CE3A95F06636\DPInst64.exe C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-EIKQ9.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-RIKC3.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\fr\is-U9VEA.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hant\is-3K3AE.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-GT7PH.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-9U5MF.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-4CGPT.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-6FHD2.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-NQ82F.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\is-L987D.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\DPDrv\is-RPICS.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-CTOMU.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-AP6LT.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\zkdrv\is-AJKRI.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Windows\Installer\SourceHash{91EFBF0A-594C-5C14-AEC0-96516B69ABDE} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\zkdrv\is-0BQI9.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5157.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-82QU0.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-23QE6.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-CDVPJ.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-J7GCL.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\Installer\e58507c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-RHC85.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\Installer\e58507c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-V2T2Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-U3KE5.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\DPINST.LOG C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\zkdrv\is-0M95H.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-8HE34.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-S4OQ1.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-3V5R4.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-21I2Q.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-RVJ8C.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-C30DT.tmp C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\Installer\MSI5177.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\dpdrv\DPInst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\dpdrv\DPInst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\dpdrv\DPInst64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\dpdrv\DPInst64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\dpdrv\DPInst64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\ = "AFXOnlineMain Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\ = "ZKEMKeeper 6.0 Control" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\ = "DPCms.Client" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\InprocServer32\ = "C:\\Windows\\SysWow64\\ZKOnline.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zkonline.AFXOnlineMain C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0 C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ = "IFPProcess" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ZKOnline.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32 C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ = "IZKFPEngX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Verb\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FE9DED34-E159-408E-8490-B720A5E632C7}\ = "zkemkeeper" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\ = "CZKEM Object" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\ProgID\ = "ZKFPEngXControl.ZKFPEngX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\ProgID\ = "zkonline.AFXOnlineMain" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\Clsid\ = "{253AF648-E194-49D0-95CD-E5071519517E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ = "IZKFPEngXEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\ = "FPProcess Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\1 C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Control C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\ = "FPProcess Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Version C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\zkemkeeper.dll" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\HELPDIR\ = "C:\\Windows\\SYSTEM32" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\SysWow64\\DpClback.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib\ = "{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeShutdownPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ZKTeco\ZKAccess3.5\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Access.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Att.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Att.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\ZKTeco\ZKAccess3.5\Att.exe N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\Att.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp
PID 4584 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp
PID 4584 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp
PID 4548 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 4504 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 4548 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 4548 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 4548 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 4072 wrote to memory of 3740 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp
PID 4072 wrote to memory of 3740 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp
PID 4072 wrote to memory of 3740 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp
PID 3740 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 3740 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 3716 wrote to memory of 2676 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3716 wrote to memory of 2676 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3740 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 3740 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 3716 wrote to memory of 2296 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3716 wrote to memory of 2296 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 3740 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 624 wrote to memory of 5088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 624 wrote to memory of 5088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 624 wrote to memory of 5088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3740 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe
PID 3740 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp C:\Windows\system32\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp" /SL5="$7011A,380507,58368,C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\ZKTeco\ZKAccess3.5\InitDatabase.bat""

C:\ZKTeco\ZKAccess3.5\DataBase.exe

DataBase.exe

C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe

"C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp" /SL5="$50208,17664398,56832,C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3ac252a2-4e4a-2f49-ba9c-9281f25500bb}\ZKFP.inf" "9" "429e2a833" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Windows\zkdrv"

C:\Windows\dpdrv\DPInst64.exe

"C:\Windows\dpdrv\DPInst64.exe" /s

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpersona_x64.inf" "9" "47ae312af" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "c:\windows\dpdrv"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DpClback.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Syswow64\DpClback.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\Syswow64\DpClback.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPAppSyn.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCms.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCOper2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice5.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevTS.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpFnd2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPFstCon.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPJasPer.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPMux.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPPTUtils.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpSvInfo2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPTSClnt.dll"

C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe

"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe" /RegServer

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" start "DPHost"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "DPHost"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "zkonline.ocx"

C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe

"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\zkonline.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "FPCom.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FPCom.dll"

C:\ZKTeco\ZKAccess3.5\msiexec.exe

"C:\ZKTeco\ZKAccess3.5\msiexec.exe" /i"C:\ZKTeco\ZKAccess3.5\USBDrv3.0_x86.msi"/qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 366EB9D9627B61A74D3CA34CC42A37AD

C:\ZKTeco\ZKAccess3.5\Access.exe

"C:\ZKTeco\ZKAccess3.5\Access.exe"

C:\ZKTeco\ZKAccess3.5\Att.exe

"C:\ZKTeco\ZKAccess3.5\Att.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
N/A 10.127.0.70:1433 tcp
N/A 10.127.0.70:1433 tcp
N/A 10.127.0.70:1433 tcp
N/A 10.127.0.70:1433 tcp
N/A 10.127.0.70:1433 tcp
N/A 10.127.0.70:1433 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4584-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4584-3-0x0000000000401000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp

MD5 a305877eabf2c8d30cd5df98345952ae
SHA1 c0518290145415e66f9f1b9a9c3c1b3e346a10fa
SHA256 8558efadf63fb12cf3ddacccfe07d397f2f902efadc4adf679a7e5c27cd49d76
SHA512 6f22868d451f3f07fdaa096b303a480fb9f5f9bd4675046bba79b9c15435892ea07b3ef5f3a3788144af696a675c2d4639ab4396e22761923c955747463b9fad

memory/4548-7-0x0000000000400000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PDN4C.tmp\isskin.dll

MD5 a5f48d365d7527289e9a599519bfe590
SHA1 166589cf8ac1d9989eda0da0e9488104a079bc69
SHA256 66edea4626b79d2b86eb8bbcb1f6b10a2f4631c04f023eb75b37f9ff3fcb42ba
SHA512 3c946e947cdfa8c2780b8bcc0abcb9117cb2397fae8470ee2fdcf3f6069539c179aa5771cef8ff36bbc591854949bcb808979ca02b1fbc26e374c7c9c1d28a59

memory/4584-13-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4548-14-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/4548-17-0x00000000065A0000-0x00000000066B6000-memory.dmp

memory/4548-18-0x0000000003460000-0x000000000346D000-memory.dmp

memory/4548-20-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/4548-21-0x00000000065A0000-0x00000000066B6000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Languages\is-8KSB3.tmp

MD5 1e7990d499a59ddc7d2af6ebdf1ca807
SHA1 7b481967772fd2dea77d8aca14d1bbca7847896f
SHA256 bf931b0e31daa2453f60921bb64d5e1a2d6de8873e71175d36c91b6a79acaa4d
SHA512 3dd2c713f8b9c2dc6498fe1380a4d7cf8fa4f617c2d40972902a551c4b58f600fc694927badc3a73d6b984c7d5bfe3495a36fbce45cfde2ae81ecc350b61ea7e

C:\ZKTeco\ZKAccess3.5\Languages\is-ADHQF.tmp

MD5 bb825332da2a1b633707043cfe88620c
SHA1 508a85a26841ba0c11226fca5aafff7e806fdcd7
SHA256 67ea801a80303d5167dcd78a84c91720b143d6c88510f24e0f9d3bda61507111
SHA512 ac090df745896efca4bb7789a9a19d00eab90d1fdcb14f4a1f642e7f8a0b444deef2c253512605c7326724ca1122826acc0d1eb2e9a071a747c3f2e71ba96714

C:\ZKTeco\ZKAccess3.5\Languages\is-JDQ77.tmp

MD5 f0b1655115326129d826c2313993919f
SHA1 d9181bb44755a187918d68e64c0e8ce53e17c460
SHA256 091a8ecf79ba9117df3a80e22974d5a77ba98d49a30c4c4391f343bb27e0b611
SHA512 ea1013de191e6d9413a44f563b826eb033827358676f809c0331e62119bea24853bd97d7e8981c5c636caf70db9b2233f25ea383035637df2bf8646ceed1984a

C:\ZKTeco\ZKAccess3.5\Languages\is-VERUE.tmp

MD5 fc734af8b0b62e8dc4fee6fb2e55376b
SHA1 38b13f68c8e95df11786adac26c00900dfaeb8f4
SHA256 100fbe9fe7585bdbbcd1d5d190f59740813359f4ec3fb66f0a91451d833a5205
SHA512 0cb99cd33d179d3de1de97c0bb57684fd047a7b19a517a9fe731dd0579aa2017e4a608e8d27b087a8697e56cbe2b27b2dbd2c74bd99314b44e178e2fa66d8307

C:\ZKTeco\ZKAccess3.5\Languages\is-IJT3F.tmp

MD5 5f43b5ae4df98b599e11c243b8cee7a6
SHA1 6b3a9b0ad80a9626e370961ffd84f216afc489d3
SHA256 1898e9139177efe7b9645c407f95998d1e60849b5ce63ba9b0884d548372ff6b
SHA512 f246fd5a4fa73c07b88dd9682578d135b177573f98b9fbebc10d443359790f40d3bdfe3c45d41218b4bef21a12ed962b943c32df90a1dc3f86d3fd174537c0b1

C:\ZKTeco\ZKAccess3.5\Languages\is-9NOUF.tmp

MD5 c952ee337c813afa949539f44ac0534c
SHA1 6a715ecbfb22d5d36a5afffc15cf29cdecce8033
SHA256 d01fc70299a04aa4bcc6df88ca47b88d2844322e9ff77ceec78a605a1d12c245
SHA512 b206c171e5c8e4a6d1f2001bcb055b56d5b78d683b1c59e9743409abf0ba685c459b9f249ba5147db0344a536dc35ca298d317e031059305e7b07e7e40b8f5b9

C:\ZKTeco\ZKAccess3.5\is-G4L6R.tmp

MD5 25b7bbc9aecdeac55913bac5b135c61a
SHA1 3a7583e7fd78c15e2f40cfe9a2c28ec5452ecd37
SHA256 b9ca6595d63e0c3738eb6ce2cfcecc3966e8c4546a884d9e3e084918b813b7d6
SHA512 6849bea5d054972422c8d2d6a58b4dfdfd58fc194aa2573e6b908a16e04bff192c38ade84105d023b1ff25f752d84a1d620b8f89c5135208c43e914c903826c0

C:\ZKTeco\ZKAccess3.5\is-KAOB1.tmp

MD5 3bd3261a51269c8c40b2f33e498b5d17
SHA1 5a8fc34d5135e0ba9c5c214ca8ecc778379d6729
SHA256 dd68117306b0192d2e571f9edf7fac94ec1de0154a3724d99df3055b42650e3a
SHA512 f02d4d9eaf31dd3246847466a7602f0cc064e62f0ff33a62953310fbb5ac08ea517089be1275ecd5b35b14f935f01b6d3ade28950c6845ff1f8d65d3d9688afd

C:\Windows\SysWOW64\is-PTM77.tmp

MD5 afab8e482be11151fb0e03ce4ff8d837
SHA1 dd1600e727b17eb9a88ee46c51b0e2b1fc06949c
SHA256 67cd76a3353cab3e4f08577ba81459820da5f9ada4aef7f5787fe3b6a6518e2c
SHA512 bf96495f896cc02112d540ff010fb6a75caf0a921e8a371547ed8e339bfaa100f66acd66208852e6ff31f397d56a6ff132350c2001c64150957e6ddcf3da0fdd

C:\Windows\SysWOW64\is-FI9BB.tmp

MD5 f831a4f936619a827ad095de00c5e95b
SHA1 7973b831f0eab3c2ce31a74381d066c7d91eb497
SHA256 e288a2568bc023c00d8e4acaf93066a63208c10cc642bba98aaf827cce6a141c
SHA512 c1da2fd769945be554350dd81c854c5399c681cfba5cc055a248c68a6bf32ddd510d246065b305e54aaa40f16c5184951aa6c92e8d4dbd22f2026207adfced9a

C:\Windows\SysWOW64\is-8BJV8.tmp

MD5 e797beed9fe37ae67081d86f18654313
SHA1 664d34c634270e1c8bd05f3069779217b1d5575e
SHA256 45bebe981ca5ca851d3bf746a7368d9982495dad5da4c1d54b759eba8fe74d4d
SHA512 e3689ae65e7ff32645d523b96733abc0f8d1d6feba6528dd1645f0de91954655cac24bb484a4b27f7ee4a4c8a5b5c3c48b12c44237196a41a027fda0d669a5bc

C:\Windows\SysWOW64\is-4EP8D.tmp

MD5 94e2f7110a27babfda5e7a90699ba9e2
SHA1 d32c27e74af8b60919476badab4f2aef0f721b71
SHA256 f805f387e3a6e73a1d2cf61c99744b3ca72fec8a8f34c02071780e0486934e1a
SHA512 ac6e8724436a65bfa40e8174351826c55cdca902cb457e6091967b55f1a66d1fae16101130e6d4657ea7724f327c2f57d33465e7425b68a421811cb9a698e638

C:\Windows\SysWOW64\is-M9342.tmp

MD5 1c8449dcccbfb5470e06c33a47fbf937
SHA1 b246a9a0888637f121bd06479ee498174f7e2cd2
SHA256 ad652892e07af6ffc992b3a6470aeaa1249827b36df6840fd9a6bb43c47f297b
SHA512 7c4ca4afbe2c2e817e8024e5c577fb3695a3af334aade629674078ed63be99d6adc44fe0ee4f9fda12785ad9fa213eb9f3a1b2a2132ce248d6280f2eca3f6839

C:\ZKTeco\ZKAccess3.5\appconfig.ini

MD5 bb3cffcd46e616d2ed77aa7a65609313
SHA1 9800cb6700dc18a930065340b1f37f520a157f20
SHA256 e2da0e56e1139c7d88245e038247f3200630c2ed4f1f9ceb1e130e8be0d8e814
SHA512 2abfe6813909a9ff9adb836e538e612ef4ae60a9c32f86b89835ca7cdf0ee347e91a2888d2ef63693e6150bebbd59b3e1878bad73833104fa46bd1207f67e7f2

