Analysis Overview
SHA256
6550d561ccdfa0ad2e470d02a4c966121690238334cd96a0e55e32a6d26c1965
Threat Level: Shows suspicious behavior
The file ZKAccess35.zip was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Registers COM server for autorun
ACProtect 1.3x - 1.4x DLL software
ASPack v2.12-2.42
Executes dropped EXE
Checks installed software on the system
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs net.exe
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:50
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:48
Reported
2024-05-10 08:54
Platform
win10v2004-20240426-en
Max time kernel
157s
Max time network
156s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\DataBase.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| N/A | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\system32\\DpClback.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DPCms.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32 | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\is-LHDST.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E49.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-5F2M2.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\syswow64\is-SK4VT.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-BID1Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevdat.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-U90BR.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-VMVQS.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-1A7V4.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082}\ZKFP.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpD00701x64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\syswow64\is-7MU7P.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\syswow64\is-F2IHN.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-B7UHO.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-5J35S.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-207K3.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-QIV5T.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevctl.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\plcommpro.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-2LM7F.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\syswow64\is-BN47I.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\usbdpfp.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\pltcpcomm.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-TDIR2.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-NPMD0.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2DF1.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E03.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-8GQI3.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-52P43.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-4GI7N.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-QOLV1.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-FI9BB.tmp | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-M9342.tmp | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| File created | C:\Windows\syswow64\is-S3JSR.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpdevctl.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpD00701.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\appsyn.cch | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| File created | C:\Windows\SysWOW64\tcpcomm.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-51BAA.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-27GVV.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-50S5Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\dpersona_x64.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E49.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-4EP8D.tmp | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-H1L2L.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-EEKCI.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E59.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpdevdatx64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\dpersona_x64.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-UUV7O.tmp | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1287397d-4a55-ca4b-8052-efd00823c082}\zkfp.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E08.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\zkfp.inf_amd64_ab1035548178aff8\libusb0_x64.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E48.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-2SHD9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d1784271-b34e-1541-a706-5800267be9ac}\SET2E59.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_d9a56a0c507c5e8f\usbdpfp.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-JLSVL.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-4QE35.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-CQJSU.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-4EHEE.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-A5HI5.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FPSensor\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\bin\is-8V5FH.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-OEA8I.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-4RLR9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-R5BQ2.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\it\is-Q3QRH.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-M59HJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-D24IB.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-MIO5O.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-MCP35.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\es\is-H2J14.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-LUGJG.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-A7R7J.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-SFA97.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-3I2IU.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-CC0Q7.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\is-L7BP1.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-727IM.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-N0A6G.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-JU9M3.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\de\is-VQLPF.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-TCD3K.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-CPH1N.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\en-US\is-AM0OH.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\is-20ULP.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ko\is-GTVIC.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\pt-BR\is-R9GVH.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\is-TDGOL.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-IVO52.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-6SN2E.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-3I6RJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\PROGRA~1\DIFX\0169CE3A95F06636\DPInst64.exe | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-EIKQ9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-RIKC3.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\fr\is-U9VEA.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hant\is-3K3AE.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-GT7PH.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-9U5MF.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-4CGPT.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-6FHD2.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-NQ82F.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\is-L987D.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\DPDrv\is-RPICS.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-CTOMU.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-AP6LT.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\zkdrv\is-AJKRI.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{91EFBF0A-594C-5C14-AEC0-96516B69ABDE} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\zkdrv\is-0BQI9.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5157.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-82QU0.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-23QE6.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-CDVPJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-J7GCL.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\Installer\e58507c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-RHC85.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\Installer\e58507c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-V2T2Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-U3KE5.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\DPINST.LOG | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\zkdrv\is-0M95H.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-8HE34.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-S4OQ1.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-3V5R4.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-21I2Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-RVJ8C.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-C30DT.tmp | C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\Installer\MSI5177.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\dpdrv\DPInst64.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\ = "AFXOnlineMain Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\ = "ZKEMKeeper 6.0 Control" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\ = "DPCms.Client" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\InprocServer32\ = "C:\\Windows\\SysWow64\\ZKOnline.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zkonline.AFXOnlineMain | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0 | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ = "IFPProcess" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\ZKOnline.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32 | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ = "IZKFPEngX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Verb\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{FE9DED34-E159-408E-8490-B720A5E632C7}\ = "zkemkeeper" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{02060A64-B3DC-43C3-A85B-5F5BABAB57BC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\ = "CZKEM Object" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\ProgID\ = "ZKFPEngXControl.ZKFPEngX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\ProgID\ = "zkonline.AFXOnlineMain" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\Clsid\ = "{253AF648-E194-49D0-95CD-E5071519517E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ = "IZKFPEngXEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\ = "FPProcess Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\1 | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Control | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\ = "FPProcess Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Version | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\zkemkeeper.dll" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\HELPDIR\ = "C:\\Windows\\SYSTEM32" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\SysWow64\\DpClback.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib\ = "{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
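Analyst note on the two tables above (added example, not part of the sandbox report and not vendor tooling). The SCSI Enum reads under "Checks SCSI registry key(s)" come from DrvInst.exe, DPInst64.exe, svchost.exe and the installed DpHostw.exe, i.e. Plug and Play driver installation walking the bus, which any driver package does; the same reads issued by a dropped payload would be a sandbox-evasion signal, and the vendor strings they return (QEMU, Msft Virtual DVD-ROM) identify the detonation hardware. The "Modifies registry class" rows are COM registrations: each InprocServer32/LocalServer32 value names the binary that will be loaded whenever that CLSID is instantiated, so the path and the writing process are what to check. The script below parses rows in the report's own pipe format and does both checks; the VM vendor list and the trusted-directory list are this example's assumptions, and the one row marked CONSTRUCTED is invented to exercise the flag path.

```python
"""Triage of sandbox-report registry rows (added example, not part of the
report or of any vendor tooling).

1. scsi_devices / vm_indicators: which SCSI Enum devices were looked up,
   which expose a virtualisation vendor string, and which process read them.
2. com_servers: which COM servers were registered, by whom, and whether the
   server binary sits in a directory a normal installer would use.
VM_VENDOR_HINTS and TRUSTED_DIRS are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Rows copied from the report tables above.
SAMPLE_ROWS = r"""
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\InprocServer32\ = "C:\\Windows\\SysWow64\\ZKOnline.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\SysWow64\\DpClback.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

# CONSTRUCTED row (not in the report): an in-process server pointing at a DLL
# in a user-writable temp directory, written by the report's Setup.tmp process.
CONSTRUCTED_ROW = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEADBEEF-0000-4000-8000-000000000001}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evil.dll" | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
"""
ALL_ROWS = SAMPLE_ROWS + CONSTRUCTED_ROW


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_rows(text: str) -> list[Row]:
    """Turn '| a | b | c | d |' lines into Row objects, skipping header rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(Row(*cells))
    return rows


# \Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>\...
SCSI_KEY = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\",
    re.IGNORECASE,
)

# Assumption: vendor strings that betray a hypervisor or virtual optical drive.
# "MSFT Virtual DVD-ROM" also appears for any mounted ISO on a physical host,
# so on its own it is a weak indicator.
VM_VENDOR_HINTS = {
    "QEMU": "QEMU/KVM guest",
    "VMWARE": "VMware guest",
    "VBOX": "VirtualBox guest",
    "MSFT": "Microsoft virtual drive (mounted ISO or Hyper-V)",
}


def scsi_devices(rows: list[Row]) -> dict[tuple[str, str, str], set[str]]:
    """Map (class, vendor, product) -> set of processes that touched that key."""
    seen: dict[tuple[str, str, str], set[str]] = {}
    for r in rows:
        m = SCSI_KEY.search(r.indicator)
        if m:
            key = (m["cls"].upper(), m["ven"].upper(), m["prod"].upper())
            seen.setdefault(key, set()).add(r.process)
    return seen


def vm_indicators(rows: list[Row]) -> list[tuple[str, str, str, list[str]]]:
    """(vendor, product, meaning, sorted readers) for vendors in VM_VENDOR_HINTS."""
    return [
        (ven, prod, VM_VENDOR_HINTS[ven], sorted(procs))
        for (_cls, ven, prod), procs in scsi_devices(rows).items()
        if ven in VM_VENDOR_HINTS
    ]


# Assumption: where an installer is expected to drop COM servers. Anything
# else (temp, user profile, arbitrary top-level folder) is flagged.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

COM_SERVER = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\(?P<kind>InprocServer32|LocalServer32)\\ = "(?P<path>[^"]*)"',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ComServer:
    clsid: str
    kind: str            # "InprocServer32" (DLL) or "LocalServer32" (EXE)
    path: str            # unescaped server path from the registry value
    registered_by: str   # process that wrote the value
    trusted_location: bool


def com_servers(rows: list[Row]) -> list[ComServer]:
    """Extract every CLSID server registration from 'Set value' rows."""
    found = []
    for r in rows:
        m = COM_SERVER.search(r.indicator)
        if not m:
            continue
        path = m["path"].replace("\\\\", "\\")   # the report doubles backslashes
        kind = "LocalServer32" if m["kind"].lower().startswith("local") else "InprocServer32"
        trusted = path.lower().startswith(TRUSTED_DIRS)
        found.append(ComServer(m["clsid"].upper(), kind, path, r.process, trusted))
    return found


if __name__ == "__main__":
    rows = parse_rows(ALL_ROWS)
    for ven, prod, meaning, procs in vm_indicators(rows):
        print(f"[vm]  {ven} {prod}: {meaning}; read by {', '.join(procs)}")
    for s in com_servers(rows):
        flag = "" if s.trusted_location else "  <-- server outside installer directories"
        print(f"[com] {s.clsid} {s.kind} -> {s.path} (by {s.registered_by}){flag}")
```

Run it against a larger cut-and-paste of the report to get the full device and CLSID inventory. On the report's own rows every server path lands in SysWow64 or Program Files (x86); the only untrusted hit is the constructed one. The registering process matters as much as the path: regsvr32.exe writing a key is the normal self-registration route, while Access.exe and DpHostw.exe writing their own CLSID keys is the application registering itself, which is what the "Registers COM server for autorun" signature in the summary keys on.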
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Att.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp" /SL5="$7011A,380507,58368,C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\ZKTeco\ZKAccess3.5\InitDatabase.bat""
C:\ZKTeco\ZKAccess3.5\DataBase.exe
DataBase.exe
C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
"C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp" /SL5="$50208,17664398,56832,C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3ac252a2-4e4a-2f49-ba9c-9281f25500bb}\ZKFP.inf" "9" "429e2a833" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Windows\zkdrv"
C:\Windows\dpdrv\DPInst64.exe
"C:\Windows\dpdrv\DPInst64.exe" /s
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpersona_x64.inf" "9" "47ae312af" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "c:\windows\dpdrv"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DpClback.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Syswow64\DpClback.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\Syswow64\DpClback.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPAppSyn.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCms.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCOper2.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice2.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice5.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevTS.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpFnd2.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPFstCon.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPJasPer.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPMux.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPPTUtils.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpSvInfo2.dll"
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPTSClnt.dll"
C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe
"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe" /RegServer
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" start "DPHost"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "DPHost"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "zkonline.ocx"
C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe
"C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\zkonline.ocx"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "FPCom.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FPCom.dll"
C:\ZKTeco\ZKAccess3.5\msiexec.exe
"C:\ZKTeco\ZKAccess3.5\msiexec.exe" /i"C:\ZKTeco\ZKAccess3.5\USBDrv3.0_x86.msi"/qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 366EB9D9627B61A74D3CA34CC42A37AD
C:\ZKTeco\ZKAccess3.5\Access.exe
"C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\Att.exe
"C:\ZKTeco\ZKAccess3.5\Att.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| N/A | 10.127.0.70:1433 | | tcp |
| N/A | 10.127.0.70:1433 | | tcp |
| N/A | 10.127.0.70:1433 | | tcp |
| N/A | 10.127.0.70:1433 | | tcp |
| N/A | 10.127.0.70:1433 | | tcp |
| N/A | 10.127.0.70:1433 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\is-DMV1D.tmp\Setup.tmp
C:\Users\Admin\AppData\Local\Temp\is-PDN4C.tmp\isskin.dll
C:\ZKTeco\ZKAccess3.5\Languages\is-8KSB3.tmp
C:\ZKTeco\ZKAccess3.5\Languages\is-ADHQF.tmp
C:\ZKTeco\ZKAccess3.5\Languages\is-JDQ77.tmp
C:\ZKTeco\ZKAccess3.5\Languages\is-VERUE.tmp
C:\ZKTeco\ZKAccess3.5\Languages\is-IJT3F.tmp
C:\ZKTeco\ZKAccess3.5\Languages\is-9NOUF.tmp
C:\ZKTeco\ZKAccess3.5\is-G4L6R.tmp
C:\ZKTeco\ZKAccess3.5\is-KAOB1.tmp
C:\Windows\SysWOW64\is-PTM77.tmp
C:\Windows\SysWOW64\is-FI9BB.tmp
C:\Windows\SysWOW64\is-8BJV8.tmp
C:\Windows\SysWOW64\is-4EP8D.tmp
C:\Windows\SysWOW64\is-M9342.tmp
C:\ZKTeco\ZKAccess3.5\appconfig.ini
C:\ZKTeco\ZKAccess3.5\Access.exe
C:\ZKTeco\ZKAccess3.5\unins000.exe
C:\ZKTeco\ZKAccess3.5\Att.exe
C:\ZKTeco\ZKAccess3.5\DataBase.exe
C:\ZKTeco\ZKAccess3.5\InitDatabase.bat
C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
C:\Users\Admin\AppData\Local\Temp\is-4T1GP.tmp\FP_Driver_New.tmp
C:\Windows\SysWOW64\is-2TUV5.tmp
C:\Windows\SysWOW64\fpslib.dll
C:\Windows\SysWOW64\libusb0.dll
C:\Windows\SysWOW64\libcorrect.dll
C:\Windows\SysWOW64\libsilkid.dll
C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll
C:\Windows\SysWOW64\ZKFPSensors\libsilkidcap.dll
C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll
C:\Windows\system32\libusb0.dll
C:\Windows\zkdrv\ZKFP.inf
C:\Windows\zkdrv\zkfp.cat
C:\Windows\zkdrv\libusb0_x64.sys
C:\Windows\DPDrv\DPInst64.exe
\??\c:\windows\dpdrv\dpersona_x64.inf
\??\c:\windows\dpdrv\DPERSO~1.CAT
\??\c:\windows\dpdrv\DPD007~1.DLL
\??\c:\windows\dpdrv\DPI007~1.DLL
\??\c:\windows\dpdrv\dpD00701.dll
C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevctl.dll
C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevdat.dll
C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\usbdpfp.sys
\??\c:\windows\dpdrv\DPDEVD~1.DLL
\??\c:\windows\dpdrv\dpI00701.dll
\??\c:\windows\dpdrv\dpK00701.sys
C:\Users\Admin\AppData\Local\Temp\{b773fb63-4da3-c64a-be04-e4434cad85c8}\dpdevctlx64.dll
C:\Windows\System32\CatRoot2\dberr.txt
C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll
C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll
C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll
C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll
C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\45f2c6a1c069e80380428ef0ab87c5f7_41e50f4a-4a76-42e1-a3df-51306e426307
memory/4548-1622-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/4584-1623-0x0000000000400000-0x0000000000415000-memory.dmp
memory/1432-1624-0x00000000009E0000-0x00000000022C8000-memory.dmp
memory/1432-1625-0x0000000006D80000-0x0000000006E52000-memory.dmp
memory/1432-1626-0x0000000007610000-0x0000000007BB4000-memory.dmp
memory/1432-1627-0x00000000070E0000-0x000000000711C000-memory.dmp
memory/1432-1628-0x00000000071C0000-0x0000000007252000-memory.dmp
memory/1432-1629-0x0000000007160000-0x0000000007194000-memory.dmp
memory/1432-1630-0x0000000007260000-0x0000000007296000-memory.dmp
memory/1432-1633-0x00000000074C0000-0x00000000074CA000-memory.dmp
memory/1432-1634-0x0000000008E70000-0x00000000091D8000-memory.dmp
memory/1432-1635-0x000000000A440000-0x000000000A6B6000-memory.dmp
memory/1432-1636-0x000000000ABC0000-0x000000000B0BA000-memory.dmp
memory/1432-1637-0x000000000B0C0000-0x000000000B41A000-memory.dmp
memory/1432-1638-0x000000000B420000-0x000000000B780000-memory.dmp
memory/1432-1639-0x0000000008CD0000-0x0000000008D38000-memory.dmp
memory/1432-1640-0x0000000008CA0000-0x0000000008CBA000-memory.dmp
C:\Windows\SysWOW64\commpro.dll
| MD5 | 828bd419d3c3c4c4c1467e7efb590fd7 |
| SHA1 | 5cbca9c37e04bc54003ddca3c28e935af6f9c603 |
| SHA256 | c64cecca165db8cfbf6bd6c99fd139d5bcf82d0d8926c7281902d77beca61c6f |
| SHA512 | fb24066b4b0558cd914d2998aed6361fda1558941ff257e46f9d9cd8ae24b69b3bb5832f7c08ed4fccaf4b09cbfb6cb7f8b42526c6bf013e0374d7df3b611461 |
C:\Windows\SysWOW64\comms.dll
| MD5 | 15c6e3c1b83d19c74c9f15f173d6a54a |
| SHA1 | 819b966af9d1d69b22dcefc92d448705ccd734bc |
| SHA256 | 096d7c6f697f9bcf1273db5e5452085279a270f2cf5a353c1b3bd483bb30ca9f |
| SHA512 | 0c06e8cc2e75bf012d56e619529ac69995614e6afdf164506a0ee1181851801e4da473cb0472f114bfc96edbbf00f11e4040635c0e1e04c081f6a5389885e943 |
C:\Windows\SysWOW64\pltcpcomm.dll
| MD5 | 90b4dded7c04b0604e7f2a860b435087 |
| SHA1 | 045fd76a357c37a78a7504abe682fa889227b3d8 |
| SHA256 | ac0aa7c014ec80c167c07fc185a022dda128bd30b97809e4e604b90b836de32c |
| SHA512 | 2134845dbf3d8f625f164e3f12673a6af8e268d0b868dbf3a629b2bd5cd4365d535f9fa1cb9e94cab9a8bdf91762b0b80f1bed12baf1c7f91d6a80029660a80c |
C:\Windows\SysWOW64\plrscomm.dll
| MD5 | adbdbfa949b6b948c3141e439f279263 |
| SHA1 | 6fc0222417739da3fd4da30e46c1f4fe31938cb5 |
| SHA256 | 720fa39785a97dd3792d4811800c413abdacaca2e7bdbc43123b2cf55cbfe010 |
| SHA512 | 3a488ebe0528424ec1169891004f5113a097928546257afcb7c9bf96688b4d6460b0a5db4c245a078447532619d19576af669f90babbb36ad055d073e933ffd8 |
C:\Windows\SysWOW64\plrscagent.dll
| MD5 | f0a75bfe2c5e5487399f72886c581317 |
| SHA1 | e40dd78180fed788babc1c1a5384efbf0db8d85a |
| SHA256 | 971e2180b34ec63aa6b01583cba5d2bbfd81b8c82a9574f11a813ed4b1554def |
| SHA512 | 0b068a8eaba62a9874da6f2d5e034ace09197859f080224cc42c9bb4f175072bd4125885649f909c48a5536618852f55b69c5d97a381622af20a8d68e9407985 |
C:\Windows\SysWOW64\plcomms.dll
| MD5 | 3fcb10c4d43770ebb1e2772242ca3128 |
| SHA1 | db5da8754e4e1eb2764f702f1d7acaff09b2090d |
| SHA256 | 93d6eca4a41fc20f790721b1d339192faa8afc8dd6ee5a2d09a4aa7443641b98 |
| SHA512 | 2eb0108c0cbdce71310bf464ba56f5e29eec0bcb8e64fe6630b95ba6a30c1573cab4fd87eb073a0fdea0a7e567d4eaa11db168bbf083874cd4cee420205244cc |
C:\Windows\SysWOW64\plcommpro.dll
| MD5 | 08040571c103050308f38ef2fdcd657d |
| SHA1 | a003e5b5645a601a2958d582ef3fcb6a02a91006 |
| SHA256 | 760338d21e26365b4c726d93ff6a8279a47e4b1d4a16d5ffab17c10c628f2af8 |
| SHA512 | 5c179be30148dbd78e7ada10937bcdce01f56a06725e954369c2e17bd77bf8ca4facd299c8f7ff556a6fa715483c6e49f91c327b1a33c7dfa2dfa85b940b01f9 |
C:\Windows\SysWOW64\p4pcomm.dll
| MD5 | 76cbc221ce8f7025a73209996b57e15a |
| SHA1 | d7d6dfc704bf0cba64d30f6f28e2023ca0dc6bab |
| SHA256 | 182dab50f936c7bd5e70c05d478b35e0ca5bf13397f983b3468352421e89f9cf |
| SHA512 | 153c95a8149bd990e0013e24f70a29e700eaf28f0a280af4b9e341c84907319ee41c9e34f8822d2a7c3ebf8fece930e1cc05fec9b481d66be3f39334618bdd7e |
C:\Windows\SysWOW64\p4p.dll
| MD5 | 6b506ed4da3392f9156852df33219009 |
| SHA1 | 4237e716d77c8314d603524784382f857437dd09 |
| SHA256 | ffe70331c087621a2967fe2b2672d64931b906695f03d3c87552fb5d61a704ec |
| SHA512 | 010457a874f3d2dae6fd8e9dc2aba4c69577b54389b45744d17232436aeccc0d07ce8266bc2589c200c44bc3734df2a041a16ab2fea53cb882765d5a577099fe |
C:\Windows\SysWOW64\libareacode.dll
| MD5 | 0df0b735d7c59687d55465d1e39178a4 |
| SHA1 | af70f8e696353d184295ff465ded7ec5e94a9716 |
| SHA256 | 857f7d10ac7929ac92bd347eecc134d83fcb98daf5800bbdb67e646c10df7489 |
| SHA512 | 01d72d3617f3eef71480ce5004f867bded5a6b91b2f599bb2cdda7c3ab0d607c9761c741114fb138484512a37841fc24ed68859779560814a0151338665e5253 |
C:\Windows\SysWOW64\IOTCAPIs.dll
| MD5 | ebbec369b0257007e1b4dbcedabc222b |
| SHA1 | e7d968f0374178bb918e7db50cd56664341bf5cc |
| SHA256 | db4e4a48566a7ec7da0f1ec8dddb237c43c17c00ffe871b96a8ddd54e1d082d7 |
| SHA512 | 248a2f74ee4ae844b542934eefcdff3febd096d3586776dff71051f697ffafcac3f4f97da7999d48913d276a404715eaca33b4b9b9648de4323cb71d7d388d5d |
C:\Windows\SysWOW64\rscagent.dll
| MD5 | fcb235c79bb0979b99a471fb60ff4e20 |
| SHA1 | b26906b379ef324a24aab6a40729efbf53c24702 |
| SHA256 | 0a1170824c160f3520260fda8e0172f09e5ae8a52485b932f87f7c5dcb7a297c |
| SHA512 | dffee19da85966037e5100f32c2b58b339bba81b338419c9303df3608c7458b649de0c41ef6c68a82a3b62915752410c9bedb06b204cbd9fd0345adba2ac0791 |
C:\Windows\SysWOW64\tcpcomm.dll
| MD5 | 364b784929e976115aac87fa09472b05 |
| SHA1 | af615fb20e3ba2b512af04f6164ad009c289cc2f |
| SHA256 | 6db3198b11f90accbf3934a095adabaa81ca4dac3aae18b0a45b1dc785d9bf25 |
| SHA512 | f65f382214dd5ec2ec80f2ca2bee8e87622c6bbeb45059e8ea8c0a80eb914ef70266ba41afe7ce7b31d54667cbf0cef03757d31509afc63f6912fb06fc358f6b |
C:\Windows\SysWOW64\usbstd.dll
| MD5 | 6bed769c8749572585b77fb2466b48f7 |
| SHA1 | ea73ca63c23bcdafd326d5d2014cc0a5ce720acc |
| SHA256 | 7c16210299aba8b0dd209d7d708a911db73ba20fd685fa42f87ca6525b831bfa |
| SHA512 | 9083c9f729bb394ef9aa8eebbb8b9262095ef7c8bbdb48f8e7f72a5beb2ff8eaff657fdab0217a1827a5f0807fbc33879426974f6728f9034b223cc1b08cee0d |
C:\Windows\SysWOW64\usbcomm.dll
| MD5 | 192a3f959976b85af6defef3f3f6f565 |
| SHA1 | 308c4c489d8b7c9df8214945e0a250cbee10307d |
| SHA256 | 0d8fa044c00744db17d326e08d8bf9de06a70f410b844b1834ba8fe6534acda4 |
| SHA512 | 2b04a5e5d25ba02e92056df5353472b0352fa1614617dd5615c518b04a01c72a974f2c8ed57ab369da839661208cd61fdeec71bb883b06e5e7d47ed357a10601 |
C:\Windows\SysWOW64\rscomm.dll
| MD5 | 8b2c16a96745ae744b7b16e7a482de01 |
| SHA1 | f4d3dbc220615c46e88494ff5a60f27862f9496c |
| SHA256 | e115131e1741e327036c807d55265147ea18d723e7a7703ddc9373e5330bda26 |
| SHA512 | db42195e929429874505081e63a5a11e14b100e130901a8454cb97426e747a663ed01ca72faabb97e4fa536ac58d3f93e485d021880e6157635ce9a8cf80262f |
C:\Windows\SysWOW64\RDTAPIs.dll
| MD5 | 19521bc3f7c700a58b53b49409676d51 |
| SHA1 | a504ab190a6834dfd9c32436d4df2fa489efde22 |
| SHA256 | 825d95e102ecbc0e6a52480c42c0125273197e4f43de9e4bea6693a2214f0a9d |
| SHA512 | 1c5ee301ef319a614d8c6800eabc9741729a1e48ebbca0e9790af3168e4c3ab3a588695c7467b74de3a28a67fb981932a6db4604481fdeb857813dfe84dad9b7 |
C:\Windows\SysWOW64\plusbcomm.dll
| MD5 | dd40e2bc0b09100b448651f339cc1836 |
| SHA1 | e58f78ed874b53841c638e303c78bc1c651bc5e4 |
| SHA256 | 5fe0a40c6a2168a0d72444f51d1848d31ccb09f0c9f1e2e9a18b160723730e8d |
| SHA512 | 2e535257cd33bdb2c975ddebdeaddc63a67109040a13253c3beb3fec17ecb374c40167f00a40da63e66b0554b351159399633c21ff2b64a8ec4aef025ed8b83f |
C:\Windows\SysWOW64\zkemsdk.dll
| MD5 | a2d5bb4d7048b20b71569ebd2815675c |
| SHA1 | 0b7561f6be58271b88dcc670f3bb23953a437b35 |
| SHA256 | 51110bd61d574107398d433b57a40930e8eb2fa07640c3dfe2f01e344d5a14dc |
| SHA512 | da1157ef8d430c994a826d6e89f9a2016ee75d8366d22a9b7904b904b7404c33e437759168952597fa1f628dd222f63b7bc2df6e0c57c30238c81837a925dca3 |
C:\Windows\SysWOW64\ZKCommuCryptoClient.dll
| MD5 | bec7b5aa9fcf7e45642a031003e0f600 |
| SHA1 | fcc9eef3716aaf670c4cb52e7c1cc93ed61466e1 |
| SHA256 | 1dd347bda2c3fe594bc30c038325bfe5ce30978603f30bfe96c441af3c971f8e |
| SHA512 | c43d3cd341d2988c3495dcc53a928c2d248cceeec773d01929c068eef21a8ee41b8b0bc13c937c836c218c075237e3c3660933623c634976d64610528b63c1b4 |
C:\Windows\SysWOW64\zkemkeeper.dll
| MD5 | 3231d0b478e3304c12daca897895f760 |
| SHA1 | 876f6bc1c05f4c273fa612390b493012522d906e |
| SHA256 | 3dfde9ffaa85e71b51207fdf0d3dcd746920dcafad7eb298b10d9b30bda06852 |
| SHA512 | 6dda01efe97adf421c70a726135e476d48439219618f45e5395ad766ed649416bbf7f4efaa5abcd8e58e5c930017889a3f084a9afae05f6df2e41912e0bdc495 |
memory/1432-1672-0x000000000C210000-0x000000000C273000-memory.dmp
memory/1432-1668-0x000000000C1C0000-0x000000000C208000-memory.dmp
memory/1432-1677-0x000000000C2A0000-0x000000000C2D0000-memory.dmp
memory/1432-1685-0x000000000C310000-0x000000000C31C000-memory.dmp
memory/1432-1686-0x000000000C340000-0x000000000C34E000-memory.dmp
C:\ZKTeco\ZKAccess3.5\Languages\emnetman_en.xml
| MD5 | 92e522fd6545058d864b21b77b8619a0 |
| SHA1 | 9cc4f134f8518c50b7c89d74ebc47fbf2ab76aff |
| SHA256 | 3d976c84865aa61d55abb63d5f3d54a5e804ab139036a135d5021d242d5de0dd |
| SHA512 | 345708503b16dfe004a66aee7bd20a221fa054f2417ab64aec0f624ec35afd2793e6dbc9a9cfff834aadfbaf9d34360561ed112a38d8d18e42acee89e91e220f |
memory/1432-1689-0x000000000C4B0000-0x000000000C518000-memory.dmp
memory/1432-1690-0x000000000C430000-0x000000000C470000-memory.dmp
memory/1432-1691-0x000000000C5A0000-0x000000000C60A000-memory.dmp
memory/1432-1692-0x000000000C3F0000-0x000000000C3FE000-memory.dmp
memory/1432-1693-0x000000000C6B0000-0x000000000CA04000-memory.dmp
memory/1432-1694-0x000000000CA10000-0x000000000CA9C000-memory.dmp
memory/1432-1696-0x0000000010260000-0x000000001028E000-memory.dmp
memory/1432-1697-0x0000000010290000-0x00000000102DC000-memory.dmp
memory/1432-1698-0x0000000014A40000-0x0000000014A7C000-memory.dmp
memory/1432-1699-0x0000000014A00000-0x0000000014A21000-memory.dmp
memory/1432-1701-0x0000000014AB0000-0x0000000014B12000-memory.dmp
memory/1432-1703-0x0000000014B50000-0x0000000014B72000-memory.dmp
C:\ZKTeco\ZKAccess3.5\Access.ldb
| MD5 | e85bab8603c427cbd85d5d90cadf17e0 |
| SHA1 | 2963cf0c635998e0132b258f6479015dee726def |
| SHA256 | b928aa84a1ec22de674400ae6ba0c9cc33c3858f157e4d3e7c1006e4df4bd72d |
| SHA512 | 59a58b8d27f8466454bdb8cecca37b1dbf4069be3629a915f7f8802dd8488c4a8c2b80af2babc52368bd84c1440c8aa37f23153b4b30ea11f452e1fd7afd121c |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | dba25e326687e18486cc2c91ede9961a |
| SHA1 | b4998e667dba2b8d440b2719661538a1e84b5c62 |
| SHA256 | fab3b940a190d4d3512f0857627ec6808fec300f207b064b2f37e328e2be8d9e |
| SHA512 | a0d485bfcf85db25032adaf28996663bbbe647069d5e810df91f5abe71165fdabed637cffc89b83d20845491d4e5d62b163c19191797ecf01ddf8c6586a98a57 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 81f8efa809d56cf7e0707e4d0af5e4b9 |
| SHA1 | c23643e8687c9a005df5d35ed4216578c03d4694 |
| SHA256 | 4bf46ecf4ae8b0daf9578a16d1340b6ed256392f1003e4dc556e4ce15d71f219 |
| SHA512 | ce68a19cb2eed76e1b8581892bb09e4bd87a5da1dc3f34a4c59fba895bec7388838c2df7114bc5d8fc6676734eda57751f03281ac5ac42744e22027640407a2d |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | f73fd60a8bcc70ddccaad3ca678d4759 |
| SHA1 | 666eb093c563c29cec779ba16cb8e71aececb69e |
| SHA256 | 37cc2b45287b629c7ff82805762f60f53bc19b148442a36a0f185709aaca5f1a |
| SHA512 | 85805329defbf5b65893e263828e9e0f48d3aff7500fb642581f8f9a36ac66e339c2a6e7002e766fd23e1e32ed7cf8e56a7141e085d3527ad7e3e65062bcd126 |
C:\ZKTeco\ZKAccess3.5\Logs\20240510\ex08.txt
| MD5 | 66ffb3eb2a7a0033a2b18c2e25721ca9 |
| SHA1 | 49ca41455fa4466ea5879869da1e0c357c2997e6 |
| SHA256 | 7214e1c29199f4e1a4c5fad277b2eb64f41d070862937009754145d341762c11 |
| SHA512 | a2088e6463b8cece3ba19c0e3ff74a3b03381eacbb5720940911363855d885f9eb06f1f3a9c39aa6e10a43c5ca2be9a9c90d6a561551d1a43bd9645373a4a709 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 3e177849c27565232124247ec3824d7b |
| SHA1 | 67efd74eb09e1b591418e223ed3ee533079ccfc9 |
| SHA256 | f32dd5082617962ffa99457b605eecf356a02c908dbb636bcb313adc921e2d88 |
| SHA512 | 91df0eef1799fb6a428434286a003645772642c78cc2c4b5e3fd25e311858de5b20e5f09239facfb38cb1c4316590957302f8f75c4163ca6b7b257ec082dfe8e |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 951ce51855eecb2abccd80bde360c763 |
| SHA1 | 5a6de98d92ad265a1883e34f3b93c84fa63c0334 |
| SHA256 | ca05c13f33503131029e6b591316782b28712edfc1bde77326081f14c51974ad |
| SHA512 | 80d88ff49f4afefa54d2adb23fccf9317d4b959dccbb54c24d278416f046dec7e1d583f7ebba7b84b9736d0432d879f72213f2b00245b515841d0de48cd88015 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 3e83641edb058de5a46477ecfcde9dc4 |
| SHA1 | c1b706c43ece3da046798927fc3ee01a0cb9f44a |
| SHA256 | c8048b80ba185f3c855d740e257b244b3ab5ba52cfad4454fcd9165c9f340f11 |
| SHA512 | 6afc0ca6a2a0adbb6a200c3335b000f8eb362481b9914e92e5b55075c14aa3b14938cd142da4bdbb3667f6502e4b6af745e15b92e515eee6e7da2dc5b56f0765 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | fbfc545017a9726457c103d652958cdf |
| SHA1 | 96cac2b37ab88cd74381b858eb89e40c38a68af4 |
| SHA256 | f5d6b519542e18e071195e6494b34f7d6f2132af906325c2d44ce9922d57642c |
| SHA512 | 78750c7dfbf7fb48151ff167233da96ad5d8ea162c311f502c2b0c6216d1d5d8f1580fa8e6dd64a89f9602e1e236e6589f87c448df7d9af7239108e847f30df2 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 25dcf6cd84d471a75c9dc3a07e1f56f6 |
| SHA1 | 88657a53060d3908192a7203604ba076a3d0f3ec |
| SHA256 | ea6f79424bf1865ef69166b8fd3d9a9c444b287b354a41f86e99e9210652ec5f |
| SHA512 | 39c208232acf0e94ecacd912792632f423b8bbbc112b6d4a30348ffb90432ff53fdaf79d8195c7b84b2022c88ebfebf1c3062232f1cd7293934ee4e307762d92 |
memory/324-2451-0x0000000000FB0000-0x0000000000FC6000-memory.dmp
memory/324-2456-0x0000000005060000-0x0000000005073000-memory.dmp
memory/324-2455-0x0000000000FB0000-0x0000000000FC6000-memory.dmp
memory/324-2454-0x0000000000400000-0x0000000000E4B000-memory.dmp
memory/324-2462-0x0000000000FB0000-0x0000000000FC6000-memory.dmp
memory/324-2461-0x0000000000400000-0x0000000000E4B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 08:48
Reported
2024-05-10 08:54
Platform
win7-20240221-en
Max time kernel
141s
Max time network
130s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
| PID 2440 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
| PID 2440 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
| PID 2440 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe
"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2440-0-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/2440-1-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2440-3-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/2440-5-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2440-8-0x0000000000400000-0x00000000004E4000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 08:48
Reported
2024-05-10 08:54
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1172 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
| PID 1172 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe
"C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\attfiles\rptViewer.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/1172-0-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/1172-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/1172-2-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/1172-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:48
Reported
2024-05-10 08:54
Platform
win7-20240508-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\DataBase.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| N/A | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\msiexec.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32 | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ = "C:\\Windows\\system32\\DpClback.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5088E18-0F7C-4A53-8666-A4F24D18626F}\InProcServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\InprocServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DPCms.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\is-DRE8Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\syswow64\is-JU8UB.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-87IHF.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET408.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\plcommpro.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\syswow64\is-CJJAI.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\libusb0.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpdevdatx64.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpK00701.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\INFCACHE.0 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\commpro.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-6MA20.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\system32\is-BPJ9N.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-78GBV.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET408.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET864.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\plcomms.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-3LSST.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-RBIC0.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\ZKFPSensors\is-1TKCG.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-43J7K.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-E30UA.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-30EGT.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\syswow64\is-IN1PJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-NC23S.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-LCQF7.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET419.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\usbdpfp.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET831.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-G643D.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-L5ADL.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET419.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET863.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\libareacode.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\RDTAPIs.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\usbcomm.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\system32\is-15EQR.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpersona_x64.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\SET80E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpI00701.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_neutral_d9a56a0c507c5e8f\dpersona_x64.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\appsyn.cch | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| File created | C:\Windows\SysWOW64\rscomm.dll | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| File created | C:\Windows\SysWOW64\is-S5TKT.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\ZKFP.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-TC134.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-P1MEM.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-AU4GF.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\svinfo.cch | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| File created | C:\Windows\system32\is-P9CSE.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\system32\is-KDF7J.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpdevdat.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{604cb8ea-ebf7-45b0-d4ce-6c2cb73c7210}\dpD00701.dll | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\dpersona_x64.inf_amd64_neutral_d9a56a0c507c5e8f\dpersona_x64.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-OH0DT.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\zkfp.inf_amd64_neutral_ab1035548178aff8\zkfp.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\SysWOW64\is-OK7B6.tmp | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-2PN08.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-UJLCU.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\SysWOW64\is-L1V3B.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6595dcc8-2e22-38b6-222e-b63865f3d118}\SET41A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\FPSensor\is-N2523.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-7J54U.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-F8ULQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-RQ26S.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FPSensor\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\PROGRA~1\DIFX\0169CE3A95F06636\DPInst64.exe | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-7IGJ0.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-9AQV8.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\es\is-ANPGB.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ja\is-C6KDH.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-L8LRQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-KALDN.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-C2JMH.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-O1HIT.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\de\is-EUDTJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-R3A4J.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\ZKFPSensors\is-SB064.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-SO6SP.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\en-US\is-H804B.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\bin\is-MV717.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-7MEEN.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-OOFHT.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hans\is-E5OL5.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-LQPVB.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-MJ2QE.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-KLSII.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\fr\is-SONVL.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\pt-BR\is-SP5K0.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\zh-Hant\is-0TM87.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-97A9O.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-DRMSL.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-6LDLF.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\is-A17Q4.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-MH403.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-2HO37.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-FRNH0.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\it\is-QIMCD.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-ETRV3.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-V8ERJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-M254F.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-VF892.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\is-VQBGS.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\ko\is-EEGPD.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-KA7JH.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\support\u.are.u\win32\is-5ODN3.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Program Files (x86)\FPSensor\Biokey\is-VJBK8.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D7F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\zkdrv\is-C8GBC.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-3OLLL.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-FH110.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\rundll32.exe | N/A |
| File created | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f771ce3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-H86K6.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-20QGE.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-0E620.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-UO5MI.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-HN6LG.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Windows\Installer\f771ce6.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-R8QR7.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-AADGT.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f771ce3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-UTA6D.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\Installer\f771ce6.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DPDrv\is-ELJ79.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-55TMC.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-2MNJR.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-Q8HK5.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-JTG4D.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\DPDrv\is-HEU2O.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File created | C:\Windows\zkdrv\is-IJ3FH.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\DPINST.LOG | C:\Windows\dpdrv\DPInst64.exe | N/A |
| File created | C:\Windows\DPDrv\is-PIMI0.tmp | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| File opened for modification | C:\Windows\Installer\MSI1D90.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Version | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\VersionIndependentProgID\ = "DPCms.Client" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}\4.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CurVer | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32 | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B} | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib\ = "{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{253AF648-E194-49D0-95CD-E5071519517E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}\ = "DPCms.Client" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{378CC504-3B96-49E1-BE1E-4C098959C5D1}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FPCom.FPProcess\ = "FPProcess Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ = "CZKEM Object" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ProgID\ = "zkemkeeper.ZKEM.1" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ToolboxBitmap32 | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8AEE2E53-7EBE-4B51-A964-009ADC68D107}\ = "IZKFPEngXEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\Version = "1.0" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ = "IZKEM" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D01AC23A-B04B-4BD2-B9D4-FBC9AD8A0A03}\LocalServer32\ = "C:\\Program Files (x86)\\FPSensor\\support\\u.are.u\\win64\\DpHostw.exe" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Verb\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID\ = "zkemkeeper.ZKEM" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\ = "DPCms.Client" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\ProgID\ = "ZKFPEngXControl.ZKFPEngX" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\Verb\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\zkemkeeper.DLL | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\ = "0" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\FLAGS | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA46E7A7-1E15-459D-B032-7C3AF6AF167B}\ = "IFPProcess" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0D228640-0579-11D2-92F7-5CEB20524153}\LocalService = "DpHost" | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A318A9AC-E75F-424C-9364-6B40A848FC6B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\CLSID | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\zkemkeeper.dll" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DPCms.Client.1\CLSID\ = "{A1EDCB2C-47E0-4868-ADA9-5F6C98DB0395}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{161A8D2D-3DDE-4744-BA38-08F900D10D6D}\TypeLib\ = "{D95CB779-00CB-4B49-97B9-9F0B61CAB3C1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZKFPEngXControl.ZKFPEngX\ = "ZKFPEngX Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\AppID = "{FE9DED34-E159-408E-8490-B720A5E632C7}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ = "_IZKEMEvents" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}" | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA69969C-2F27-41D3-954D-A48B941C3BA7}\MiscStatus\1\ = "132497" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1CAF04A-BD7E-4D71-9A59-567B9430CD9E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1CD59645-9CC5-4C0E-AA37-5E5BADE3AC5D}\1.0\ = "FPCom Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\dpdrv\DPInst64.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
| N/A | N/A | C:\ZKTeco\ZKAccess3.5\Access.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp | "C:\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp" /SL5="$70122,380507,58368,C:\Users\Admin\AppData\Local\Temp\ZKAccess3.5.17\Setup.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /C ""C:\ZKTeco\ZKAccess3.5\InitDatabase.bat"" |
| C:\ZKTeco\ZKAccess3.5\DataBase.exe | DataBase.exe |
| C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe | "C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART |
| C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp | "C:\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp" /SL5="$80162,17664398,56832,C:\ZKTeco\ZKAccess3.5\FP_Driver_New.exe" /NORESTART |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\ZKFP.inf |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{376c023d-54ba-3639-ce94-3351cd313607}\ZKFP.inf" "9" "629e2a833" "00000000000004D8" "WinSta0\Default" "0000000000000564" "208" "C:\Windows\zkdrv" |
| C:\Windows\dpdrv\DPInst64.exe | "C:\Windows\dpdrv\DPInst64.exe" /s |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpersona_x64.inf" "9" "6deb7b823" "00000000000003B8" "WinSta0\Default" "000000000000059C" "208" "c:\windows\dpdrv" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPCms.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPDevTS.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DpFnd2.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPJasPer.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win32\DPPTUtils.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DpClback.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Syswow64\DpClback.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | /s "C:\Windows\Syswow64\DpClback.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPAppSyn.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCms.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPCOper2.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice2.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevice5.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPDevTS.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpFnd2.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPFstCon.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPJasPer.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPMux.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPPTUtils.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpSvInfo2.dll" |
| C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DPTSClnt.dll" |
| C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe" /RegServer |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" start "DPHost" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\FPSensor\Biokey\biokey.ocx" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start "DPHost" |
| C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe | "C:\Program Files (x86)\FPSensor\support\u.are.u\win64\DpHostw.exe" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s /u "zkonline.ocx" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\zkonline.ocx" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s /u "FPCom.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\FPCom.dll" |
| C:\ZKTeco\ZKAccess3.5\msiexec.exe | "C:\ZKTeco\ZKAccess3.5\msiexec.exe" /i"C:\ZKTeco\ZKAccess3.5\USBDrv3.0_x86.msi"/qn |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding DCA527C77BAD85F8B657C132A0D212F1 |
| C:\ZKTeco\ZKAccess3.5\Access.exe | "C:\ZKTeco\ZKAccess3.5\Access.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
| N/A | 10.127.0.31:1433 | N/A | tcp |
Files
memory/2008-0-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2008-3-0x0000000000401000-0x000000000040C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-A408B.tmp\Setup.tmp
| MD5 | a305877eabf2c8d30cd5df98345952ae |
| SHA1 | c0518290145415e66f9f1b9a9c3c1b3e346a10fa |
| SHA256 | 8558efadf63fb12cf3ddacccfe07d397f2f902efadc4adf679a7e5c27cd49d76 |
| SHA512 | 6f22868d451f3f07fdaa096b303a480fb9f5f9bd4675046bba79b9c15435892ea07b3ef5f3a3788144af696a675c2d4639ab4396e22761923c955747463b9fad |
memory/2892-8-0x0000000000400000-0x00000000004C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-4K7N0.tmp\isskin.dll
| MD5 | a5f48d365d7527289e9a599519bfe590 |
| SHA1 | 166589cf8ac1d9989eda0da0e9488104a079bc69 |
| SHA256 | 66edea4626b79d2b86eb8bbcb1f6b10a2f4631c04f023eb75b37f9ff3fcb42ba |
| SHA512 | 3c946e947cdfa8c2780b8bcc0abcb9117cb2397fae8470ee2fdcf3f6069539c179aa5771cef8ff36bbc591854949bcb808979ca02b1fbc26e374c7c9c1d28a59 |
memory/2892-13-0x0000000004010000-0x0000000004126000-memory.dmp
memory/2892-14-0x00000000005E0000-0x00000000005ED000-memory.dmp
memory/2892-16-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2892-17-0x0000000004010000-0x0000000004126000-memory.dmp
memory/2008-15-0x0000000000400000-0x0000000000415000-memory.dmp
C:\ZKTeco\ZKAccess3.5\Languages\is-IAUCA.tmp
| MD5 | 1e7990d499a59ddc7d2af6ebdf1ca807 |
| SHA1 | 7b481967772fd2dea77d8aca14d1bbca7847896f |
| SHA256 | bf931b0e31daa2453f60921bb64d5e1a2d6de8873e71175d36c91b6a79acaa4d |
| SHA512 | 3dd2c713f8b9c2dc6498fe1380a4d7cf8fa4f617c2d40972902a551c4b58f600fc694927badc3a73d6b984c7d5bfe3495a36fbce45cfde2ae81ecc350b61ea7e |
C:\ZKTeco\ZKAccess3.5\Languages\is-5R01G.tmp
| MD5 | bb825332da2a1b633707043cfe88620c |
| SHA1 | 508a85a26841ba0c11226fca5aafff7e806fdcd7 |
| SHA256 | 67ea801a80303d5167dcd78a84c91720b143d6c88510f24e0f9d3bda61507111 |
| SHA512 | ac090df745896efca4bb7789a9a19d00eab90d1fdcb14f4a1f642e7f8a0b444deef2c253512605c7326724ca1122826acc0d1eb2e9a071a747c3f2e71ba96714 |
C:\ZKTeco\ZKAccess3.5\Languages\is-1LMQ8.tmp
| MD5 | f0b1655115326129d826c2313993919f |
| SHA1 | d9181bb44755a187918d68e64c0e8ce53e17c460 |
| SHA256 | 091a8ecf79ba9117df3a80e22974d5a77ba98d49a30c4c4391f343bb27e0b611 |
| SHA512 | ea1013de191e6d9413a44f563b826eb033827358676f809c0331e62119bea24853bd97d7e8981c5c636caf70db9b2233f25ea383035637df2bf8646ceed1984a |
C:\ZKTeco\ZKAccess3.5\Languages\is-RSP0K.tmp
| MD5 | fc734af8b0b62e8dc4fee6fb2e55376b |
| SHA1 | 38b13f68c8e95df11786adac26c00900dfaeb8f4 |
| SHA256 | 100fbe9fe7585bdbbcd1d5d190f59740813359f4ec3fb66f0a91451d833a5205 |
| SHA512 | 0cb99cd33d179d3de1de97c0bb57684fd047a7b19a517a9fe731dd0579aa2017e4a608e8d27b087a8697e56cbe2b27b2dbd2c74bd99314b44e178e2fa66d8307 |
C:\ZKTeco\ZKAccess3.5\Languages\is-O1JQT.tmp
| MD5 | 5f43b5ae4df98b599e11c243b8cee7a6 |
| SHA1 | 6b3a9b0ad80a9626e370961ffd84f216afc489d3 |
| SHA256 | 1898e9139177efe7b9645c407f95998d1e60849b5ce63ba9b0884d548372ff6b |
| SHA512 | f246fd5a4fa73c07b88dd9682578d135b177573f98b9fbebc10d443359790f40d3bdfe3c45d41218b4bef21a12ed962b943c32df90a1dc3f86d3fd174537c0b1 |
C:\ZKTeco\ZKAccess3.5\Languages\is-513AD.tmp
| MD5 | c952ee337c813afa949539f44ac0534c |
| SHA1 | 6a715ecbfb22d5d36a5afffc15cf29cdecce8033 |
| SHA256 | d01fc70299a04aa4bcc6df88ca47b88d2844322e9ff77ceec78a605a1d12c245 |
| SHA512 | b206c171e5c8e4a6d1f2001bcb055b56d5b78d683b1c59e9743409abf0ba685c459b9f249ba5147db0344a536dc35ca298d317e031059305e7b07e7e40b8f5b9 |
C:\ZKTeco\ZKAccess3.5\is-4O0C4.tmp
| MD5 | 25b7bbc9aecdeac55913bac5b135c61a |
| SHA1 | 3a7583e7fd78c15e2f40cfe9a2c28ec5452ecd37 |
| SHA256 | b9ca6595d63e0c3738eb6ce2cfcecc3966e8c4546a884d9e3e084918b813b7d6 |
| SHA512 | 6849bea5d054972422c8d2d6a58b4dfdfd58fc194aa2573e6b908a16e04bff192c38ade84105d023b1ff25f752d84a1d620b8f89c5135208c43e914c903826c0 |
C:\ZKTeco\ZKAccess3.5\is-PTSKB.tmp
| MD5 | 3bd3261a51269c8c40b2f33e498b5d17 |
| SHA1 | 5a8fc34d5135e0ba9c5c214ca8ecc778379d6729 |
| SHA256 | dd68117306b0192d2e571f9edf7fac94ec1de0154a3724d99df3055b42650e3a |
| SHA512 | f02d4d9eaf31dd3246847466a7602f0cc064e62f0ff33a62953310fbb5ac08ea517089be1275ecd5b35b14f935f01b6d3ade28950c6845ff1f8d65d3d9688afd |
C:\Windows\SysWOW64\is-OK7B6.tmp
| MD5 | afab8e482be11151fb0e03ce4ff8d837 |
| SHA1 | dd1600e727b17eb9a88ee46c51b0e2b1fc06949c |
| SHA256 | 67cd76a3353cab3e4f08577ba81459820da5f9ada4aef7f5787fe3b6a6518e2c |
| SHA512 | bf96495f896cc02112d540ff010fb6a75caf0a921e8a371547ed8e339bfaa100f66acd66208852e6ff31f397d56a6ff132350c2001c64150957e6ddcf3da0fdd |
C:\Windows\SysWOW64\is-OH0DT.tmp
| MD5 | f831a4f936619a827ad095de00c5e95b |
| SHA1 | 7973b831f0eab3c2ce31a74381d066c7d91eb497 |
| SHA256 | e288a2568bc023c00d8e4acaf93066a63208c10cc642bba98aaf827cce6a141c |
| SHA512 | c1da2fd769945be554350dd81c854c5399c681cfba5cc055a248c68a6bf32ddd510d246065b305e54aaa40f16c5184951aa6c92e8d4dbd22f2026207adfced9a |
C:\Windows\SysWOW64\is-TC134.tmp
| MD5 | e797beed9fe37ae67081d86f18654313 |
| SHA1 | 664d34c634270e1c8bd05f3069779217b1d5575e |
| SHA256 | 45bebe981ca5ca851d3bf746a7368d9982495dad5da4c1d54b759eba8fe74d4d |
| SHA512 | e3689ae65e7ff32645d523b96733abc0f8d1d6feba6528dd1645f0de91954655cac24bb484a4b27f7ee4a4c8a5b5c3c48b12c44237196a41a027fda0d669a5bc |
C:\Windows\SysWOW64\is-36VIH.tmp
| MD5 | 94e2f7110a27babfda5e7a90699ba9e2 |
| SHA1 | d32c27e74af8b60919476badab4f2aef0f721b71 |
| SHA256 | f805f387e3a6e73a1d2cf61c99744b3ca72fec8a8f34c02071780e0486934e1a |
| SHA512 | ac6e8724436a65bfa40e8174351826c55cdca902cb457e6091967b55f1a66d1fae16101130e6d4657ea7724f327c2f57d33465e7425b68a421811cb9a698e638 |
C:\Windows\SysWOW64\is-P1MEM.tmp
| MD5 | 1c8449dcccbfb5470e06c33a47fbf937 |
| SHA1 | b246a9a0888637f121bd06479ee498174f7e2cd2 |
| SHA256 | ad652892e07af6ffc992b3a6470aeaa1249827b36df6840fd9a6bb43c47f297b |
| SHA512 | 7c4ca4afbe2c2e817e8024e5c577fb3695a3af334aade629674078ed63be99d6adc44fe0ee4f9fda12785ad9fa213eb9f3a1b2a2132ce248d6280f2eca3f6839 |
C:\ZKTeco\ZKAccess3.5\appconfig.ini
| MD5 | bb3cffcd46e616d2ed77aa7a65609313 |
| SHA1 | 9800cb6700dc18a930065340b1f37f520a157f20 |
| SHA256 | e2da0e56e1139c7d88245e038247f3200630c2ed4f1f9ceb1e130e8be0d8e814 |
| SHA512 | 2abfe6813909a9ff9adb836e538e612ef4ae60a9c32f86b89835ca7cdf0ee347e91a2888d2ef63693e6150bebbd59b3e1878bad73833104fa46bd1207f67e7f2 |
C:\ZKTeco\ZKAccess3.5\Access.exe
| MD5 | f40f43edcc46eec1c64e1e794b0539d1 |
| SHA1 | fb431ced00d12f863eab9fef9dfe490f5b9681dd |
| SHA256 | be9b424b2058b6cc10c697a7fff96c1af62949cfb34ca43af7cc82b4e4ab2fab |
| SHA512 | e12f510fbed3ba7ebcf5c1d30eac464e36c4a33073b34f1a29e11306e5760b44924f11eca338f00c398f5c26a53fa55406b8dd513ff02d1d9292cbf89cc1766b |
\ZKTeco\ZKAccess3.5\Att.exe
| MD5 | d7de1f512e31da1cb7f3fa98ab1f73bf |
| SHA1 | afe00331afaeb8b5f4c8763c39800ead783e4120 |
| SHA256 | 4e77e7298c2519f2008c2eda5c656f75d1802439beebc5f23b7503e888800cf6 |
| SHA512 | e31b92909f5fe26c0353ab54d051762d278c834b8c86cceb320ecc9c388b48c8a0fe044aaccb44df6a4be000ec0a0e7e63184508bde0c3e409eb1834b380eebb |
\ZKTeco\ZKAccess3.5\unins000.exe
| MD5 | 3f779b952459be9d3788bb1ba018ad35 |
| SHA1 | 9fb6663660c89f66bb1c140d80ec98b20d16c7d1 |
| SHA256 | d75777bab8e467ac205c37ad69c84e3e427f767666d2300839b21ffe8ed05da7 |
| SHA512 | 58963b3379ae50bd8f23d195fcdaaf5e2de09813a04084015a2e72a6d40e7f199fcf29593d27629a43c397545bcffdb4571dabb77159611854abd09ff54db014 |
memory/2892-988-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\ZKTeco\ZKAccess3.5\InitDatabase.bat
| MD5 | 8f6a918a8721f26331903efd3c91ae67 |
| SHA1 | cb25667f0a80548d66a4f4e1be0abef915609272 |
| SHA256 | acf3cb03a7eb5b4c0e2b0bf9af66cace4a7f7820a2aba9c1f0404f52f81b731f |
| SHA512 | b343d3666e9e9cd0b7bf925fe2895cc3ea29728b68c1384edfd68b06b01447a6fb99c8fc7bda3aaf3e7ddb503ebe4b5d39382857b0d386596c8ba2b172aed82e |
C:\ZKTeco\ZKAccess3.5\DataBase.exe
| MD5 | ded18ca95cbcca1703e2e42ee9c3f1b9 |
| SHA1 | 02581f99307d217623b2a629e38ca54cc2182b30 |
| SHA256 | 1163b0d67c17d4fbdb64cf480b1f99ee5b3ee5f7c099e65c859921b6b3e906e9 |
| SHA512 | fe853dcf17b1170711a37f1ddb435af7b64ba8dcc225439927e6bbb3cd0806736606e187e72b423c1121d876ebef8f36813715b20f9cad176f7f7e026dc7a4b7 |
memory/652-996-0x0000000000B30000-0x0000000000B38000-memory.dmp
memory/652-998-0x0000000000640000-0x0000000000665000-memory.dmp
memory/2892-1000-0x0000000000400000-0x00000000004C1000-memory.dmp
\ZKTeco\ZKAccess3.5\FP_Driver_New.exe
| MD5 | 06062fed9ea10ed7bee8fa82e22a7ec7 |
| SHA1 | 81ce48fb9853dde8104216cd84530013d5cf7fb2 |
| SHA256 | 4be20a1b7ef1c2adeb573fbda23158e1b6508c943be76792dacc6ca77b93e8de |
| SHA512 | a4da8fe4bb46fdb0c120798ed03031d0a828eef427dba44ab11759083764be7a533b5be7f607626a9631df89907323e8506d93738b86e8e3db54847ebda10c37 |
\Users\Admin\AppData\Local\Temp\is-MU92A.tmp\FP_Driver_New.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/1728-1006-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-5CTDU.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2892-1021-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/1728-1023-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1944-1024-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Windows\SysWOW64\is-94IP7.tmp
| MD5 | 2540916777e828c24e89a79329bf5598 |
| SHA1 | 445219ff6601d8ac707d416655c744f4eea07e24 |
| SHA256 | 7d4889f448087e23b4504a0bade1a765dc3826998042ecb82c744b2447964f5f |
| SHA512 | 0ceff0a7b333552a68aad951a2a14405a8d8c0baefcfcc5f6ecb8ad14f9b234874e36a2607d6ad7d95a33b2b47269872efe74642ea52f0f89a91ecbc94c1852c |
C:\Windows\SysWOW64\fpslib.dll
| MD5 | 4a8aa2cb879ddeae2d8e5bab5bf310b2 |
| SHA1 | ff956c8593f55cab33bc087b2f624b14b710e603 |
| SHA256 | 6626b4ca32408bcdb4cfd5e3e84faf7d1c6c49c4674b9b319cf68286575f416d |
| SHA512 | 192bd3134910d92778d2dd9eaa4cb2d8a19140b00469b373626162148986ca91d4df36488a90e8064e2a7684b1261eb56420aeed4612ee9c56c59991e01c94f8 |
C:\Windows\SysWOW64\libusb0.dll
| MD5 | a0263041d4a4023a8e78f7f417404a42 |
| SHA1 | 90a0f6dd891f2b166317bec604008d624009c678 |
| SHA256 | 771743d4fd9b325fd8f583487b0001a4d36c0a5554feba59cdbaaa75c6fdb615 |
| SHA512 | 0346fd5e328fcbf8e55f31d257b330fba494dae00a9cc57cddf5abbb9d4a7fe40806d71efebad0585c83632208d1f11b78c7385224bb653dbb8d59e2dc8b5c3d |
C:\Windows\SysWOW64\libcorrect.dll
| MD5 | bb16a0e5d2d75c0751ea6835aa36d940 |
| SHA1 | 278b6b054fe4fb88b0dee3cbd69e1735c3520c59 |
| SHA256 | 24c7c677c50b2c54d0232ea447a241d0dd61eb70aeff871f8bb6c16c8d0dc196 |
| SHA512 | 31d8429c373cda4eca5a8b60935b885b8816308125ec0228c6d0732fd981aa6e091bb54fe5e8afdc0348bd0f060a66d9be321ac9d18ee8c4d2a43822a0bdb12c |
C:\Windows\SysWOW64\libsilkid.dll
| MD5 | 4982430535a837b23913c50454dfc622 |
| SHA1 | 50dfa02f92d63af78a80c3a731b60cd3f01f4ff2 |
| SHA256 | 0feda63b2613feddf7ea6103d66b09c5d9f9852c43e3c2f452cf3233e617fb9c |
| SHA512 | d246002aa68a0a1dd0c2fa9cf70232903417561cdad05694f669b285740fba987eae6371592d041b31ae4538beeb870953536545c4f5e6f53bd20ede945f9d8a |
C:\Windows\SysWOW64\ZKFPSensors\libsilkidcap.dll
| MD5 | ef9cc5f8bcee7c4daf1a845dd60bcb73 |
| SHA1 | a75eb761c93c5826b36b835524fdbe8b9239fe4a |
| SHA256 | f941c38f017150323d4a56712e1fe2250004c49f05c91a1c46de8cfdb2d1f576 |
| SHA512 | c4f5def779310bef75e57f59295f5dbc8bc868dfefc805ea301fbf91c0ba5e453cd10a314882bfa5053c42651ad8fdd9ae93e3c9ecf3a343b80e1f853ea82b4d |
C:\Windows\SysWOW64\ZKFPSensors\libdpcap.dll
| MD5 | 84bea5a6e9dd1681660af3f4b74b27ea |
| SHA1 | f1a727271ed9142333586e1516a95229735fd7bb |
| SHA256 | bcf2a2ad0def866739e911cad2b65f6829671d70a69b5bba45764751add16e28 |
| SHA512 | 9684f0528f6b4db23f24ebe1f7f2bce92dddcee32587680499d6ee85b921fd3c8edd78e4fcb1481b63c12522043dff59421e16c1df3fde6fcfee3deb0324bf57 |
C:\Windows\SysWOW64\ZKFPSensors\libzklibcap.dll
| MD5 | fc29d9d49dc13f5bf30035513f782ed1 |
| SHA1 | 985dd539e9210829d60e11d1419a87883304e7bc |
| SHA256 | 93fcd70336d5e6a9293020b4d57ea66968e7387d860133d6c090b22a9611186d |
| SHA512 | b71579ba071126b0d5683f32f71e891cf63e65c72c7dc8dc4b090f992c18efdfb014a68855628932b4247fa4ad95056f7e198c58edc8e582bcc60aa6304a729a |
C:\Windows\system32\libusb0.dll
| MD5 | fe7548fc329229576d6e672f9ee08ce6 |
| SHA1 | 8e5d4e944fc341ac787d236ea9b48c75637e0719 |
| SHA256 | d4c35e72e3dfa67f18576df927caf9fdbadf148231b98ac22bdc5bb11f6bd796 |
| SHA512 | 4fcf3d0458d557bf33792ce11e09832300410c6df88b1ee12b07142eff867495aaa7cb3aa00cc6a6a9b19f01e447b25103ec0de75fddca306026ba1330dded2c |
C:\Windows\zkdrv\ZKFP.inf
| MD5 | 283c2123020a1d80e1dc50f97c8e902e |
| SHA1 | 6261f70e969a71e92cc2d841b4d9d2faafa4a34c |
| SHA256 | 0150dcccc9071053b20eda0416c478319177667c773ce4639b5e2745374a6a2f |
| SHA512 | 4360b26ad4d5c439d651b9c37315a46cc218cf1d71e19c6bb2472c6fcb9d215a885aca058966156ab696d327176ea98e06076acc7be672aa18133c9c5ddfae46 |
C:\Windows\zkdrv\zkfp.cat
| MD5 | d3f97b9069ca4eeed99f5474f8afead5 |
| SHA1 | b89020d02650517826a3f513210a40ed9b122073 |
| SHA256 | c4ac2e14d7c2afe8d62675afe5a41ee62811a4baf57e4c60b0816b849ba4c7ac |
| SHA512 | 6f1cfcb081cbb6fc28602afe48df7e9ff4c66b6388159af1a0374f054b436d5bf4f08e6557b1b24d993640215886d8550794c14b6a48d2f09b87a43e7c5fe91f |
C:\Users\Admin\AppData\Local\Temp\{376c023d-54ba-3639-ce94-3351cd313607}\libusb0_x64.sys
| MD5 | 77afff0483d5f84e41717cc358528a5e |
| SHA1 | 37084cce0b4b63780c9cc465cd54446e680e2986 |
| SHA256 | ecc512ba6a0fb290eece70d82edf9fc0891d336b39e7ae37e0156544150785cd |
| SHA512 | 4e6bea9ef8dc1ca8ecbe05e96f18019c20c57108ec6adc45ee1d423c30b65b31f0c8170e25a86809e8e8cb08ac8f7f8526769db283ed5bc448c70486bc3d7ff2 |
\Windows\DPDrv\DPInst64.exe
| MD5 | c3ac43b2018114a617e946aa8fdf3cac |
| SHA1 | 2d90f38bc995c9cd5efec52109f8bd2468001ca7 |
| SHA256 | ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117 |
| SHA512 | 8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488 |
\??\c:\windows\dpdrv\dpersona_x64.cat
| MD5 | 50f212c4f9b4a832a410d3e83f6317ea |
| SHA1 | 503bc574acaa4a79bea85304a5b7b3a0c85191ca |
| SHA256 | 29c2b3859fdd96d781e07f3ae778eabadbfa54cbcb437aa00e447978b18f7309 |
| SHA512 | 0387139e4f49d236c09ee36d0bed34258e9518f90a4f486a43a06821a0889ecd6d3ec8341443f7b582d041e0f279cd81d2e072f52de44b1d0dbe217488ad6a97 |
\??\c:\windows\dpdrv\dpersona_x64.inf
| MD5 | 91967eb8b8468aadd50e2d880375d8d2 |
| SHA1 | e8fd6ef8cc869de121501fb543a7c0674d30756f |
| SHA256 | d230952d38ecda93d971fe9798dca35d0e4c7a7c4b573d0af47a34b7928c8e92 |
| SHA512 | 58c2f6885afdba94b63d2b1e42de41c561852870d0b6e45496fdee9fc7d1d1748eab6e71de7fdb59b4abb5aecbf7c81113fe7e975540c5d72886149f1cb4ba1a |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpK00701.sys
| MD5 | 1da17ab1ab496963949df99184796dbc |
| SHA1 | 1194f7ade39b6b40489e59d10f5bd9d6acbca639 |
| SHA256 | affdecc31fa032ff7e3fcf6cedfe746a5a89804fd72047a3ee03e0915d971bf1 |
| SHA512 | 6b10644bb65dce8df9cd90c89a8b2e26895fd1a219973566ee419e0175b4d142173f2f7c5f255f7726f27065727229620da5821288390b9729743d939aeb4f6c |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevctlx64.dll
| MD5 | d1adf6e4753778a90dc5215efa831565 |
| SHA1 | 0ccff3f80e07a8e086b37c956552d829c55257ef |
| SHA256 | db72a2515f6d3796aa3ff9acb2de22141c90fd9d016f6a6559a6f290e20e35e5 |
| SHA512 | dfaa69b63797b27e1274cc6ddf1d9d92f3c112ac1210f38e74afd52b812bedb9ed8bf968e61bab45114bee00d60408ae7383aa388494f7e72a217c53e5b7c491 |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpI00701.dll
| MD5 | b7d3259b3bda026eefa90f5523b6e996 |
| SHA1 | 989b6d1e19134c2329c0749c15904c4ecec25ea4 |
| SHA256 | 502b9c74fa0f6138a3ebfbb67829bfe267074f78cf6119b35e9975ef2176f503 |
| SHA512 | af3d0c4b807ceb2a275a7f219ff98a2776ec62c3686de20078d6004e729984446edb9b7c7b4340e03a27c36236db7e8e6ad0028e1e14e5e1e9be0e266f04e01f |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevdatx64.dll
| MD5 | 4b4e309fe52c6aa57674a4124a82b426 |
| SHA1 | 8ac2bcb190b5185606b57234527b6d542a6df11f |
| SHA256 | 85e0225a8451b23fe9715939da1a9b8e780eca3c38277b1ad09acd9bf5dce20d |
| SHA512 | d6004795a617869a2f46805eab28c509a077953da456c61c73a7f64eab2dd7f1bd75401bdadc068e09c0e0d7238eee4cb6dfa5070756479443ea2d77e76c3cba |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpD00701.dll
| MD5 | e8bcf046f729253f2bb24ea0e8c047b9 |
| SHA1 | 8104533c4bbb4265f71a87bb5d6966ea64974b66 |
| SHA256 | 039966724018cf96157f1ee7f7cdf48f4f20a76192d920d55504ed1dcba7de7e |
| SHA512 | df9fa6308c8b0b7128b78bf9bb3314c34f26fcf70799caae5f376fa418f99c5d2db439137718ad4f052d273719a95741d9a5d5bc2d17fc4ad1318281d20e2959 |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevctl.dll
| MD5 | 7b3f4907bc409960c300ae50420c16a6 |
| SHA1 | ed97b09cb7853cd056e8d7d6318c0ead13b267a6 |
| SHA256 | 09649414f843036df5c30846aed6059e0f43e973a729b07e8f690f4b668ddac7 |
| SHA512 | 81eb78daf1849f3933b0622a6418ddf9d863a793e41b958e1641e5cd7d42928595df0ecdd35c5e30aa60117ae896fc0e6692e3f5461020b5bb547ad3fe6637fc |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpdevdat.dll
| MD5 | 2eccd46878dce0f84dadd29498bd900d |
| SHA1 | d30ae67c9ca5dc53b8d1583bdae6c43dbaec3f37 |
| SHA256 | 20b41562147e635d60e875cbef43f17d2373cb18fed9f8dfa97c2553b4f1e121 |
| SHA512 | b397366d11111dc613c7e4cde245d1a98864ba5b7c1a576c0d3ec7e8228bffcae2340ba375978d401b886e765785b207c2d652180d7c6f388130adf9b5ac93ac |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\usbdpfp.sys
| MD5 | 4846d37bba87b2e6138074ee076e367e |
| SHA1 | e2e478efbc83b2fb604bd60af032402c3654f176 |
| SHA256 | 098a0d4bcbad10920e2e05f7da06f291e711a766afdf293d2306ee44879f6436 |
| SHA512 | 5a17f715556088b4f9d8ddcb298d03ff8fd61f23ce1c3c80e4f79ae6c34a18526d1829b8ca0d21be6513f4c6322fa770fdc7902c4569c452bcba84510be00c71 |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpI00701x64.dll
| MD5 | ed673140ea6f2cd1b8fcafa041f02f2e |
| SHA1 | d5ad7a43b53a965f4a1a9c76b1c609178993f27d |
| SHA256 | 107efb5853e1926be84164e7d21d5d56c7dcacd6b599838353ae95baa46ed059 |
| SHA512 | ed4d0ed91ac6eadd90acba5dc783f108469ebfc111ca2169dbce139d8dda6e822ea8e15b64509f436d950e159c12d95a08aa8ca685c242059ba92b392f43b123 |
C:\Users\Admin\AppData\Local\Temp\{2080992e-249c-0f45-f9b6-4d5412b2ef52}\dpD00701x64.dll
| MD5 | 39837e0c027fa2b35e4b406941dc01b3 |
| SHA1 | 0e43708086396f5f21d4191fe115449e2e98ca32 |
| SHA256 | 2728b5ed610ef55e89784fd5508b366d2bc7efdc5bf3e75d51f5dac82c4dc294 |
| SHA512 | b534508e0245f822698cb813da1d31bdd3d6d2bf60c005d510628adadc8b28ca608082f1c06bfb8a337e3e4a5eb5bf53196d0540c55335a7948ef75559bced47 |
C:\Windows\System32\DriverStore\INFCACHE.1
| MD5 | f1191f5d486cf449183d213a99c0a8ad |
| SHA1 | 1a26cfc57a65919e5b90dc813f9c49449e91b098 |
| SHA256 | b814b0943fa9e90a4dbf1d7d521af32c0a8dda053956f94f689d0769804111ef |
| SHA512 | b9985b1cd9699357aa8826c7cb45f3ee6735d3cd7ba41794d594de7eb6b927412113920ed6e3ae0b1abc688b44e372fe4c58308ccbad4e7845f0f82159605e82 |
memory/2128-1558-0x00000000009D0000-0x0000000000AAB000-memory.dmp
memory/2096-1559-0x0000000000600000-0x00000000006DB000-memory.dmp
memory/1552-1560-0x0000000002330000-0x00000000024A3000-memory.dmp
memory/2936-1563-0x00000000001F0000-0x0000000000216000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\45f2c6a1c069e80380428ef0ab87c5f7_a42634aa-f501-41cf-bed1-b8158857da02
| MD5 | eb41356e1a0c8c85d0a55ebd0f39df82 |
| SHA1 | ab22aff972bae2bfa240f0223fdc40f79312dfe5 |
| SHA256 | 10c6dcb3c67749c95b877a4c48ff6bef6d321d9faf99a9336a6a9093e3eff279 |
| SHA512 | 0f479594453786f06c40de98be035a440c6d80672bbbbce5d01b0349779e3ba2f48ff269098bda2e6bc41f42c9646d592af00c6cb769f4a48bb5c4db1947357b |
memory/1944-1570-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1944-1573-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1728-1574-0x0000000000400000-0x0000000000414000-memory.dmp
C:\ZKTeco\ZKAccess3.5\msiexec.exe
| MD5 | 6c985ebcd34f92d666b365b28272195f |
| SHA1 | 03b8d4cf8171b650ed68efc3c41258878c35d433 |
| SHA256 | a49ba96ce00aa92df7291454208637538af31c6df4dfc268c1dd8463a0d65c99 |
| SHA512 | c8879889fdc80caa97445e1b5e716ae6e5223fd06634d1957cf7da20c1aefe866e45513e8ce6adf2ddc396702ac720f0f56f961051053c7980a426c3da090f70 |
memory/2892-1587-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2892-1591-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2008-1592-0x0000000000400000-0x0000000000415000-memory.dmp
memory/2320-1593-0x0000000000280000-0x0000000001B68000-memory.dmp
memory/2320-1594-0x0000000005FD0000-0x00000000060A2000-memory.dmp
memory/2320-1595-0x00000000037F0000-0x000000000382C000-memory.dmp
memory/2320-1596-0x00000000038E0000-0x0000000003914000-memory.dmp
memory/2320-1597-0x00000000060B0000-0x00000000060E6000-memory.dmp
memory/2320-1600-0x00000000073A0000-0x0000000007708000-memory.dmp
memory/2320-1601-0x0000000009F60000-0x000000000A1D6000-memory.dmp
memory/2320-1602-0x000000000A1E0000-0x000000000A6DA000-memory.dmp
memory/2320-1604-0x000000000AA40000-0x000000000ADA0000-memory.dmp
memory/2320-1603-0x000000000A6E0000-0x000000000AA3A000-memory.dmp
memory/2320-1605-0x0000000008100000-0x0000000008168000-memory.dmp
memory/2320-1606-0x0000000008170000-0x000000000818A000-memory.dmp
C:\Windows\SysWOW64\commpro.dll
| MD5 | 828bd419d3c3c4c4c1467e7efb590fd7 |
| SHA1 | 5cbca9c37e04bc54003ddca3c28e935af6f9c603 |
| SHA256 | c64cecca165db8cfbf6bd6c99fd139d5bcf82d0d8926c7281902d77beca61c6f |
| SHA512 | fb24066b4b0558cd914d2998aed6361fda1558941ff257e46f9d9cd8ae24b69b3bb5832f7c08ed4fccaf4b09cbfb6cb7f8b42526c6bf013e0374d7df3b611461 |
C:\Windows\SysWOW64\rscagent.dll
| MD5 | fcb235c79bb0979b99a471fb60ff4e20 |
| SHA1 | b26906b379ef324a24aab6a40729efbf53c24702 |
| SHA256 | 0a1170824c160f3520260fda8e0172f09e5ae8a52485b932f87f7c5dcb7a297c |
| SHA512 | dffee19da85966037e5100f32c2b58b339bba81b338419c9303df3608c7458b649de0c41ef6c68a82a3b62915752410c9bedb06b204cbd9fd0345adba2ac0791 |
C:\Windows\SysWOW64\zkemkeeper.dll
| MD5 | 3231d0b478e3304c12daca897895f760 |
| SHA1 | 876f6bc1c05f4c273fa612390b493012522d906e |
| SHA256 | 3dfde9ffaa85e71b51207fdf0d3dcd746920dcafad7eb298b10d9b30bda06852 |
| SHA512 | 6dda01efe97adf421c70a726135e476d48439219618f45e5395ad766ed649416bbf7f4efaa5abcd8e58e5c930017889a3f084a9afae05f6df2e41912e0bdc495 |
C:\Windows\SysWOW64\ZKCommuCryptoClient.dll
| MD5 | bec7b5aa9fcf7e45642a031003e0f600 |
| SHA1 | fcc9eef3716aaf670c4cb52e7c1cc93ed61466e1 |
| SHA256 | 1dd347bda2c3fe594bc30c038325bfe5ce30978603f30bfe96c441af3c971f8e |
| SHA512 | c43d3cd341d2988c3495dcc53a928c2d248cceeec773d01929c068eef21a8ee41b8b0bc13c937c836c218c075237e3c3660933623c634976d64610528b63c1b4 |
C:\Windows\SysWOW64\usbstd.dll
| MD5 | 6bed769c8749572585b77fb2466b48f7 |
| SHA1 | ea73ca63c23bcdafd326d5d2014cc0a5ce720acc |
| SHA256 | 7c16210299aba8b0dd209d7d708a911db73ba20fd685fa42f87ca6525b831bfa |
| SHA512 | 9083c9f729bb394ef9aa8eebbb8b9262095ef7c8bbdb48f8e7f72a5beb2ff8eaff657fdab0217a1827a5f0807fbc33879426974f6728f9034b223cc1b08cee0d |
C:\Windows\SysWOW64\usbcomm.dll
| MD5 | 192a3f959976b85af6defef3f3f6f565 |
| SHA1 | 308c4c489d8b7c9df8214945e0a250cbee10307d |
| SHA256 | 0d8fa044c00744db17d326e08d8bf9de06a70f410b844b1834ba8fe6534acda4 |
| SHA512 | 2b04a5e5d25ba02e92056df5353472b0352fa1614617dd5615c518b04a01c72a974f2c8ed57ab369da839661208cd61fdeec71bb883b06e5e7d47ed357a10601 |
C:\Windows\SysWOW64\tcpcomm.dll
| MD5 | 364b784929e976115aac87fa09472b05 |
| SHA1 | af615fb20e3ba2b512af04f6164ad009c289cc2f |
| SHA256 | 6db3198b11f90accbf3934a095adabaa81ca4dac3aae18b0a45b1dc785d9bf25 |
| SHA512 | f65f382214dd5ec2ec80f2ca2bee8e87622c6bbeb45059e8ea8c0a80eb914ef70266ba41afe7ce7b31d54667cbf0cef03757d31509afc63f6912fb06fc358f6b |
C:\Windows\SysWOW64\rscomm.dll
| MD5 | 8b2c16a96745ae744b7b16e7a482de01 |
| SHA1 | f4d3dbc220615c46e88494ff5a60f27862f9496c |
| SHA256 | e115131e1741e327036c807d55265147ea18d723e7a7703ddc9373e5330bda26 |
| SHA512 | db42195e929429874505081e63a5a11e14b100e130901a8454cb97426e747a663ed01ca72faabb97e4fa536ac58d3f93e485d021880e6157635ce9a8cf80262f |
C:\Windows\SysWOW64\RDTAPIs.dll
| MD5 | 19521bc3f7c700a58b53b49409676d51 |
| SHA1 | a504ab190a6834dfd9c32436d4df2fa489efde22 |
| SHA256 | 825d95e102ecbc0e6a52480c42c0125273197e4f43de9e4bea6693a2214f0a9d |
| SHA512 | 1c5ee301ef319a614d8c6800eabc9741729a1e48ebbca0e9790af3168e4c3ab3a588695c7467b74de3a28a67fb981932a6db4604481fdeb857813dfe84dad9b7 |
C:\Windows\SysWOW64\plusbcomm.dll
| MD5 | dd40e2bc0b09100b448651f339cc1836 |
| SHA1 | e58f78ed874b53841c638e303c78bc1c651bc5e4 |
| SHA256 | 5fe0a40c6a2168a0d72444f51d1848d31ccb09f0c9f1e2e9a18b160723730e8d |
| SHA512 | 2e535257cd33bdb2c975ddebdeaddc63a67109040a13253c3beb3fec17ecb374c40167f00a40da63e66b0554b351159399633c21ff2b64a8ec4aef025ed8b83f |
C:\Windows\SysWOW64\pltcpcomm.dll
| MD5 | 90b4dded7c04b0604e7f2a860b435087 |
| SHA1 | 045fd76a357c37a78a7504abe682fa889227b3d8 |
| SHA256 | ac0aa7c014ec80c167c07fc185a022dda128bd30b97809e4e604b90b836de32c |
| SHA512 | 2134845dbf3d8f625f164e3f12673a6af8e268d0b868dbf3a629b2bd5cd4365d535f9fa1cb9e94cab9a8bdf91762b0b80f1bed12baf1c7f91d6a80029660a80c |
memory/2320-1632-0x000000000B070000-0x000000000B0B8000-memory.dmp
C:\Windows\SysWOW64\plrscomm.dll
| MD5 | adbdbfa949b6b948c3141e439f279263 |
| SHA1 | 6fc0222417739da3fd4da30e46c1f4fe31938cb5 |
| SHA256 | 720fa39785a97dd3792d4811800c413abdacaca2e7bdbc43123b2cf55cbfe010 |
| SHA512 | 3a488ebe0528424ec1169891004f5113a097928546257afcb7c9bf96688b4d6460b0a5db4c245a078447532619d19576af669f90babbb36ad055d073e933ffd8 |
C:\Windows\SysWOW64\plrscagent.dll
| MD5 | f0a75bfe2c5e5487399f72886c581317 |
| SHA1 | e40dd78180fed788babc1c1a5384efbf0db8d85a |
| SHA256 | 971e2180b34ec63aa6b01583cba5d2bbfd81b8c82a9574f11a813ed4b1554def |
| SHA512 | 0b068a8eaba62a9874da6f2d5e034ace09197859f080224cc42c9bb4f175072bd4125885649f909c48a5536618852f55b69c5d97a381622af20a8d68e9407985 |
C:\Windows\SysWOW64\plcomms.dll
| MD5 | 3fcb10c4d43770ebb1e2772242ca3128 |
| SHA1 | db5da8754e4e1eb2764f702f1d7acaff09b2090d |
| SHA256 | 93d6eca4a41fc20f790721b1d339192faa8afc8dd6ee5a2d09a4aa7443641b98 |
| SHA512 | 2eb0108c0cbdce71310bf464ba56f5e29eec0bcb8e64fe6630b95ba6a30c1573cab4fd87eb073a0fdea0a7e567d4eaa11db168bbf083874cd4cee420205244cc |
C:\Windows\SysWOW64\plcommpro.dll
| MD5 | 08040571c103050308f38ef2fdcd657d |
| SHA1 | a003e5b5645a601a2958d582ef3fcb6a02a91006 |
| SHA256 | 760338d21e26365b4c726d93ff6a8279a47e4b1d4a16d5ffab17c10c628f2af8 |
| SHA512 | 5c179be30148dbd78e7ada10937bcdce01f56a06725e954369c2e17bd77bf8ca4facd299c8f7ff556a6fa715483c6e49f91c327b1a33c7dfa2dfa85b940b01f9 |
C:\Windows\SysWOW64\p4pcomm.dll
| MD5 | 76cbc221ce8f7025a73209996b57e15a |
| SHA1 | d7d6dfc704bf0cba64d30f6f28e2023ca0dc6bab |
| SHA256 | 182dab50f936c7bd5e70c05d478b35e0ca5bf13397f983b3468352421e89f9cf |
| SHA512 | 153c95a8149bd990e0013e24f70a29e700eaf28f0a280af4b9e341c84907319ee41c9e34f8822d2a7c3ebf8fece930e1cc05fec9b481d66be3f39334618bdd7e |
C:\Windows\SysWOW64\p4p.dll
| MD5 | 6b506ed4da3392f9156852df33219009 |
| SHA1 | 4237e716d77c8314d603524784382f857437dd09 |
| SHA256 | ffe70331c087621a2967fe2b2672d64931b906695f03d3c87552fb5d61a704ec |
| SHA512 | 010457a874f3d2dae6fd8e9dc2aba4c69577b54389b45744d17232436aeccc0d07ce8266bc2589c200c44bc3734df2a041a16ab2fea53cb882765d5a577099fe |
C:\Windows\SysWOW64\libareacode.dll
| MD5 | 0df0b735d7c59687d55465d1e39178a4 |
| SHA1 | af70f8e696353d184295ff465ded7ec5e94a9716 |
| SHA256 | 857f7d10ac7929ac92bd347eecc134d83fcb98daf5800bbdb67e646c10df7489 |
| SHA512 | 01d72d3617f3eef71480ce5004f867bded5a6b91b2f599bb2cdda7c3ab0d607c9761c741114fb138484512a37841fc24ed68859779560814a0151338665e5253 |
C:\Windows\SysWOW64\IOTCAPIs.dll
| MD5 | ebbec369b0257007e1b4dbcedabc222b |
| SHA1 | e7d968f0374178bb918e7db50cd56664341bf5cc |
| SHA256 | db4e4a48566a7ec7da0f1ec8dddb237c43c17c00ffe871b96a8ddd54e1d082d7 |
| SHA512 | 248a2f74ee4ae844b542934eefcdff3febd096d3586776dff71051f697ffafcac3f4f97da7999d48913d276a404715eaca33b4b9b9648de4323cb71d7d388d5d |
C:\Windows\SysWOW64\comms.dll
| MD5 | 15c6e3c1b83d19c74c9f15f173d6a54a |
| SHA1 | 819b966af9d1d69b22dcefc92d448705ccd734bc |
| SHA256 | 096d7c6f697f9bcf1273db5e5452085279a270f2cf5a353c1b3bd483bb30ca9f |
| SHA512 | 0c06e8cc2e75bf012d56e619529ac69995614e6afdf164506a0ee1181851801e4da473cb0472f114bfc96edbbf00f11e4040635c0e1e04c081f6a5389885e943 |
C:\Windows\SysWOW64\zkemsdk.dll
| MD5 | a2d5bb4d7048b20b71569ebd2815675c |
| SHA1 | 0b7561f6be58271b88dcc670f3bb23953a437b35 |
| SHA256 | 51110bd61d574107398d433b57a40930e8eb2fa07640c3dfe2f01e344d5a14dc |
| SHA512 | da1157ef8d430c994a826d6e89f9a2016ee75d8366d22a9b7904b904b7404c33e437759168952597fa1f628dd222f63b7bc2df6e0c57c30238c81837a925dca3 |
memory/2320-1636-0x000000000B130000-0x000000000B193000-memory.dmp
memory/2320-1640-0x000000000B200000-0x000000000B230000-memory.dmp
memory/2320-1644-0x000000000B1A0000-0x000000000B1AC000-memory.dmp
memory/2320-1645-0x000000000B1B0000-0x000000000B1BE000-memory.dmp
C:\ZKTeco\ZKAccess3.5\Languages\emnetman_en.xml
| MD5 | 92e522fd6545058d864b21b77b8619a0 |
| SHA1 | 9cc4f134f8518c50b7c89d74ebc47fbf2ab76aff |
| SHA256 | 3d976c84865aa61d55abb63d5f3d54a5e804ab139036a135d5021d242d5de0dd |
| SHA512 | 345708503b16dfe004a66aee7bd20a221fa054f2417ab64aec0f624ec35afd2793e6dbc9a9cfff834aadfbaf9d34360561ed112a38d8d18e42acee89e91e220f |
memory/2320-1648-0x000000000B790000-0x000000000B7F8000-memory.dmp
memory/2320-1651-0x000000000B340000-0x000000000B34E000-memory.dmp
memory/2320-1650-0x000000000B890000-0x000000000B8FA000-memory.dmp
memory/2320-1649-0x000000000B3D0000-0x000000000B410000-memory.dmp
memory/2320-1652-0x000000000B900000-0x000000000B98C000-memory.dmp
memory/2320-1654-0x000000000BAF0000-0x000000000BB1E000-memory.dmp
memory/2320-1655-0x000000000BB40000-0x000000000BB60000-memory.dmp
C:\ZKTeco\ZKAccess3.5\Access.ldb
| MD5 | 9c1ea0bea2ba416274f7e55e00a33ba3 |
| SHA1 | 40894fba8cee86694fa3e3e72f8595a2979e5115 |
| SHA256 | d51d3f403d2cdb64e9153541c359e393f2f9cfd9d660ba0fe97e972d2ca32480 |
| SHA512 | 25af1875d9cc7b9361549b286ea97bb6c7c1e15259a17200d3c82acae98ccbf34a101817ac0580982f1ed24b9735e8b12af2522ce6e3145be96ab28bbef72f15 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | dba25e326687e18486cc2c91ede9961a |
| SHA1 | b4998e667dba2b8d440b2719661538a1e84b5c62 |
| SHA256 | fab3b940a190d4d3512f0857627ec6808fec300f207b064b2f37e328e2be8d9e |
| SHA512 | a0d485bfcf85db25032adaf28996663bbbe647069d5e810df91f5abe71165fdabed637cffc89b83d20845491d4e5d62b163c19191797ecf01ddf8c6586a98a57 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 752eed990925ebfc24a768b48d25a667 |
| SHA1 | 0137cb3e8dddcd311fcd204cacf0900a7020456c |
| SHA256 | cf0dfb94e544750390e14200c5b20e367710b0d46fd4b4fd8807af7178691e42 |
| SHA512 | b72ab6a2cce949958b17a6aa64f6bfea358f52650feaab0e063fcd504c983193b8bfd3e71aab16fe05e0595773125529bd806dd38f2326028a6e3039762a1c5c |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | b96171739e39b38812d80ebfe399fd17 |
| SHA1 | 5530ff5322ecc9d252e5d3b9638a7604d1bdab69 |
| SHA256 | 58b33ad9e0bdf27e2be6761ceb423d3345fb0c8620df99a57dfb05ff47b99bf0 |
| SHA512 | 864b2a6ef94098d358202866acacb3a80d846d4adb2356ce8806d9effeb7f8130422e0f660297a8ee0f8dc3a11ab5697bff0ecea06891c79dbfe002548997aa2 |
C:\ZKTeco\ZKAccess3.5\Logs\20240510\ex08.txt
| MD5 | 77163cce4b77e0b9f244dc29de5d9f81 |
| SHA1 | e77ba995865ed91afb0003ef9739dfdb79ad6b14 |
| SHA256 | c1e6419fe7bb627f1c0be2ecf735385cdebc33d1e334d388f4f18eaf07a367a4 |
| SHA512 | 5ae82f0e68f8c1cfbc354a63bafb804d71bb863e8f8f9d5684a444a1761d080f774725ed6696625e92a6948f148ad19b4cf6a3b1e723aa029390c00118366003 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 70492b1c841c1295d57f51378a24cb05 |
| SHA1 | a0879e4f75054b464bde3c1a4c419ab47f8a3ad3 |
| SHA256 | 3a2a4c58d21aed26a00d9cffa315111b79df7b554c950cd287a62939b4c6f27e |
| SHA512 | be7920b3c78e3896ff0b952abfeceab393c46ba3b91d081f3eae80a119d687ccb0c07b4011e09b910c7dff83b866eebda4c4469afb0242e92aa386be9c76d723 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | cb9bc3ddd89bab4517157f78ee794ca5 |
| SHA1 | 4c2ac139c06f7579c19197695e3aafecc90489f9 |
| SHA256 | 15de6e1fdbae145caa3c011f1eb6be81e8f2e6d56fe350a74dbe5c573ebaaa84 |
| SHA512 | 1cd1eb325f5e8b4d513f8dea44032ce49789d405ab30d9994e5617abe9ca0220879eb7dac909e7e9f41624fff5b45c95704c134b52d9b21734097cdef8