C:\ZKTeco\ZKAccess3.5\Access.exe

MD5 f40f43edcc46eec1c64e1e794b0539d1
SHA1 fb431ced00d12f863eab9fef9dfe490f5b9681dd
SHA256 be9b424b2058b6cc10c697a7fff96c1af62949cfb34ca43af7cc82b4e4ab2fab
SHA512 e12f510fbed3ba7ebcf5c1d30eac464e36c4a33073b34f1a29e11306e5760b44924f11eca338f00c398f5c26a53fa55406b8dd513ff02d1d9292cbf89cc1766b

C:\ZKTeco\ZKAccess3.5\unins000.exe

MD5 3f779b952459be9d3788bb1ba018ad35
SHA1 9fb6663660c89f66bb1c140d80ec98b20d16c7d1
SHA256 d75777bab8e467ac205c37ad69c84e3e427f767666d2300839b21ffe8ed05da7
SHA512 58963b3379ae50bd8f23d195fcdaaf5e2de09813a04084015a2e72a6d40e7f199fcf29593d27629a43c397545bcffdb4571dabb77159611854abd09ff54db014

C:\ZKTeco\ZKAccess3.5\Att.exe

MD5 d7de1f512e31da1cb7f3fa98ab1f73bf
SHA1 afe00331afaeb8b5f4c8763c39800ead783e4120
SHA256 4e77e7298c2519f2008c2eda5c656f75d1802439beebc5f23b7503e888800cf6
SHA512 e31b92909f5fe26c0353ab54d051762d278c834b8c86cceb320ecc9c388b48c8a0fe044aaccb44df6a4be000ec0a0e7e63184508bde0c3e409eb1834b380eebb

C:\ZKTeco\ZKAccess3.5\DataBase.exe

MD5 ded18ca95cbcca1703e2e42ee9c3f1b9
SHA1 02581f99307d217623b2a629e38ca54cc2182b30
SHA256 1163b0d67c17d4fbdb64cf480b1f99ee5b3ee5f7c099e65c859921b6b3e906e9
SHA512 fe853dcf17b1170711a37f1ddb435af7b64ba8dcc225439927e6bbb3cd0806736606e187e72b423c1121d876ebef8f36813715b20f9cad176f7f7e026dc7a4b7

C:\ZKTeco\ZKAccess3.5\InitDatabase.bat

MD5 8f6a918a8721f26331903efd3c91ae67
SHA1 cb25667f0a80548d66a4f4e1be0abef915609272
SHA256 acf3cb03a7eb5b4c0e2b0bf9af66cace4a7f7820a2aba9c1f0404f52f81b731f
SHA512 b343d3666e9e9cd0b7bf925fe2895cc3ea29728b68c1384edfd68b06b01447a6fb99c8fc7bda3aaf3e7ddb503ebe4b5d39382857b0d386596c8ba2b172aed82e

memory/4128-990-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

memory/4128-991-0x00007FFA0E663000-0x00007FFA0E665000-memory.dmp

memory/4128-993-0x0000000002C40000-0x0000000002C7A000-memory.dmp

memory/4128-994-0x0000000002BB0000-0x0000000002BD6000-memory.dmp

memory/4548-996-0x0000000000400000-0x00000000004C1000-memory.dmp

C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe

MD5 06062fed9ea10ed7bee8fa82e22a7ec7
SHA1 81ce48fb9853dde8104216cd84530013d5cf7fb2
SHA256 4be20a1b7ef1c2adeb573fbda23158e1b6508c943be76792dacc6ca77b93e8de
SHA512 a4da8fe4bb46fdb0c120798ed03031d0a828eef427dba44ab11759083764be7a533b5be7f607626a9631df89907323e8506d93738b86e8e3db54847ebda10c37

memory/4072-1004-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

C:\Windows\SysWOW64\is-2TUV5.tmp

MD5 2540916777e828c24e89a79329bf5598
SHA1 445219ff6601d8ac707d416655c744f4eea07e24
SHA256 7d4889f448087e23b4504a0bade1a765dc3826998042ecb82c744b2447964f5f
SHA512 0ceff0a7b333552a68aad951a2a14405a8d8c0baefcfcc5f6ecb8ad14f9b234874e36a2607d6ad7d95a33b2b47269872efe74642ea52f0f89a91ecbc94c1852c

C:\Windows\SysWOW64\fpslib.dll

MD5 4a8aa2cb879ddeae2d8e5bab5bf310b2
SHA1 ff956c8593f55cab33bc087b2f624b14b710e603
SHA256 6626b4ca32408bcdb4cfd5e3e84faf7d1c6c49c4674b9b319cf68286575f416d
SHA512 192bd3134910d92778d2dd9eaa4cb2d8a19140b00469b373626162148986ca91d4df36488a90e8064e2a7684b1261eb56420aeed4612ee9c56c59991e01c94f8

C:\Windows\SysWOW64\libusb0.dll

MD5 a0263041d4a4023a8e78f7f417404a42
SHA1 90a0f6dd891f2b166317bec604008d624009c678
SHA256 771743d4fd9b325fd8f583487b0001a4d36c0a5554feba59cdbaaa75c6fdb615
SHA512 0346fd5e328fcbf8e55f31d257b330fba494dae00a9cc57cddf5abbb9d4a7fe40806d71efebad0585c83632208d1f11b78c7385224bb653dbb8d59e2dc8b5c3d

C:\Windows\SysWOW64\libcorrect.dll

MD5 bb16a0e5d2d75c0751ea6835aa36d940
SHA1 278b6b054fe4fb88b0dee3cbd69e1735c3520c59
SHA256 24c7c677c50b2c54d0232ea447a241d0dd61eb70aeff871f8bb6c16c8d0dc196
SHA512 31d8429c373cda4eca5a8b60935b885b8816308125ec0228c6d0732fd981aa6e091bb54fe5e8afdc0348bd0f060a66d9be321ac9d18ee8c4d2a43822a0bdb12c

C:\Windows\SysWOW64\libsilkid.dll

MD5 4982430535a837b23913c50454dfc622
SHA1 50dfa02f92d63af78a80c3a731b60cd3f01f4ff2
SHA256 0feda63b2613feddf7ea6103d66b09c5d9f9852c43e3c2f452cf3233e617fb9c
SHA512 d246002aa68a0a1dd0c2fa9cf70232903417561cdad05694f669b285740fba987eae6371592d041b31ae4538beeb870953536545c4f5e6f53bd20ede945f9d8a

C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll

MD5 84bea5a6e9dd1681660af3f4b74b27ea
SHA1 f1a727271ed9142333586e1516a95229735fd7bb
SHA256 bcf2a2ad0def866739e911cad2b65f6829671d70a69b5bba45764751add16e28
SHA512 9684f0528f6b4db23f24ebe1f7f2bce92dddcee32587680499d6ee85b921fd3c8edd78e4fcb1481b63c12522043dff59421e16c1df3fde6fcfee3deb0324bf57

C:\Windows\SysWOW64\ZKFPSensors\libsilkidcap.dll

MD5 ef9cc5f8bcee7c4daf1a845dd60bcb73
SHA1 a75eb761c93c5826b36b835524fdbe8b9239fe4a
SHA256 f941c38f017150323d4a56712e1fe2250004c49f05c91a1c46de8cfdb2d1f576
SHA512 c4f5def779310bef75e57f59295f5dbc8bc868dfefc805ea301fbf91c0ba5e453cd10a314882bfa5053c42651ad8fdd9ae93e3c9ecf3a343b80e1f853ea82b4d

C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll

MD5 fc29d9d49dc13f5bf30035513f782ed1
SHA1 985dd539e9210829d60e11d1419a87883304e7bc
SHA256 93fcd70336d5e6a9293020b4d57ea66968e7387d860133d6c090b22a9611186d
SHA512 b71579ba071126b0d5683f32f71e891cf63e65c72c7dc8dc4b090f992c18efdfb014a68855628932b4247fa4ad95056f7e198c58edc8e582bcc60aa6304a729a

C:\Windows\system32\libusb0.dll

MD5 fe7548fc329229576d6e672f9ee08ce6
SHA1 8e5d4e944fc341ac787d236ea9b48c75637e0719
SHA256 d4c35e72e3dfa67f18576df927caf9fdbadf148231b98ac22bdc5bb11f6bd796
SHA512 4fcf3d0458d557bf33792ce11e09832300410c6df88b1ee12b07142eff867495aaa7cb3aa00cc6a6a9b19f01e447b25103ec0de75fddca306026ba1330dded2c

C:\Windows\zkdrv\ZKFP.inf

MD5 283c2123020a1d80e1dc50f97c8e902e
SHA1 6261f70e969a71e92cc2d841b4d9d2faafa4a34c
SHA256 0150dcccc9071053b20eda0416c478319177667c773ce4639b5e2745374a6a2f
SHA512 4360b26ad4d5c439d651b9c37315a46cc218cf1d71e19c6bb2472c6fcb9d215a885aca058966156ab696d327176ea98e06076acc7be672aa18133c9c5ddfae46

C:\Windows\zkdrv\zkfp.cat

MD5 d3f97b9069ca4eeed99f5474f8afead5
SHA1 b89020d02650517826a3f513210a40ed9b122073
SHA256 c4ac2e14d7c2afe8d62675afe5a41ee62811a4baf57e4c60b0816b849ba4c7ac
SHA512 6f1cfcb081cbb6fc28602afe48df7e9ff4c66b6388159af1a0374f054b436d5bf4f08e6557b1b24d993640215886d8550794c14b6a48d2f09b87a43e7c5fe91f

C:\Windows\zkdrv\libusb0_x64.sys

MD5 77afff0483d5f84e41717cc358528a5e
SHA1 37084cce0b4b63780c9cc465cd54446e680e2986
SHA256 ecc512ba6a0fb290eece70d82edf9fc0891d336b39e7ae37e0156544150785cd
SHA512 4e6bea9ef8dc1ca8ecbe05e96f18019c20c57108ec6adc45ee1d423c30b65b31f0c8170e25a86809e8e8cb08ac8f7f8526769db283ed5bc448c70486bc3d7ff2

C:\Windows\DPDrv\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

\??\c:\windows\dpdrv\dpersona_x64.inf

MD5 91967eb8b8468aadd50e2d880375d8d2
SHA1 e8fd6ef8cc869de121501fb543a7c0674d30756f
SHA256 d230952d38ecda93d971fe9798dca35d0e4c7a7c4b573d0af47a34b7928c8e92
SHA512 58c2f6885afdba94b63d2b1e42de41c561852870d0b6e45496fdee9fc7d1d1748eab6e71de7fdb59b4abb5aecbf7c81113fe7e975540c5d72886149f1cb4ba1a

\??\c:\windows\dpdrv\DPERSO~1.CAT

MD5 50f212c4f9b4a832a410d3e83f6317ea
SHA1 503bc574acaa4a79bea85304a5b7b3a0c85191ca
SHA256 29c2b3859fdd96d781e07f3ae778eabadbfa54cbcb437aa00e447978b18f7309
SHA512 0387139e4f49d236c09ee36d0bed34258e9518f90a4f486a43a06821a0889ecd6d3ec8341443f7b582d041e0f279cd81d2e072f52de44b1d0dbe217488ad6a97

\??\c:\windows\dpdrv\DPD007~1.DLL

MD5 39837e0c027fa2b35e4b406941dc01b3
SHA1 0e43708086396f5f21d4191fe115449e2e98ca32
SHA256 2728b5ed610ef55e89784fd5508b366d2bc7efdc5bf3e75d51f5dac82c4dc294
SHA512 b534508e0245f822698cb813da1d31bdd3d6d2bf60c005d510628adadc8b28ca608082f1c06bfb8a337e3e4a5eb5bf53196d0540c55335a7948ef75559bced47

\??\c:\windows\dpdrv\DPI007~1.DLL

MD5 ed673140ea6f2cd1b8fcafa041f02f2e
SHA1 d5ad7a43b53a965f4a1a9c76b1c609178993f27d
SHA256 107efb5853e1926be84164e7d21d5d56c7dcacd6b599838353ae95baa46ed059
SHA512 ed4d0ed91ac6eadd90acba5dc783f108469ebfc111ca2169dbce139d8dda6e822ea8e15b64509f436d950e159c12d95a08aa8ca685c242059ba92b392f43b123

\??\c:\windows\dpdrv\dpD00701.dll

MD5 e8bcf046f729253f2bb24ea0e8c047b9
SHA1 8104533c4bbb4265f71a87bb5d6966ea64974b66
SHA256 039966724018cf96157f1ee7f7cdf48f4f20a76192d920d55504ed1dcba7de7e
SHA512 df9fa6308c8b0b7128b78bf9bb3314c34f26fcf70799caae5f376fa418f99c5d2db439137718ad4f052d273719a95741d9a5d5bc2d17fc4ad1318281d20e2959

C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevctl.dll

MD5 7b3f4907bc409960c300ae50420c16a6
SHA1 ed97b09cb7853cd056e8d7d6318c0ead13b267a6
SHA256 09649414f843036df5c30846aed6059e0f43e973a729b07e8f690f4b668ddac7
SHA512 81eb78daf1849f3933b0622a6418ddf9d863a793e41b958e1641e5cd7d42928595df0ecdd35c5e30aa60117ae896fc0e6692e3f5461020b5bb547ad3fe6637fc

C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevdat.dll

MD5 2eccd46878dce0f84dadd29498bd900d
SHA1 d30ae67c9ca5dc53b8d1583bdae6c43dbaec3f37
SHA256 20b41562147e635d60e875cbef43f17d2373cb18fed9f8dfa97c2553b4f1e121
SHA512 b397366d11111dc613c7e4cde245d1a98864ba5b7c1a576c0d3ec7e8228bffcae2340ba375978d401b886e765785b207c2d652180d7c6f388130adf9b5ac93ac

C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\usbdpfp.sys

MD5 4846d37bba87b2e6138074ee076e367e
SHA1 e2e478efbc83b2fb604bd60af032402c3654f176
SHA256 098a0d4bcbad10920e2e05f7da06f291e711a766afdf293d2306ee44879f6436
SHA512 5a17f715556088b4f9d8ddcb298d03ff8fd61f23ce1c3c80e4f79ae6c34a18526d1829b8ca0d21be6513f4c6322fa770fdc7902c4569c452bcba84510be00c71

\??\c:\windows\dpdrv\DPDEVD~1.DLL

MD5 4b4e309fe52c6aa57674a4124a82b426
SHA1 8ac2bcb190b5185606b57234527b6d542a6df11f
SHA256 85e0225a8451b23fe9715939da1a9b8e780eca3c38277b1ad09acd9bf5dce20d
SHA512 d6004795a617869a2f46805eab28c509a077953da456c61c73a7f64eab2dd7f1bd75401bdadc068e09c0e0d7238eee4cb6dfa5070756479443ea2d77e76c3cba

\??\c:\windows\dpdrv\dpI00701.dll

MD5 b7d3259b3bda026eefa90f5523b6e996
SHA1 989b6d1e19134c2329c0749c15904c4ecec25ea4
SHA256 502b9c74fa0f6138a3ebfbb67829bfe267074f78cf6119b35e9975ef2176f503
SHA512 af3d0c4b807ceb2a275a7f219ff98a2776ec62c3686de20078d6004e729984446edb9b7c7b4340e03a27c36236db7e8e6ad0028e1e14e5e1e9be0e266f04e01f

\??\c:\windows\dpdrv\dpK00701.sys

MD5 1da17ab1ab496963949df99184796dbc
SHA1 1194f7ade39b6b40489e59d10f5bd9d6acbca639
SHA256 affdecc31fa032ff7e3fcf6cedfe746a5a89804fd72047a3ee03e0915d971bf1
SHA512 6b10644bb65dce8df9cd90c89a8b2e26895fd1a219973566ee419e0175b4d142173f2f7c5f255f7726f27065727229620da5821288390b9729743d939aeb4f6c

C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevctlx64.dll

MD5 d1adf6e4753778a90dc5215efa831565
SHA1 0ccff3f80e07a8e086b37c956552d829c55257ef
SHA256 db72a2515f6d3796aa3ff9acb2de22141c90fd9d016f6a6559a6f290e20e35e5
SHA512 dfaa69b63797b27e1274cc6ddf1d9d92f3c112ac1210f38e74afd52b812bedb9ed8bf968e61bab45114bee00d60408ae7383aa388494f7e72a217c53e5b7c491

C:\Windows\System32\CatRoot2\dberr.txt

MD5 f941a6c07ce71d378e3be8e7bcc047b0
SHA1 757f406f14a50a8ee307349cbcd70ee23ee08d20
SHA256 8171dae46518de9d80e879857030decdd3bfa17e6c53a31b803f599b0afe0d76
SHA512 11047d39cd49be0aaf0bec8cba58e8705df01a4d2e7e25d48e50d3fdde8aeb4dc2bc6258867cb47f63050e5b09b7f2243c5556e170538a2d7264309582b8f578

C:\Windows\System32\CatRoot2\dberr.txt

MD5 84ed399bfc37753dedaae0465571326e
SHA1 cb17eecb76f482e16b0f38c96aa7965aadbf90a6
SHA256 83a550960fbee8d4ac653b19b27c4416f878431a84d12c01f3be50dd234ff14a
SHA512 e120fec8334894a1a88053835a437c880e5edc71028159cc1ced2a2b21dfdf65cb5520fc2eaea08d2d5db9d341c13f16a7dff093027f40382c702440b3a8173f

C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll

MD5 01bf190d0baec17ce5b40f2c4ab86764
SHA1 fa66aa337f0de801867b5bf675ef18b58e46bbe4
SHA256 7668ee2829543c10300f57f1f98c33465695dee05a02b3f680207071877ffc50
SHA512 0b18fae68f25af2d055f3d3856ede45512020e3a812f424067108e0cdf1c8b50e924fbc98b153ac78d390f68cc7a3e4f27f6b1d8d89669b1dc04004e08f5d887

C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll

MD5 0c2e5c1b8f81747aa00699631268769e
SHA1 34fbf337bb5ab6a8d1203bf339782eaedd8feb93
SHA256 ef2a4c8959d24650131ec66921263049878c2a72cf0a1fccfbe47e99af7dda81
SHA512 dc8362b6da88ba8ceb4a896b0e6d93a49a9d9eb67be4cb8eacb73fb38eed2dea106685b915f2ac2d85c1d4664ccdfc6e43f7daea34f1a7658f9eedec9245cdc2

C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll

MD5 b91ee14eac7a839b4bb2c6ce011118f0
SHA1 83222af6061592039905302d274052cd439379f3
SHA256 c3c96eaa15d345b2f54b5acb3e03ba4259b3375c98309c72e369870860a79735
SHA512 06ced1075db8ecca6e8522c49dc17db68e57a0ebae301a3f3a937f4dd1d72c43243f1ad3427b8829eebcab250595844777f88e823c2e1f66f6a70baaa4f026a8

C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll

MD5 7029decf531b25856e564fed66b58a40
SHA1 5b1c4f4aff15aa733f7a76a105bfe1ccc58d0002
SHA256 9a1695af60fb74ae829eda415cc4e39203e559fe593a5cf9fa4c68973512cae9
SHA512 3866700316b0124bff04c8802a7cbcaddeda6b4f4d3690cc30e84d1d81ba60b50145d4ae15bd7cf1c21318d554b313dd8989a9b5f371db4342c508785b203227

C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll

MD5 42fb249752d7e606fc292f17dfe1d507
SHA1 bbb0e986efc5deb4f38a5c789d632497cc6aa2c2
SHA256 5e251118db31bfb9aac79f4008fd833b8c4a324eef7bcbf830b6c2b4d5de8e44
SHA512 56ae06c61c2f0ad8501a71d4037dee42c1aa5663be5e636d2913a39591ead29587d130320dafbd038229ecd20b2ba3a9719d7ab0994ba2d5bf0bdb0bd8352c23

memory/3876-1594-0x00000000022E0000-0x0000000002453000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\45f2c6a1c069e80380428ef0ab87c5f7_41e50f4a-4a76-42e1-a3df-51306e426307

MD5 967fd0cb495f67398702c9eebf3c454b
SHA1 402c152cd5546b727b2642e4de8547340ed596f9
SHA256 1ae9fddb5f847f09314beadeb06683a81bdb6f699fc4ce8008a4b8179132ee11
SHA512 7ea8dfc09d2fb4fb0b47b7d3182ece7df8d07c35d5ca0d542c420f9a0ce633ec7286aec93812a144f36a081fc8bff1f3d599c676e4bf84ecc0ccaa7ec9c11331

memory/2148-1601-0x00000000003D0000-0x00000000003F6000-memory.dmp

memory/4548-1603-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/4072-1605-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3740-1606-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3740-1609-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4072-1610-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4548-1622-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/4584-1623-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1432-1624-0x00000000009E0000-0x00000000022C8000-memory.dmp

memory/1432-1625-0x0000000006D80000-0x0000000006E52000-memory.dmp

memory/1432-1626-0x0000000007610000-0x0000000007BB4000-memory.dmp

memory/1432-1627-0x00000000070E0000-0x000000000711C000-memory.dmp

memory/1432-1628-0x00000000071C0000-0x0000000007252000-memory.dmp

memory/1432-1629-0x0000000007160000-0x0000000007194000-memory.dmp

memory/1432-1630-0x0000000007260000-0x0000000007296000-memory.dmp

memory/1432-1633-0x00000000074C0000-0x00000000074CA000-memory.dmp

memory/1432-1634-0x0000000008E70000-0x00000000091D8000-memory.dmp

memory/1432-1635-0x000000000A440000-0x000000000A6B6000-memory.dmp

memory/1432-1636-0x000000000ABC0000-0x000000000B0BA000-memory.dmp

memory/1432-1637-0x000000000B0C0000-0x000000000B41A000-memory.dmp

memory/1432-1638-0x000000000B420000-0x000000000B780000-memory.dmp

memory/1432-1639-0x0000000008CD0000-0x0000000008D38000-memory.dmp

memory/1432-1640-0x0000000008CA0000-0x0000000008CBA000-memory.dmp

C:\Windows\SysWOW64\commpro.dll

MD5 828bd419d3c3c4c4c1467e7efb590fd7
SHA1 5cbca9c37e04bc54003ddca3c28e935af6f9c603
SHA256 c64cecca165db8cfbf6bd6c99fd139d5bcf82d0d8926c7281902d77beca61c6f
SHA512 fb24066b4b0558cd914d2998aed6361fda1558941ff257e46f9d9cd8ae24b69b3bb5832f7c08ed4fccaf4b09cbfb6cb7f8b42526c6bf013e0374d7df3b611461

C:\Windows\SysWOW64\comms.dll

MD5 15c6e3c1b83d19c74c9f15f173d6a54a
SHA1 819b966af9d1d69b22dcefc92d448705ccd734bc
SHA256 096d7c6f697f9bcf1273db5e5452085279a270f2cf5a353c1b3bd483bb30ca9f
SHA512 0c06e8cc2e75bf012d56e619529ac69995614e6afdf164506a0ee1181851801e4da473cb0472f114bfc96edbbf00f11e4040635c0e1e04c081f6a5389885e943

C:\Windows\SysWOW64\pltcpcomm.dll

MD5 90b4dded7c04b0604e7f2a860b435087
SHA1 045fd76a357c37a78a7504abe682fa889227b3d8
SHA256 ac0aa7c014ec80c167c07fc185a022dda128bd30b97809e4e604b90b836de32c
SHA512 2134845dbf3d8f625f164e3f12673a6af8e268d0b868dbf3a629b2bd5cd4365d535f9fa1cb9e94cab9a8bdf91762b0b80f1bed12baf1c7f91d6a80029660a80c

C:\Windows\SysWOW64\plrscomm.dll

MD5 adbdbfa949b6b948c3141e439f279263
SHA1 6fc0222417739da3fd4da30e46c1f4fe31938cb5
SHA256 720fa39785a97dd3792d4811800c413abdacaca2e7bdbc43123b2cf55cbfe010
SHA512 3a488ebe0528424ec1169891004f5113a097928546257afcb7c9bf96688b4d6460b0a5db4c245a078447532619d19576af669f90babbb36ad055d073e933ffd8

C:\Windows\SysWOW64\plrscagent.dll

MD5 f0a75bfe2c5e5487399f72886c581317
SHA1 e40dd78180fed788babc1c1a5384efbf0db8d85a
SHA256 971e2180b34ec63aa6b01583cba5d2bbfd81b8c82a9574f11a813ed4b1554def
SHA512 0b068a8eaba62a9874da6f2d5e034ace09197859f080224cc42c9bb4f175072bd4125885649f909c48a5536618852f55b69c5d97a381622af20a8d68e9407985

C:\Windows\SysWOW64\plcomms.dll

MD5 3fcb10c4d43770ebb1e2772242ca3128
SHA1 db5da8754e4e1eb2764f702f1d7acaff09b2090d
SHA256 93d6eca4a41fc20f790721b1d339192faa8afc8dd6ee5a2d09a4aa7443641b98
SHA512 2eb0108c0cbdce71310bf464ba56f5e29eec0bcb8e64fe6630b95ba6a30c1573cab4fd87eb073a0fdea0a7e567d4eaa11db168bbf083874cd4cee420205244cc

C:\Windows\SysWOW64\plcommpro.dll

MD5 08040571c103050308f38ef2fdcd657d
SHA1 a003e5b5645a601a2958d582ef3fcb6a02a91006
SHA256 760338d21e26365b4c726d93ff6a8279a47e4b1d4a16d5ffab17c10c628f2af8
SHA512 5c179be30148dbd78e7ada10937bcdce01f56a06725e954369c2e17bd77bf8ca4facd299c8f7ff556a6fa715483c6e49f91c327b1a33c7dfa2dfa85b940b01f9

C:\Windows\SysWOW64\p4pcomm.dll

MD5 76cbc221ce8f7025a73209996b57e15a
SHA1 d7d6dfc704bf0cba64d30f6f28e2023ca0dc6bab
SHA256 182dab50f936c7bd5e70c05d478b35e0ca5bf13397f983b3468352421e89f9cf
SHA512 153c95a8149bd990e0013e24f70a29e700eaf28f0a280af4b9e341c84907319ee41c9e34f8822d2a7c3ebf8fece930e1cc05fec9b481d66be3f39334618bdd7e

C:\Windows\SysWOW64\p4p.dll

MD5 6b506ed4da3392f9156852df33219009
SHA1 4237e716d77c8314d603524784382f857437dd09
SHA256 ffe70331c087621a2967fe2b2672d64931b906695f03d3c87552fb5d61a704ec
SHA512 010457a874f3d2dae6fd8e9dc2aba4c69577b54389b45744d17232436aeccc0d07ce8266bc2589c200c44bc3734df2a041a16ab2fea53cb882765d5a577099fe

C:\Windows\SysWOW64\libareacode.dll

MD5 0df0b735d7c59687d55465d1e39178a4
SHA1 af70f8e696353d184295ff465ded7ec5e94a9716
SHA256 857f7d10ac7929ac92bd347eecc134d83fcb98daf5800bbdb67e646c10df7489
SHA512 01d72d3617f3eef71480ce5004f867bded5a6b91b2f599bb2cdda7c3ab0d607c9761c741114fb138484512a37841fc24ed68859779560814a0151338665e5253

C:\Windows\SysWOW64\IOTCAPIs.dll

MD5 ebbec369b0257007e1b4dbcedabc222b
SHA1 e7d968f0374178bb918e7db50cd56664341bf5cc
SHA256 db4e4a48566a7ec7da0f1ec8dddb237c43c17c00ffe871b96a8ddd54e1d082d7
SHA512 248a2f74ee4ae844b542934eefcdff3febd096d3586776dff71051f697ffafcac3f4f97da7999d48913d276a404715eaca33b4b9b9648de4323cb71d7d388d5d

C:\Windows\SysWOW64\rscagent.dll

MD5 fcb235c79bb0979b99a471fb60ff4e20
SHA1 b26906b379ef324a24aab6a40729efbf53c24702
SHA256 0a1170824c160f3520260fda8e0172f09e5ae8a52485b932f87f7c5dcb7a297c
SHA512 dffee19da85966037e5100f32c2b58b339bba81b338419c9303df3608c7458b649de0c41ef6c68a82a3b62915752410c9bedb06b204cbd9fd0345adba2ac0791

C:\Windows\SysWOW64\tcpcomm.dll

MD5 364b784929e976115aac87fa09472b05
SHA1 af615fb20e3ba2b512af04f6164ad009c289cc2f
SHA256 6db3198b11f90accbf3934a095adabaa81ca4dac3aae18b0a45b1dc785d9bf25
SHA512 f65f382214dd5ec2ec80f2ca2bee8e87622c6bbeb45059e8ea8c0a80eb914ef70266ba41afe7ce7b31d54667cbf0cef03757d31509afc63f6912fb06fc358f6b

C:\Windows\SysWOW64\usbstd.dll

MD5 6bed769c8749572585b77fb2466b48f7
SHA1 ea73ca63c23bcdafd326d5d2014cc0a5ce720acc
SHA256 7c16210299aba8b0dd209d7d708a911db73ba20fd685fa42f87ca6525b831bfa
SHA512 9083c9f729bb394ef9aa8eebbb8b9262095ef7c8bbdb48f8e7f72a5beb2ff8eaff657fdab0217a1827a5f0807fbc33879426974f6728f9034b223cc1b08cee0d

C:\Windows\SysWOW64\usbcomm.dll

MD5 192a3f959976b85af6defef3f3f6f565
SHA1 308c4c489d8b7c9df8214945e0a250cbee10307d
SHA256 0d8fa044c00744db17d326e08d8bf9de06a70f410b844b1834ba8fe6534acda4
SHA512 2b04a5e5d25ba02e92056df5353472b0352fa1614617dd5615c518b04a01c72a974f2c8ed57ab369da839661208cd61fdeec71bb883b06e5e7d47ed357a10601

C:\Windows\SysWOW64\rscomm.dll

MD5 8b2c16a96745ae744b7b16e7a482de01
SHA1 f4d3dbc220615c46e88494ff5a60f27862f9496c
SHA256 e115131e1741e327036c807d55265147ea18d723e7a7703ddc9373e5330bda26
SHA512 db42195e929429874505081e63a5a11e14b100e130901a8454cb97426e747a663ed01ca72faabb97e4fa536ac58d3f93e485d021880e6157635ce9a8cf80262f

C:\Windows\SysWOW64\RDTAPIs.dll

MD5 19521bc3f7c700a58b53b49409676d51
SHA1 a504ab190a6834dfd9c32436d4df2fa489efde22
SHA256 825d95e102ecbc0e6a52480c42c0125273197e4f43de9e4bea6693a2214f0a9d
SHA512 1c5ee301ef319a614d8c6800eabc9741729a1e48ebbca0e9790af3168e4c3ab3a588695c7467b74de3a28a67fb981932a6db4604481fdeb857813dfe84dad9b7

C:\Windows\SysWOW64\plusbcomm.dll

MD5 dd40e2bc0b09100b448651f339cc1836
SHA1 e58f78ed874b53841c638e303c78bc1c651bc5e4
SHA256 5fe0a40c6a2168a0d72444f51d1848d31ccb09f0c9f1e2e9a18b160723730e8d
SHA512 2e535257cd33bdb2c975ddebdeaddc63a67109040a13253c3beb3fec17ecb374c40167f00a40da63e66b0554b351159399633c21ff2b64a8ec4aef025ed8b83f

C:\Windows\SysWOW64\zkemsdk.dll

MD5 a2d5bb4d7048b20b71569ebd2815675c
SHA1 0b7561f6be58271b88dcc670f3bb23953a437b35
SHA256 51110bd61d574107398d433b57a40930e8eb2fa07640c3dfe2f01e344d5a14dc
SHA512 da1157ef8d430c994a826d6e89f9a2016ee75d8366d22a9b7904b904b7404c33e437759168952597fa1f628dd222f63b7bc2df6e0c57c30238c81837a925dca3

C:\Windows\SysWOW64\ZKCommuCryptoClient.dll

MD5 bec7b5aa9fcf7e45642a031003e0f600
SHA1 fcc9eef3716aaf670c4cb52e7c1cc93ed61466e1
SHA256 1dd347bda2c3fe594bc30c038325bfe5ce30978603f30bfe96c441af3c971f8e
SHA512 c43d3cd341d2988c3495dcc53a928c2d248cceeec773d01929c068eef21a8ee41b8b0bc13c937c836c218c075237e3c3660933623c634976d64610528b63c1b4

C:\Windows\SysWOW64\zkemkeeper.dll

MD5 3231d0b478e3304c12daca897895f760
SHA1 876f6bc1c05f4c273fa612390b493012522d906e
SHA256 3dfde9ffaa85e71b51207fdf0d3dcd746920dcafad7eb298b10d9b30bda06852
SHA512 6dda01efe97adf421c70a726135e476d48439219618f45e5395ad766ed649416bbf7f4efaa5abcd8e58e5c930017889a3f084a9afae05f6df2e41912e0bdc495

memory/1432-1672-0x000000000C210000-0x000000000C273000-memory.dmp

memory/1432-1668-0x000000000C1C0000-0x000000000C208000-memory.dmp

memory/1432-1677-0x000000000C2A0000-0x000000000C2D0000-memory.dmp

memory/1432-1685-0x000000000C310000-0x000000000C31C000-memory.dmp

memory/1432-1686-0x000000000C340000-0x000000000C34E000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Languages\emnetman_en.xml

MD5 92e522fd6545058d864b21b77b8619a0
SHA1 9cc4f134f8518c50b7c89d74ebc47fbf2ab76aff
SHA256 3d976c84865aa61d55abb63d5f3d54a5e804ab139036a135d5021d242d5de0dd
SHA512 345708503b16dfe004a66aee7bd20a221fa054f2417ab64aec0f624ec35afd2793e6dbc9a9cfff834aadfbaf9d34360561ed112a38d8d18e42acee89e91e220f

memory/1432-1689-0x000000000C4B0000-0x000000000C518000-memory.dmp

memory/1432-1690-0x000000000C430000-0x000000000C470000-memory.dmp

memory/1432-1691-0x000000000C5A0000-0x000000000C60A000-memory.dmp

memory/1432-1692-0x000000000C3F0000-0x000000000C3FE000-memory.dmp

memory/1432-1693-0x000000000C6B0000-0x000000000CA04000-memory.dmp

memory/1432-1694-0x000000000CA10000-0x000000000CA9C000-memory.dmp

memory/1432-1696-0x0000000010260000-0x000000001028E000-memory.dmp

memory/1432-1697-0x0000000010290000-0x00000000102DC000-memory.dmp

memory/1432-1698-0x0000000014A40000-0x0000000014A7C000-memory.dmp

memory/1432-1699-0x0000000014A00000-0x0000000014A21000-memory.dmp

memory/1432-1701-0x0000000014AB0000-0x0000000014B12000-memory.dmp

memory/1432-1703-0x0000000014B50000-0x0000000014B72000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Access.ldb

MD5 e85bab8603c427cbd85d5d90cadf17e0
SHA1 2963cf0c635998e0132b258f6479015dee726def
SHA256 b928aa84a1ec22de674400ae6ba0c9cc33c3858f157e4d3e7c1006e4df4bd72d
SHA512 59a58b8d27f8466454bdb8cecca37b1dbf4069be3629a915f7f8802dd8488c4a8c2b80af2babc52368bd84c1440c8aa37f23153b4b30ea11f452e1fd7afd121c

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 dba25e326687e18486cc2c91ede9961a
SHA1 b4998e667dba2b8d440b2719661538a1e84b5c62
SHA256 fab3b940a190d4d3512f0857627ec6808fec300f207b064b2f37e328e2be8d9e
SHA512 a0d485bfcf85db25032adaf28996663bbbe647069d5e810df91f5abe71165fdabed637cffc89b83d20845491d4e5d62b163c19191797ecf01ddf8c6586a98a57

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 81f8efa809d56cf7e0707e4d0af5e4b9
SHA1 c23643e8687c9a005df5d35ed4216578c03d4694
SHA256 4bf46ecf4ae8b0daf9578a16d1340b6ed256392f1003e4dc556e4ce15d71f219
SHA512 ce68a19cb2eed76e1b8581892bb09e4bd87a5da1dc3f34a4c59fba895bec7388838c2df7114bc5d8fc6676734eda57751f03281ac5ac42744e22027640407a2d

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 f73fd60a8bcc70ddccaad3ca678d4759
SHA1 666eb093c563c29cec779ba16cb8e71aececb69e
SHA256 37cc2b45287b629c7ff82805762f60f53bc19b148442a36a0f185709aaca5f1a
SHA512 85805329defbf5b65893e263828e9e0f48d3aff7500fb642581f8f9a36ac66e339c2a6e7002e766fd23e1e32ed7cf8e56a7141e085d3527ad7e3e65062bcd126

C:\ZKTeco\ZKAccess3.5\Logs\20240510\ex08.txt

MD5 66ffb3eb2a7a0033a2b18c2e25721ca9
SHA1 49ca41455fa4466ea5879869da1e0c357c2997e6
SHA256 7214e1c29199f4e1a4c5fad277b2eb64f41d070862937009754145d341762c11
SHA512 a2088e6463b8cece3ba19c0e3ff74a3b03381eacbb5720940911363855d885f9eb06f1f3a9c39aa6e10a43c5ca2be9a9c90d6a561551d1a43bd9645373a4a709

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 3e177849c27565232124247ec3824d7b
SHA1 67efd74eb09e1b591418e223ed3ee533079ccfc9
SHA256 f32dd5082617962ffa99457b605eecf356a02c908dbb636bcb313adc921e2d88
SHA512 91df0eef1799fb6a428434286a003645772642c78cc2c4b5e3fd25e311858de5b20e5f09239facfb38cb1c4316590957302f8f75c4163ca6b7b257ec082dfe8e

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 951ce51855eecb2abccd80bde360c763
SHA1 5a6de98d92ad265a1883e34f3b93c84fa63c0334
SHA256 ca05c13f33503131029e6b591316782b28712edfc1bde77326081f14c51974ad
SHA512 80d88ff49f4afefa54d2adb23fccf9317d4b959dccbb54c24d278416f046dec7e1d583f7ebba7b84b9736d0432d879f72213f2b00245b515841d0de48cd88015

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 3e83641edb058de5a46477ecfcde9dc4
SHA1 c1b706c43ece3da046798927fc3ee01a0cb9f44a
SHA256 c8048b80ba185f3c855d740e257b244b3ab5ba52cfad4454fcd9165c9f340f11
SHA512 6afc0ca6a2a0adbb6a200c3335b000f8eb362481b9914e92e5b55075c14aa3b14938cd142da4bdbb3667f6502e4b6af745e15b92e515eee6e7da2dc5b56f0765

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 fbfc545017a9726457c103d652958cdf
SHA1 96cac2b37ab88cd74381b858eb89e40c38a68af4
SHA256 f5d6b519542e18e071195e6494b34f7d6f2132af906325c2d44ce9922d57642c
SHA512 78750c7dfbf7fb48151ff167233da96ad5d8ea162c311f502c2b0c6216d1d5d8f1580fa8e6dd64a89f9602e1e236e6589f87c448df7d9af7239108e847f30df2

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 25dcf6cd84d471a75c9dc3a07e1f56f6
SHA1 88657a53060d3908192a7203604ba076a3d0f3ec
SHA256 ea6f79424bf1865ef69166b8fd3d9a9c444b287b354a41f86e99e9210652ec5f
SHA512 39c208232acf0e94ecacd912792632f423b8bbbc112b6d4a30348ffb90432ff53fdaf79d8195c7b84b2022c88ebfebf1c3062232f1cd7293934ee4e307762d92

memory/324-2451-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

memory/324-2456-0x0000000005060000-0x0000000005073000-memory.dmp

memory/324-2455-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

memory/324-2454-0x0000000000400000-0x0000000000E4B000-memory.dmp

memory/324-2462-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

memory/324-2461-0x0000000000400000-0x0000000000E4B000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-10 08:48

Reported

2024-05-10 08:54

Platform

win7-20240221-en

Max time kernel

141s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2440-0-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/2440-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2440-3-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/2440-5-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2440-8-0x0000000000400000-0x00000000004E4000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-10 08:48

Reported

2024-05-10 08:54

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe C:\Windows\splwow64.exe
PID 1172 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1172-0-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/1172-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/1172-2-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/1172-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 08:48

Reported

2024-05-10 08:54

Platform

win7-20240508-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
N/A N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
N/A N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32 C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\system32\\DpClback.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DPCms.dll" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\is-DRE8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\syswow64\is-JU8UB.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-87IHF.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET408.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\plcommpro.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\syswow64\is-CJJAI.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\libusb0.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstor.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpdevdatx64.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpK00701.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\INFCACHE.0 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64\commpro.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-6MA20.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\system32\is-BPJ9N.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-78GBV.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET408.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET864.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\plcomms.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-3LSST.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-RBIC0.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\ZKFPSensors\is-1TKCG.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-43J7K.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-E30UA.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-30EGT.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\syswow64\is-IN1PJ.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-NC23S.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-LCQF7.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET419.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\usbdpfp.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET831.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-G643D.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-L5ADL.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET419.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET863.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\libareacode.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\RDTAPIs.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\usbcomm.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\system32\is-15EQR.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpersona_x64.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET80E.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpI00701.dll C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_neutral_d9a56a0c507c5e8f\dpersona_x64.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\appsyn.cch C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
File created C:\Windows\SysWOW64\rscomm.dll C:\ZKTeco\ZKAccess3.5\Access.exe N/A
File created C:\Windows\SysWOW64\is-S5TKT.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\ZKFP.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-TC134.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-P1MEM.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-AU4GF.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\svinfo.cch C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
File created C:\Windows\system32\is-P9CSE.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\system32\is-KDF7J.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpdevdat.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpD00701.dll C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_neutral_d9a56a0c507c5e8f\dpersona_x64.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-OH0DT.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\System32\DriverStore\FileRepository\zkfp.inf_amd64_neutral_ab1035548178aff8\zkfp.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\SysWOW64\is-OK7B6.tmp C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A
File created C:\Windows\SysWOW64\is-2PN08.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-UJLCU.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\SysWOW64\is-L1V3B.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET41A.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FPSensor\is-N2523.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-7J54U.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-F8ULQ.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-RQ26S.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Program Files (x86)\FPSensor\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\PROGRA~1\DIFX\0169CE3A95F06636\DPInst64.exe C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-7IGJ0.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-9AQV8.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\es\is-ANPGB.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\is-C6KDH.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-L8LRQ.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-KALDN.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-C2JMH.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-O1HIT.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\de\is-EUDTJ.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-R3A4J.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-SB064.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-SO6SP.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\en-US\is-H804B.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\bin\is-MV717.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-7MEEN.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-OOFHT.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\is-E5OL5.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-LQPVB.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-MJ2QE.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-KLSII.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\fr\is-SONVL.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\pt-BR\is-SP5K0.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hant\is-0TM87.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-97A9O.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-DRMSL.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-6LDLF.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\is-A17Q4.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-MH403.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-2HO37.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-FRNH0.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\it\is-QIMCD.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-ETRV3.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-V8ERJ.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-M254F.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-VF892.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-VQBGS.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ko\is-EEGPD.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-KA7JH.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-5ODN3.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Program Files (x86)\FPSensor\Biokey\is-VJBK8.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1D7F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\zkdrv\is-C8GBC.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-3OLLL.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-FH110.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f771ce3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-H86K6.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-20QGE.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-0E620.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-UO5MI.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-HN6LG.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Windows\Installer\f771ce6.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-R8QR7.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-AADGT.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f771ce3.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-UTA6D.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\Installer\f771ce6.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DPDrv\is-ELJ79.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-55TMC.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-2MNJR.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-Q8HK5.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-JTG4D.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\DPDrv\is-HEU2O.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File created C:\Windows\zkdrv\is-IJ3FH.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\DPINST.LOG C:\Windows\dpdrv\DPInst64.exe N/A
File created C:\Windows\DPDrv\is-PIMI0.tmp C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp N/A
File opened for modification C:\Windows\Installer\MSI1D90.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Version C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\VersionIndependentProgID\ = "DPCms.Client" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}\4.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CurVer C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32 C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B} C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib\ = "{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\ = "DPCms.Client" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\ = "FPProcess Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ = "CZKEM Object" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ProgID\ = "zkemkeeper.ZKEM.1" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ToolboxBitmap32 C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ = "IZKFPEngXEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\Version = "1.0" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ = "IZKEM" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Verb\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID\ = "zkemkeeper.ZKEM" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\ = "DPCms.Client" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\ProgID\ = "ZKFPEngXControl.ZKFPEngX" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\Verb\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\zkemkeeper.DLL C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\ = "0" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\FLAGS C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ = "IFPProcess" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0D228640-0579-11D2-92F7-5CEB20524153}\LocalService = "DpHost" C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\zkemkeeper.dll" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib\ = "{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZKFPEngXControl.ZKFPEngX\ = "ZKFPEngX Control" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\AppID = "{FE9DED34-E159-408E-8490-B720A5E632C7}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ = "_IZKEMEvents" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}" C:\ZKTeco\ZKAccess3.5\Access.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus\1\ = "132497" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}\1.0\ = "FPCom Library" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\dpdrv\DPInst64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeAuditPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2008 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
PID 2892 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 588 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 588 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 588 wrote to memory of 652 N/A C:\Windows\SysWOW64\cmd.exe C:\ZKTeco\ZKAccess3.5\DataBase.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 2892 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1728 wrote to memory of 1944 N/A C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
PID 1944 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 1944 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 1944 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 1944 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\system32\rundll32.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\dpdrv\DPInst64.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 1944 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp" /SL5="$70122,380507,58368,C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\ZKTeco\ZKAccess3.5\InitDatabase.bat""

C:\ZKTeco\ZKAccess3.5\DataBase.exe

DataBase.exe

C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe

"C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp" /SL5="$80162,17664398,56832,C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{376c023d-54ba-3639-ce94-3351cd313607}\ZKFP.inf" "9" "629e2a833" "00000000000004D8" "WinSta0\Default" "0000000000000564" "208" "C:\Windows\zkdrv"

C:\Windows\dpdrv\DPInst64.exe

"C:\Windows\dpdrv\DPInst64.exe" /s

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpersona_x64.inf" "9" "6deb7b823" "00000000000003B8" "WinSta0\Default" "000000000000059C" "208" "c:\windows\dpdrv"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DpClback.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Syswow64\DpClback.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\Syswow64\DpClback.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPAppSyn.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCms.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCOper2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice5.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevTS.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpFnd2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPFstCon.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPJasPer.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPMux.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPPTUtils.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpSvInfo2.dll"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPTSClnt.dll"

C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe

"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe" /RegServer

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" start "DPHost"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start "DPHost"

C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe

"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "zkonline.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\zkonline.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s /u "FPCom.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FPCom.dll"

C:\ZKTeco\ZKAccess3.5\msiexec.exe

"C:\ZKTeco\ZKAccess3.5\msiexec.exe" /i"C:\ZKTeco\ZKAccess3.5\USBDrv3.0_x86.msi"/qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DCA527C77BAD85F8B657C132A0D212F1

C:\ZKTeco\ZKAccess3.5\Access.exe

"C:\ZKTeco\ZKAccess3.5\Access.exe"

Network

Country Destination Domain Proto
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp
N/A 10.127.0.31:1433 tcp

Files

memory/2008-0-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2008-3-0x0000000000401000-0x000000000040C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp

MD5 a305877eabf2c8d30cd5df98345952ae
SHA1 c0518290145415e66f9f1b9a9c3c1b3e346a10fa
SHA256 8558efadf63fb12cf3ddacccfe07d397f2f902efadc4adf679a7e5c27cd49d76
SHA512 6f22868d451f3f07fdaa096b303a480fb9f5f9bd4675046bba79b9c15435892ea07b3ef5f3a3788144af696a675c2d4639ab4396e22761923c955747463b9fad

memory/2892-8-0x0000000000400000-0x00000000004C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-4K7N0.tmp\isskin.dll

MD5 a5f48d365d7527289e9a599519bfe590
SHA1 166589cf8ac1d9989eda0da0e9488104a079bc69
SHA256 66edea4626b79d2b86eb8bbcb1f6b10a2f4631c04f023eb75b37f9ff3fcb42ba
SHA512 3c946e947cdfa8c2780b8bcc0abcb9117cb2397fae8470ee2fdcf3f6069539c179aa5771cef8ff36bbc591854949bcb808979ca02b1fbc26e374c7c9c1d28a59

memory/2892-13-0x0000000004010000-0x0000000004126000-memory.dmp

memory/2892-14-0x00000000005E0000-0x00000000005ED000-memory.dmp

memory/2892-16-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2892-17-0x0000000004010000-0x0000000004126000-memory.dmp

memory/2008-15-0x0000000000400000-0x0000000000415000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Languages\is-IAUCA.tmp

MD5 1e7990d499a59ddc7d2af6ebdf1ca807
SHA1 7b481967772fd2dea77d8aca14d1bbca7847896f
SHA256 bf931b0e31daa2453f60921bb64d5e1a2d6de8873e71175d36c91b6a79acaa4d
SHA512 3dd2c713f8b9c2dc6498fe1380a4d7cf8fa4f617c2d40972902a551c4b58f600fc694927badc3a73d6b984c7d5bfe3495a36fbce45cfde2ae81ecc350b61ea7e

C:\ZKTeco\ZKAccess3.5\Languages\is-5R01G.tmp

MD5 bb825332da2a1b633707043cfe88620c
SHA1 508a85a26841ba0c11226fca5aafff7e806fdcd7
SHA256 67ea801a80303d5167dcd78a84c91720b143d6c88510f24e0f9d3bda61507111
SHA512 ac090df745896efca4bb7789a9a19d00eab90d1fdcb14f4a1f642e7f8a0b444deef2c253512605c7326724ca1122826acc0d1eb2e9a071a747c3f2e71ba96714

C:\ZKTeco\ZKAccess3.5\Languages\is-1LMQ8.tmp

MD5 f0b1655115326129d826c2313993919f
SHA1 d9181bb44755a187918d68e64c0e8ce53e17c460
SHA256 091a8ecf79ba9117df3a80e22974d5a77ba98d49a30c4c4391f343bb27e0b611
SHA512 ea1013de191e6d9413a44f563b826eb033827358676f809c0331e62119bea24853bd97d7e8981c5c636caf70db9b2233f25ea383035637df2bf8646ceed1984a

C:\ZKTeco\ZKAccess3.5\Languages\is-RSP0K.tmp

MD5 fc734af8b0b62e8dc4fee6fb2e55376b
SHA1 38b13f68c8e95df11786adac26c00900dfaeb8f4
SHA256 100fbe9fe7585bdbbcd1d5d190f59740813359f4ec3fb66f0a91451d833a5205
SHA512 0cb99cd33d179d3de1de97c0bb57684fd047a7b19a517a9fe731dd0579aa2017e4a608e8d27b087a8697e56cbe2b27b2dbd2c74bd99314b44e178e2fa66d8307

C:\ZKTeco\ZKAccess3.5\Languages\is-O1JQT.tmp

MD5 5f43b5ae4df98b599e11c243b8cee7a6
SHA1 6b3a9b0ad80a9626e370961ffd84f216afc489d3
SHA256 1898e9139177efe7b9645c407f95998d1e60849b5ce63ba9b0884d548372ff6b
SHA512 f246fd5a4fa73c07b88dd9682578d135b177573f98b9fbebc10d443359790f40d3bdfe3c45d41218b4bef21a12ed962b943c32df90a1dc3f86d3fd174537c0b1

C:\ZKTeco\ZKAccess3.5\Languages\is-513AD.tmp

MD5 c952ee337c813afa949539f44ac0534c
SHA1 6a715ecbfb22d5d36a5afffc15cf29cdecce8033
SHA256 d01fc70299a04aa4bcc6df88ca47b88d2844322e9ff77ceec78a605a1d12c245
SHA512 b206c171e5c8e4a6d1f2001bcb055b56d5b78d683b1c59e9743409abf0ba685c459b9f249ba5147db0344a536dc35ca298d317e031059305e7b07e7e40b8f5b9

C:\ZKTeco\ZKAccess3.5\is-4O0C4.tmp

MD5 25b7bbc9aecdeac55913bac5b135c61a
SHA1 3a7583e7fd78c15e2f40cfe9a2c28ec5452ecd37
SHA256 b9ca6595d63e0c3738eb6ce2cfcecc3966e8c4546a884d9e3e084918b813b7d6
SHA512 6849bea5d054972422c8d2d6a58b4dfdfd58fc194aa2573e6b908a16e04bff192c38ade84105d023b1ff25f752d84a1d620b8f89c5135208c43e914c903826c0

C:\ZKTeco\ZKAccess3.5\is-PTSKB.tmp

MD5 3bd3261a51269c8c40b2f33e498b5d17
SHA1 5a8fc34d5135e0ba9c5c214ca8ecc778379d6729
SHA256 dd68117306b0192d2e571f9edf7fac94ec1de0154a3724d99df3055b42650e3a
SHA512 f02d4d9eaf31dd3246847466a7602f0cc064e62f0ff33a62953310fbb5ac08ea517089be1275ecd5b35b14f935f01b6d3ade28950c6845ff1f8d65d3d9688afd

C:\Windows\SysWOW64\is-OK7B6.tmp

MD5 afab8e482be11151fb0e03ce4ff8d837
SHA1 dd1600e727b17eb9a88ee46c51b0e2b1fc06949c
SHA256 67cd76a3353cab3e4f08577ba81459820da5f9ada4aef7f5787fe3b6a6518e2c
SHA512 bf96495f896cc02112d540ff010fb6a75caf0a921e8a371547ed8e339bfaa100f66acd66208852e6ff31f397d56a6ff132350c2001c64150957e6ddcf3da0fdd

C:\Windows\SysWOW64\is-OH0DT.tmp

MD5 f831a4f936619a827ad095de00c5e95b
SHA1 7973b831f0eab3c2ce31a74381d066c7d91eb497
SHA256 e288a2568bc023c00d8e4acaf93066a63208c10cc642bba98aaf827cce6a141c
SHA512 c1da2fd769945be554350dd81c854c5399c681cfba5cc055a248c68a6bf32ddd510d246065b305e54aaa40f16c5184951aa6c92e8d4dbd22f2026207adfced9a

C:\Windows\SysWOW64\is-TC134.tmp

MD5 e797beed9fe37ae67081d86f18654313
SHA1 664d34c634270e1c8bd05f3069779217b1d5575e
SHA256 45bebe981ca5ca851d3bf746a7368d9982495dad5da4c1d54b759eba8fe74d4d
SHA512 e3689ae65e7ff32645d523b96733abc0f8d1d6feba6528dd1645f0de91954655cac24bb484a4b27f7ee4a4c8a5b5c3c48b12c44237196a41a027fda0d669a5bc

C:\Windows\SysWOW64\is-36VIH.tmp

MD5 94e2f7110a27babfda5e7a90699ba9e2
SHA1 d32c27e74af8b60919476badab4f2aef0f721b71
SHA256 f805f387e3a6e73a1d2cf61c99744b3ca72fec8a8f34c02071780e0486934e1a
SHA512 ac6e8724436a65bfa40e8174351826c55cdca902cb457e6091967b55f1a66d1fae16101130e6d4657ea7724f327c2f57d33465e7425b68a421811cb9a698e638

C:\Windows\SysWOW64\is-P1MEM.tmp

MD5 1c8449dcccbfb5470e06c33a47fbf937
SHA1 b246a9a0888637f121bd06479ee498174f7e2cd2
SHA256 ad652892e07af6ffc992b3a6470aeaa1249827b36df6840fd9a6bb43c47f297b
SHA512 7c4ca4afbe2c2e817e8024e5c577fb3695a3af334aade629674078ed63be99d6adc44fe0ee4f9fda12785ad9fa213eb9f3a1b2a2132ce248d6280f2eca3f6839

C:\ZKTeco\ZKAccess3.5\appconfig.ini

MD5 bb3cffcd46e616d2ed77aa7a65609313
SHA1 9800cb6700dc18a930065340b1f37f520a157f20
SHA256 e2da0e56e1139c7d88245e038247f3200630c2ed4f1f9ceb1e130e8be0d8e814
SHA512 2abfe6813909a9ff9adb836e538e612ef4ae60a9c32f86b89835ca7cdf0ee347e91a2888d2ef63693e6150bebbd59b3e1878bad73833104fa46bd1207f67e7f2

C:\ZKTeco\ZKAccess3.5\Access.exe

MD5 f40f43edcc46eec1c64e1e794b0539d1
SHA1 fb431ced00d12f863eab9fef9dfe490f5b9681dd
SHA256 be9b424b2058b6cc10c697a7fff96c1af62949cfb34ca43af7cc82b4e4ab2fab
SHA512 e12f510fbed3ba7ebcf5c1d30eac464e36c4a33073b34f1a29e11306e5760b44924f11eca338f00c398f5c26a53fa55406b8dd513ff02d1d9292cbf89cc1766b

\ZKTeco\ZKAccess3.5\Att.exe

MD5 d7de1f512e31da1cb7f3fa98ab1f73bf
SHA1 afe00331afaeb8b5f4c8763c39800ead783e4120
SHA256 4e77e7298c2519f2008c2eda5c656f75d1802439beebc5f23b7503e888800cf6
SHA512 e31b92909f5fe26c0353ab54d051762d278c834b8c86cceb320ecc9c388b48c8a0fe044aaccb44df6a4be000ec0a0e7e63184508bde0c3e409eb1834b380eebb

\ZKTeco\ZKAccess3.5\unins000.exe

MD5 3f779b952459be9d3788bb1ba018ad35
SHA1 9fb6663660c89f66bb1c140d80ec98b20d16c7d1
SHA256 d75777bab8e467ac205c37ad69c84e3e427f767666d2300839b21ffe8ed05da7
SHA512 58963b3379ae50bd8f23d195fcdaaf5e2de09813a04084015a2e72a6d40e7f199fcf29593d27629a43c397545bcffdb4571dabb77159611854abd09ff54db014

memory/2892-988-0x0000000000400000-0x00000000004C1000-memory.dmp

C:\ZKTeco\ZKAccess3.5\InitDatabase.bat

MD5 8f6a918a8721f26331903efd3c91ae67
SHA1 cb25667f0a80548d66a4f4e1be0abef915609272
SHA256 acf3cb03a7eb5b4c0e2b0bf9af66cace4a7f7820a2aba9c1f0404f52f81b731f
SHA512 b343d3666e9e9cd0b7bf925fe2895cc3ea29728b68c1384edfd68b06b01447a6fb99c8fc7bda3aaf3e7ddb503ebe4b5d39382857b0d386596c8ba2b172aed82e

C:\ZKTeco\ZKAccess3.5\DataBase.exe

MD5 ded18ca95cbcca1703e2e42ee9c3f1b9
SHA1 02581f99307d217623b2a629e38ca54cc2182b30
SHA256 1163b0d67c17d4fbdb64cf480b1f99ee5b3ee5f7c099e65c859921b6b3e906e9
SHA512 fe853dcf17b1170711a37f1ddb435af7b64ba8dcc225439927e6bbb3cd0806736606e187e72b423c1121d876ebef8f36813715b20f9cad176f7f7e026dc7a4b7

memory/652-996-0x0000000000B30000-0x0000000000B38000-memory.dmp

memory/652-998-0x0000000000640000-0x0000000000665000-memory.dmp

memory/2892-1000-0x0000000000400000-0x00000000004C1000-memory.dmp

\ZKTeco\ZKAccess3.5\FP_Driver_New.exe

MD5 06062fed9ea10ed7bee8fa82e22a7ec7
SHA1 81ce48fb9853dde8104216cd84530013d5cf7fb2
SHA256 4be20a1b7ef1c2adeb573fbda23158e1b6508c943be76792dacc6ca77b93e8de
SHA512 a4da8fe4bb46fdb0c120798ed03031d0a828eef427dba44ab11759083764be7a533b5be7f607626a9631df89907323e8506d93738b86e8e3db54847ebda10c37

\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/1728-1006-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-5CTDU.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2892-1021-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/1728-1023-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1944-1024-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Windows\SysWOW64\is-94IP7.tmp

MD5 2540916777e828c24e89a79329bf5598
SHA1 445219ff6601d8ac707d416655c744f4eea07e24
SHA256 7d4889f448087e23b4504a0bade1a765dc3826998042ecb82c744b2447964f5f
SHA512 0ceff0a7b333552a68aad951a2a14405a8d8c0baefcfcc5f6ecb8ad14f9b234874e36a2607d6ad7d95a33b2b47269872efe74642ea52f0f89a91ecbc94c1852c

C:\Windows\SysWOW64\fpslib.dll

MD5 4a8aa2cb879ddeae2d8e5bab5bf310b2
SHA1 ff956c8593f55cab33bc087b2f624b14b710e603
SHA256 6626b4ca32408bcdb4cfd5e3e84faf7d1c6c49c4674b9b319cf68286575f416d
SHA512 192bd3134910d92778d2dd9eaa4cb2d8a19140b00469b373626162148986ca91d4df36488a90e8064e2a7684b1261eb56420aeed4612ee9c56c59991e01c94f8

C:\Windows\SysWOW64\libusb0.dll

MD5 a0263041d4a4023a8e78f7f417404a42
SHA1 90a0f6dd891f2b166317bec604008d624009c678
SHA256 771743d4fd9b325fd8f583487b0001a4d36c0a5554feba59cdbaaa75c6fdb615
SHA512 0346fd5e328fcbf8e55f31d257b330fba494dae00a9cc57cddf5abbb9d4a7fe40806d71efebad0585c83632208d1f11b78c7385224bb653dbb8d59e2dc8b5c3d

C:\Windows\SysWOW64\libcorrect.dll

MD5 bb16a0e5d2d75c0751ea6835aa36d940
SHA1 278b6b054fe4fb88b0dee3cbd69e1735c3520c59
SHA256 24c7c677c50b2c54d0232ea447a241d0dd61eb70aeff871f8bb6c16c8d0dc196
SHA512 31d8429c373cda4eca5a8b60935b885b8816308125ec0228c6d0732fd981aa6e091bb54fe5e8afdc0348bd0f060a66d9be321ac9d18ee8c4d2a43822a0bdb12c

C:\Windows\SysWOW64\libsilkid.dll

MD5 4982430535a837b23913c50454dfc622
SHA1 50dfa02f92d63af78a80c3a731b60cd3f01f4ff2
SHA256 0feda63b2613feddf7ea6103d66b09c5d9f9852c43e3c2f452cf3233e617fb9c
SHA512 d246002aa68a0a1dd0c2fa9cf70232903417561cdad05694f669b285740fba987eae6371592d041b31ae4538beeb870953536545c4f5e6f53bd20ede945f9d8a

C:\Windows\SysWOW64\ZKFPSensors\libsilkidcap.dll

MD5 ef9cc5f8bcee7c4daf1a845dd60bcb73
SHA1 a75eb761c93c5826b36b835524fdbe8b9239fe4a
SHA256 f941c38f017150323d4a56712e1fe2250004c49f05c91a1c46de8cfdb2d1f576
SHA512 c4f5def779310bef75e57f59295f5dbc8bc868dfefc805ea301fbf91c0ba5e453cd10a314882bfa5053c42651ad8fdd9ae93e3c9ecf3a343b80e1f853ea82b4d

C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll

MD5 84bea5a6e9dd1681660af3f4b74b27ea
SHA1 f1a727271ed9142333586e1516a95229735fd7bb
SHA256 bcf2a2ad0def866739e911cad2b65f6829671d70a69b5bba45764751add16e28
SHA512 9684f0528f6b4db23f24ebe1f7f2bce92dddcee32587680499d6ee85b921fd3c8edd78e4fcb1481b63c12522043dff59421e16c1df3fde6fcfee3deb0324bf57

C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll

MD5 fc29d9d49dc13f5bf30035513f782ed1
SHA1 985dd539e9210829d60e11d1419a87883304e7bc
SHA256 93fcd70336d5e6a9293020b4d57ea66968e7387d860133d6c090b22a9611186d
SHA512 b71579ba071126b0d5683f32f71e891cf63e65c72c7dc8dc4b090f992c18efdfb014a68855628932b4247fa4ad95056f7e198c58edc8e582bcc60aa6304a729a

C:\Windows\system32\libusb0.dll

MD5 fe7548fc329229576d6e672f9ee08ce6
SHA1 8e5d4e944fc341ac787d236ea9b48c75637e0719
SHA256 d4c35e72e3dfa67f18576df927caf9fdbadf148231b98ac22bdc5bb11f6bd796
SHA512 4fcf3d0458d557bf33792ce11e09832300410c6df88b1ee12b07142eff867495aaa7cb3aa00cc6a6a9b19f01e447b25103ec0de75fddca306026ba1330dded2c

C:\Windows\zkdrv\ZKFP.inf

MD5 283c2123020a1d80e1dc50f97c8e902e
SHA1 6261f70e969a71e92cc2d841b4d9d2faafa4a34c
SHA256 0150dcccc9071053b20eda0416c478319177667c773ce4639b5e2745374a6a2f
SHA512 4360b26ad4d5c439d651b9c37315a46cc218cf1d71e19c6bb2472c6fcb9d215a885aca058966156ab696d327176ea98e06076acc7be672aa18133c9c5ddfae46

C:\Windows\zkdrv\zkfp.cat

MD5 d3f97b9069ca4eeed99f5474f8afead5
SHA1 b89020d02650517826a3f513210a40ed9b122073
SHA256 c4ac2e14d7c2afe8d62675afe5a41ee62811a4baf57e4c60b0816b849ba4c7ac
SHA512 6f1cfcb081cbb6fc28602afe48df7e9ff4c66b6388159af1a0374f054b436d5bf4f08e6557b1b24d993640215886d8550794c14b6a48d2f09b87a43e7c5fe91f

C:\Users\Admin\AppData\Local\Temp\{376c023d-54ba-3639-ce94-3351cd313607}\libusb0_x64.sys

MD5 77afff0483d5f84e41717cc358528a5e
SHA1 37084cce0b4b63780c9cc465cd54446e680e2986
SHA256 ecc512ba6a0fb290eece70d82edf9fc0891d336b39e7ae37e0156544150785cd
SHA512 4e6bea9ef8dc1ca8ecbe05e96f18019c20c57108ec6adc45ee1d423c30b65b31f0c8170e25a86809e8e8cb08ac8f7f8526769db283ed5bc448c70486bc3d7ff2

\Windows\DPDrv\DPInst64.exe

MD5 c3ac43b2018114a617e946aa8fdf3cac
SHA1 2d90f38bc995c9cd5efec52109f8bd2468001ca7
SHA256 ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117
SHA512 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

\??\c:\windows\dpdrv\dpersona_x64.cat

MD5 50f212c4f9b4a832a410d3e83f6317ea
SHA1 503bc574acaa4a79bea85304a5b7b3a0c85191ca
SHA256 29c2b3859fdd96d781e07f3ae778eabadbfa54cbcb437aa00e447978b18f7309
SHA512 0387139e4f49d236c09ee36d0bed34258e9518f90a4f486a43a06821a0889ecd6d3ec8341443f7b582d041e0f279cd81d2e072f52de44b1d0dbe217488ad6a97

\??\c:\windows\dpdrv\dpersona_x64.inf

MD5 91967eb8b8468aadd50e2d880375d8d2
SHA1 e8fd6ef8cc869de121501fb543a7c0674d30756f
SHA256 d230952d38ecda93d971fe9798dca35d0e4c7a7c4b573d0af47a34b7928c8e92
SHA512 58c2f6885afdba94b63d2b1e42de41c561852870d0b6e45496fdee9fc7d1d1748eab6e71de7fdb59b4abb5aecbf7c81113fe7e975540c5d72886149f1cb4ba1a

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpK00701.sys

MD5 1da17ab1ab496963949df99184796dbc
SHA1 1194f7ade39b6b40489e59d10f5bd9d6acbca639
SHA256 affdecc31fa032ff7e3fcf6cedfe746a5a89804fd72047a3ee03e0915d971bf1
SHA512 6b10644bb65dce8df9cd90c89a8b2e26895fd1a219973566ee419e0175b4d142173f2f7c5f255f7726f27065727229620da5821288390b9729743d939aeb4f6c

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevctlx64.dll

MD5 d1adf6e4753778a90dc5215efa831565
SHA1 0ccff3f80e07a8e086b37c956552d829c55257ef
SHA256 db72a2515f6d3796aa3ff9acb2de22141c90fd9d016f6a6559a6f290e20e35e5
SHA512 dfaa69b63797b27e1274cc6ddf1d9d92f3c112ac1210f38e74afd52b812bedb9ed8bf968e61bab45114bee00d60408ae7383aa388494f7e72a217c53e5b7c491

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpI00701.dll

MD5 b7d3259b3bda026eefa90f5523b6e996
SHA1 989b6d1e19134c2329c0749c15904c4ecec25ea4
SHA256 502b9c74fa0f6138a3ebfbb67829bfe267074f78cf6119b35e9975ef2176f503
SHA512 af3d0c4b807ceb2a275a7f219ff98a2776ec62c3686de20078d6004e729984446edb9b7c7b4340e03a27c36236db7e8e6ad0028e1e14e5e1e9be0e266f04e01f

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevdatx64.dll

MD5 4b4e309fe52c6aa57674a4124a82b426
SHA1 8ac2bcb190b5185606b57234527b6d542a6df11f
SHA256 85e0225a8451b23fe9715939da1a9b8e780eca3c38277b1ad09acd9bf5dce20d
SHA512 d6004795a617869a2f46805eab28c509a077953da456c61c73a7f64eab2dd7f1bd75401bdadc068e09c0e0d7238eee4cb6dfa5070756479443ea2d77e76c3cba

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpD00701.dll

MD5 e8bcf046f729253f2bb24ea0e8c047b9
SHA1 8104533c4bbb4265f71a87bb5d6966ea64974b66
SHA256 039966724018cf96157f1ee7f7cdf48f4f20a76192d920d55504ed1dcba7de7e
SHA512 df9fa6308c8b0b7128b78bf9bb3314c34f26fcf70799caae5f376fa418f99c5d2db439137718ad4f052d273719a95741d9a5d5bc2d17fc4ad1318281d20e2959

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevctl.dll

MD5 7b3f4907bc409960c300ae50420c16a6
SHA1 ed97b09cb7853cd056e8d7d6318c0ead13b267a6
SHA256 09649414f843036df5c30846aed6059e0f43e973a729b07e8f690f4b668ddac7
SHA512 81eb78daf1849f3933b0622a6418ddf9d863a793e41b958e1641e5cd7d42928595df0ecdd35c5e30aa60117ae896fc0e6692e3f5461020b5bb547ad3fe6637fc

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevdat.dll

MD5 2eccd46878dce0f84dadd29498bd900d
SHA1 d30ae67c9ca5dc53b8d1583bdae6c43dbaec3f37
SHA256 20b41562147e635d60e875cbef43f17d2373cb18fed9f8dfa97c2553b4f1e121
SHA512 b397366d11111dc613c7e4cde245d1a98864ba5b7c1a576c0d3ec7e8228bffcae2340ba375978d401b886e765785b207c2d652180d7c6f388130adf9b5ac93ac

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\usbdpfp.sys

MD5 4846d37bba87b2e6138074ee076e367e
SHA1 e2e478efbc83b2fb604bd60af032402c3654f176
SHA256 098a0d4bcbad10920e2e05f7da06f291e711a766afdf293d2306ee44879f6436
SHA512 5a17f715556088b4f9d8ddcb298d03ff8fd61f23ce1c3c80e4f79ae6c34a18526d1829b8ca0d21be6513f4c6322fa770fdc7902c4569c452bcba84510be00c71

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpI00701x64.dll

MD5 ed673140ea6f2cd1b8fcafa041f02f2e
SHA1 d5ad7a43b53a965f4a1a9c76b1c609178993f27d
SHA256 107efb5853e1926be84164e7d21d5d56c7dcacd6b599838353ae95baa46ed059
SHA512 ed4d0ed91ac6eadd90acba5dc783f108469ebfc111ca2169dbce139d8dda6e822ea8e15b64509f436d950e159c12d95a08aa8ca685c242059ba92b392f43b123

C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpD00701x64.dll

MD5 39837e0c027fa2b35e4b406941dc01b3
SHA1 0e43708086396f5f21d4191fe115449e2e98ca32
SHA256 2728b5ed610ef55e89784fd5508b366d2bc7efdc5bf3e75d51f5dac82c4dc294
SHA512 b534508e0245f822698cb813da1d31bdd3d6d2bf60c005d510628adadc8b28ca608082f1c06bfb8a337e3e4a5eb5bf53196d0540c55335a7948ef75559bced47

C:\Windows\System32\DriverStore\INFCACHE.1

MD5 f1191f5d486cf449183d213a99c0a8ad
SHA1 1a26cfc57a65919e5b90dc813f9c49449e91b098
SHA256 b814b0943fa9e90a4dbf1d7d521af32c0a8dda053956f94f689d0769804111ef
SHA512 b9985b1cd9699357aa8826c7cb45f3ee6735d3cd7ba41794d594de7eb6b927412113920ed6e3ae0b1abc688b44e372fe4c58308ccbad4e7845f0f82159605e82

memory/2128-1558-0x00000000009D0000-0x0000000000AAB000-memory.dmp

memory/2096-1559-0x0000000000600000-0x00000000006DB000-memory.dmp

memory/1552-1560-0x0000000002330000-0x00000000024A3000-memory.dmp

memory/2936-1563-0x00000000001F0000-0x0000000000216000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\45f2c6a1c069e80380428ef0ab87c5f7_a42634aa-f501-41cf-bed1-b8158857da02

MD5 eb41356e1a0c8c85d0a55ebd0f39df82
SHA1 ab22aff972bae2bfa240f0223fdc40f79312dfe5
SHA256 10c6dcb3c67749c95b877a4c48ff6bef6d321d9faf99a9336a6a9093e3eff279
SHA512 0f479594453786f06c40de98be035a440c6d80672bbbbce5d01b0349779e3ba2f48ff269098bda2e6bc41f42c9646d592af00c6cb769f4a48bb5c4db1947357b

memory/1944-1570-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1944-1573-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1728-1574-0x0000000000400000-0x0000000000414000-memory.dmp

C:\ZKTeco\ZKAccess3.5\msiexec.exe

MD5 6c985ebcd34f92d666b365b28272195f
SHA1 03b8d4cf8171b650ed68efc3c41258878c35d433
SHA256 a49ba96ce00aa92df7291454208637538af31c6df4dfc268c1dd8463a0d65c99
SHA512 c8879889fdc80caa97445e1b5e716ae6e5223fd06634d1957cf7da20c1aefe866e45513e8ce6adf2ddc396702ac720f0f56f961051053c7980a426c3da090f70

memory/2892-1587-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2892-1591-0x0000000000400000-0x00000000004C1000-memory.dmp

memory/2008-1592-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2320-1593-0x0000000000280000-0x0000000001B68000-memory.dmp

memory/2320-1594-0x0000000005FD0000-0x00000000060A2000-memory.dmp

memory/2320-1595-0x00000000037F0000-0x000000000382C000-memory.dmp

memory/2320-1596-0x00000000038E0000-0x0000000003914000-memory.dmp

memory/2320-1597-0x00000000060B0000-0x00000000060E6000-memory.dmp

memory/2320-1600-0x00000000073A0000-0x0000000007708000-memory.dmp

memory/2320-1601-0x0000000009F60000-0x000000000A1D6000-memory.dmp

memory/2320-1602-0x000000000A1E0000-0x000000000A6DA000-memory.dmp

memory/2320-1604-0x000000000AA40000-0x000000000ADA0000-memory.dmp

memory/2320-1603-0x000000000A6E0000-0x000000000AA3A000-memory.dmp

memory/2320-1605-0x0000000008100000-0x0000000008168000-memory.dmp

memory/2320-1606-0x0000000008170000-0x000000000818A000-memory.dmp

C:\Windows\SysWOW64\commpro.dll

MD5 828bd419d3c3c4c4c1467e7efb590fd7
SHA1 5cbca9c37e04bc54003ddca3c28e935af6f9c603
SHA256 c64cecca165db8cfbf6bd6c99fd139d5bcf82d0d8926c7281902d77beca61c6f
SHA512 fb24066b4b0558cd914d2998aed6361fda1558941ff257e46f9d9cd8ae24b69b3bb5832f7c08ed4fccaf4b09cbfb6cb7f8b42526c6bf013e0374d7df3b611461

C:\Windows\SysWOW64\rscagent.dll

MD5 fcb235c79bb0979b99a471fb60ff4e20
SHA1 b26906b379ef324a24aab6a40729efbf53c24702
SHA256 0a1170824c160f3520260fda8e0172f09e5ae8a52485b932f87f7c5dcb7a297c
SHA512 dffee19da85966037e5100f32c2b58b339bba81b338419c9303df3608c7458b649de0c41ef6c68a82a3b62915752410c9bedb06b204cbd9fd0345adba2ac0791

C:\Windows\SysWOW64\zkemkeeper.dll

MD5 3231d0b478e3304c12daca897895f760
SHA1 876f6bc1c05f4c273fa612390b493012522d906e
SHA256 3dfde9ffaa85e71b51207fdf0d3dcd746920dcafad7eb298b10d9b30bda06852
SHA512 6dda01efe97adf421c70a726135e476d48439219618f45e5395ad766ed649416bbf7f4efaa5abcd8e58e5c930017889a3f084a9afae05f6df2e41912e0bdc495

C:\Windows\SysWOW64\ZKCommuCryptoClient.dll

MD5 bec7b5aa9fcf7e45642a031003e0f600
SHA1 fcc9eef3716aaf670c4cb52e7c1cc93ed61466e1
SHA256 1dd347bda2c3fe594bc30c038325bfe5ce30978603f30bfe96c441af3c971f8e
SHA512 c43d3cd341d2988c3495dcc53a928c2d248cceeec773d01929c068eef21a8ee41b8b0bc13c937c836c218c075237e3c3660933623c634976d64610528b63c1b4

C:\Windows\SysWOW64\usbstd.dll

MD5 6bed769c8749572585b77fb2466b48f7
SHA1 ea73ca63c23bcdafd326d5d2014cc0a5ce720acc
SHA256 7c16210299aba8b0dd209d7d708a911db73ba20fd685fa42f87ca6525b831bfa
SHA512 9083c9f729bb394ef9aa8eebbb8b9262095ef7c8bbdb48f8e7f72a5beb2ff8eaff657fdab0217a1827a5f0807fbc33879426974f6728f9034b223cc1b08cee0d

C:\Windows\SysWOW64\usbcomm.dll

MD5 192a3f959976b85af6defef3f3f6f565
SHA1 308c4c489d8b7c9df8214945e0a250cbee10307d
SHA256 0d8fa044c00744db17d326e08d8bf9de06a70f410b844b1834ba8fe6534acda4
SHA512 2b04a5e5d25ba02e92056df5353472b0352fa1614617dd5615c518b04a01c72a974f2c8ed57ab369da839661208cd61fdeec71bb883b06e5e7d47ed357a10601

C:\Windows\SysWOW64\tcpcomm.dll

MD5 364b784929e976115aac87fa09472b05
SHA1 af615fb20e3ba2b512af04f6164ad009c289cc2f
SHA256 6db3198b11f90accbf3934a095adabaa81ca4dac3aae18b0a45b1dc785d9bf25
SHA512 f65f382214dd5ec2ec80f2ca2bee8e87622c6bbeb45059e8ea8c0a80eb914ef70266ba41afe7ce7b31d54667cbf0cef03757d31509afc63f6912fb06fc358f6b

C:\Windows\SysWOW64\rscomm.dll

MD5 8b2c16a96745ae744b7b16e7a482de01
SHA1 f4d3dbc220615c46e88494ff5a60f27862f9496c
SHA256 e115131e1741e327036c807d55265147ea18d723e7a7703ddc9373e5330bda26
SHA512 db42195e929429874505081e63a5a11e14b100e130901a8454cb97426e747a663ed01ca72faabb97e4fa536ac58d3f93e485d021880e6157635ce9a8cf80262f

C:\Windows\SysWOW64\RDTAPIs.dll

MD5 19521bc3f7c700a58b53b49409676d51
SHA1 a504ab190a6834dfd9c32436d4df2fa489efde22
SHA256 825d95e102ecbc0e6a52480c42c0125273197e4f43de9e4bea6693a2214f0a9d
SHA512 1c5ee301ef319a614d8c6800eabc9741729a1e48ebbca0e9790af3168e4c3ab3a588695c7467b74de3a28a67fb981932a6db4604481fdeb857813dfe84dad9b7

C:\Windows\SysWOW64\plusbcomm.dll

MD5 dd40e2bc0b09100b448651f339cc1836
SHA1 e58f78ed874b53841c638e303c78bc1c651bc5e4
SHA256 5fe0a40c6a2168a0d72444f51d1848d31ccb09f0c9f1e2e9a18b160723730e8d
SHA512 2e535257cd33bdb2c975ddebdeaddc63a67109040a13253c3beb3fec17ecb374c40167f00a40da63e66b0554b351159399633c21ff2b64a8ec4aef025ed8b83f

C:\Windows\SysWOW64\pltcpcomm.dll

MD5 90b4dded7c04b0604e7f2a860b435087
SHA1 045fd76a357c37a78a7504abe682fa889227b3d8
SHA256 ac0aa7c014ec80c167c07fc185a022dda128bd30b97809e4e604b90b836de32c
SHA512 2134845dbf3d8f625f164e3f12673a6af8e268d0b868dbf3a629b2bd5cd4365d535f9fa1cb9e94cab9a8bdf91762b0b80f1bed12baf1c7f91d6a80029660a80c

memory/2320-1632-0x000000000B070000-0x000000000B0B8000-memory.dmp

C:\Windows\SysWOW64\plrscomm.dll

MD5 adbdbfa949b6b948c3141e439f279263
SHA1 6fc0222417739da3fd4da30e46c1f4fe31938cb5
SHA256 720fa39785a97dd3792d4811800c413abdacaca2e7bdbc43123b2cf55cbfe010
SHA512 3a488ebe0528424ec1169891004f5113a097928546257afcb7c9bf96688b4d6460b0a5db4c245a078447532619d19576af669f90babbb36ad055d073e933ffd8

C:\Windows\SysWOW64\plrscagent.dll

MD5 f0a75bfe2c5e5487399f72886c581317
SHA1 e40dd78180fed788babc1c1a5384efbf0db8d85a
SHA256 971e2180b34ec63aa6b01583cba5d2bbfd81b8c82a9574f11a813ed4b1554def
SHA512 0b068a8eaba62a9874da6f2d5e034ace09197859f080224cc42c9bb4f175072bd4125885649f909c48a5536618852f55b69c5d97a381622af20a8d68e9407985

C:\Windows\SysWOW64\plcomms.dll

MD5 3fcb10c4d43770ebb1e2772242ca3128
SHA1 db5da8754e4e1eb2764f702f1d7acaff09b2090d
SHA256 93d6eca4a41fc20f790721b1d339192faa8afc8dd6ee5a2d09a4aa7443641b98
SHA512 2eb0108c0cbdce71310bf464ba56f5e29eec0bcb8e64fe6630b95ba6a30c1573cab4fd87eb073a0fdea0a7e567d4eaa11db168bbf083874cd4cee420205244cc

C:\Windows\SysWOW64\plcommpro.dll

MD5 08040571c103050308f38ef2fdcd657d
SHA1 a003e5b5645a601a2958d582ef3fcb6a02a91006
SHA256 760338d21e26365b4c726d93ff6a8279a47e4b1d4a16d5ffab17c10c628f2af8
SHA512 5c179be30148dbd78e7ada10937bcdce01f56a06725e954369c2e17bd77bf8ca4facd299c8f7ff556a6fa715483c6e49f91c327b1a33c7dfa2dfa85b940b01f9

C:\Windows\SysWOW64\p4pcomm.dll

MD5 76cbc221ce8f7025a73209996b57e15a
SHA1 d7d6dfc704bf0cba64d30f6f28e2023ca0dc6bab
SHA256 182dab50f936c7bd5e70c05d478b35e0ca5bf13397f983b3468352421e89f9cf
SHA512 153c95a8149bd990e0013e24f70a29e700eaf28f0a280af4b9e341c84907319ee41c9e34f8822d2a7c3ebf8fece930e1cc05fec9b481d66be3f39334618bdd7e

C:\Windows\SysWOW64\p4p.dll

MD5 6b506ed4da3392f9156852df33219009
SHA1 4237e716d77c8314d603524784382f857437dd09
SHA256 ffe70331c087621a2967fe2b2672d64931b906695f03d3c87552fb5d61a704ec
SHA512 010457a874f3d2dae6fd8e9dc2aba4c69577b54389b45744d17232436aeccc0d07ce8266bc2589c200c44bc3734df2a041a16ab2fea53cb882765d5a577099fe

C:\Windows\SysWOW64\libareacode.dll

MD5 0df0b735d7c59687d55465d1e39178a4
SHA1 af70f8e696353d184295ff465ded7ec5e94a9716
SHA256 857f7d10ac7929ac92bd347eecc134d83fcb98daf5800bbdb67e646c10df7489
SHA512 01d72d3617f3eef71480ce5004f867bded5a6b91b2f599bb2cdda7c3ab0d607c9761c741114fb138484512a37841fc24ed68859779560814a0151338665e5253

C:\Windows\SysWOW64\IOTCAPIs.dll

MD5 ebbec369b0257007e1b4dbcedabc222b
SHA1 e7d968f0374178bb918e7db50cd56664341bf5cc
SHA256 db4e4a48566a7ec7da0f1ec8dddb237c43c17c00ffe871b96a8ddd54e1d082d7
SHA512 248a2f74ee4ae844b542934eefcdff3febd096d3586776dff71051f697ffafcac3f4f97da7999d48913d276a404715eaca33b4b9b9648de4323cb71d7d388d5d

C:\Windows\SysWOW64\comms.dll

MD5 15c6e3c1b83d19c74c9f15f173d6a54a
SHA1 819b966af9d1d69b22dcefc92d448705ccd734bc
SHA256 096d7c6f697f9bcf1273db5e5452085279a270f2cf5a353c1b3bd483bb30ca9f
SHA512 0c06e8cc2e75bf012d56e619529ac69995614e6afdf164506a0ee1181851801e4da473cb0472f114bfc96edbbf00f11e4040635c0e1e04c081f6a5389885e943

C:\Windows\SysWOW64\zkemsdk.dll

MD5 a2d5bb4d7048b20b71569ebd2815675c
SHA1 0b7561f6be58271b88dcc670f3bb23953a437b35
SHA256 51110bd61d574107398d433b57a40930e8eb2fa07640c3dfe2f01e344d5a14dc
SHA512 da1157ef8d430c994a826d6e89f9a2016ee75d8366d22a9b7904b904b7404c33e437759168952597fa1f628dd222f63b7bc2df6e0c57c30238c81837a925dca3

memory/2320-1636-0x000000000B130000-0x000000000B193000-memory.dmp

memory/2320-1640-0x000000000B200000-0x000000000B230000-memory.dmp

memory/2320-1644-0x000000000B1A0000-0x000000000B1AC000-memory.dmp

memory/2320-1645-0x000000000B1B0000-0x000000000B1BE000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Languages\emnetman_en.xml

MD5 92e522fd6545058d864b21b77b8619a0
SHA1 9cc4f134f8518c50b7c89d74ebc47fbf2ab76aff
SHA256 3d976c84865aa61d55abb63d5f3d54a5e804ab139036a135d5021d242d5de0dd
SHA512 345708503b16dfe004a66aee7bd20a221fa054f2417ab64aec0f624ec35afd2793e6dbc9a9cfff834aadfbaf9d34360561ed112a38d8d18e42acee89e91e220f

memory/2320-1648-0x000000000B790000-0x000000000B7F8000-memory.dmp

memory/2320-1651-0x000000000B340000-0x000000000B34E000-memory.dmp

memory/2320-1650-0x000000000B890000-0x000000000B8FA000-memory.dmp

memory/2320-1649-0x000000000B3D0000-0x000000000B410000-memory.dmp

memory/2320-1652-0x000000000B900000-0x000000000B98C000-memory.dmp

memory/2320-1654-0x000000000BAF0000-0x000000000BB1E000-memory.dmp

memory/2320-1655-0x000000000BB40000-0x000000000BB60000-memory.dmp

C:\ZKTeco\ZKAccess3.5\Access.ldb

MD5 9c1ea0bea2ba416274f7e55e00a33ba3
SHA1 40894fba8cee86694fa3e3e72f8595a2979e5115
SHA256 d51d3f403d2cdb64e9153541c359e393f2f9cfd9d660ba0fe97e972d2ca32480
SHA512 25af1875d9cc7b9361549b286ea97bb6c7c1e15259a17200d3c82acae98ccbf34a101817ac0580982f1ed24b9735e8b12af2522ce6e3145be96ab28bbef72f15

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 dba25e326687e18486cc2c91ede9961a
SHA1 b4998e667dba2b8d440b2719661538a1e84b5c62
SHA256 fab3b940a190d4d3512f0857627ec6808fec300f207b064b2f37e328e2be8d9e
SHA512 a0d485bfcf85db25032adaf28996663bbbe647069d5e810df91f5abe71165fdabed637cffc89b83d20845491d4e5d62b163c19191797ecf01ddf8c6586a98a57

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 752eed990925ebfc24a768b48d25a667
SHA1 0137cb3e8dddcd311fcd204cacf0900a7020456c
SHA256 cf0dfb94e544750390e14200c5b20e367710b0d46fd4b4fd8807af7178691e42
SHA512 b72ab6a2cce949958b17a6aa64f6bfea358f52650feaab0e063fcd504c983193b8bfd3e71aab16fe05e0595773125529bd806dd38f2326028a6e3039762a1c5c

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 b96171739e39b38812d80ebfe399fd17
SHA1 5530ff5322ecc9d252e5d3b9638a7604d1bdab69
SHA256 58b33ad9e0bdf27e2be6761ceb423d3345fb0c8620df99a57dfb05ff47b99bf0
SHA512 864b2a6ef94098d358202866acacb3a80d846d4adb2356ce8806d9effeb7f8130422e0f660297a8ee0f8dc3a11ab5697bff0ecea06891c79dbfe002548997aa2

C:\ZKTeco\ZKAccess3.5\Logs\20240510\ex08.txt

MD5 77163cce4b77e0b9f244dc29de5d9f81
SHA1 e77ba995865ed91afb0003ef9739dfdb79ad6b14
SHA256 c1e6419fe7bb627f1c0be2ecf735385cdebc33d1e334d388f4f18eaf07a367a4
SHA512 5ae82f0e68f8c1cfbc354a63bafb804d71bb863e8f8f9d5684a444a1761d080f774725ed6696625e92a6948f148ad19b4cf6a3b1e723aa029390c00118366003

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 70492b1c841c1295d57f51378a24cb05
SHA1 a0879e4f75054b464bde3c1a4c419ab47f8a3ad3
SHA256 3a2a4c58d21aed26a00d9cffa315111b79df7b554c950cd287a62939b4c6f27e
SHA512 be7920b3c78e3896ff0b952abfeceab393c46ba3b91d081f3eae80a119d687ccb0c07b4011e09b910c7dff83b866eebda4c4469afb0242e92aa386be9c76d723

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 cb9bc3ddd89bab4517157f78ee794ca5
SHA1 4c2ac139c06f7579c19197695e3aafecc90489f9
SHA256 15de6e1fdbae145caa3c011f1eb6be81e8f2e6d56fe350a74dbe5c573ebaaa84
SHA512 1cd1eb325f5e8b4d513f8dea44032ce49789d405ab30d9994e5617abe9ca0220879eb7dac909e7e9f41624fff5b45c95704c134b52d9b21734097cdef8ee8166

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 7bf3b41fa33fe37b634607eb4b5e5975
SHA1 1f124a8c053d1111b462d0803bb83d880056dd6b
SHA256 158ea7592f1533c9aa45c12ace157ea31be35a55f21dbc1569782fe7dd240c64
SHA512 af04b506bb50389db784d4dbf31468d15e84d682320d1a97e1aab14442b9519d9b9890673a3fc68f93e1f8e1610b742ae3f60c9f4c79a32c5e1e32c9d0d46337

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 b511fbcccde75f513f68de61fa69d031
SHA1 069270a19c9a48591ac41e05a1a801a0653a6af4
SHA256 810a7da91d4719b4ad6c67635298d8eaa342fc4e12ccfd7f2ed491d3eb7b53d6
SHA512 ca77997f517d57504d67b70fc5e738c12b44ed32ebd38adb491f391e508e1ff2f6a91955e38c5993603d771439983f82bb13bbb56a8f034cb079c5f0d65fab83

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 1243553e61855aa67f94aea8378cb12b
SHA1 345a89a1875ce099a98bfc55d0aafc7abd93513e
SHA256 44fc6e6e08996b48a99e8bd5b73ee91b30054acd6ea09b595c90e4517d26ba21
SHA512 800b255d4305daeb05f649493d55d7cc0323e01aa4defce7c867c08cfa4c5c74fd4c27f19e84687fa054e972b09044ae3441d137ed2c4f38ec4b6857b5eafc8a

C:\ZKTeco\ZKAccess3.5\Access.mdb

MD5 f2ffa8e4f42a54016ee94a1868055881
SHA1 b95490ce37b3a5a5e158d496b2f9769549cd5bd4
SHA256 b4e90c82859ecfbf482e4c44a1bd6a5b1731de52efddcb2cc804284b1f592b10
SHA512 31e15689ead0955179a09353864f3cefb9d6c73c7ac29526a345ed34e5191980bbe0b40f9e611c37d378f72caeae9b1c335ca35ecf73372d0c015ef8863256a7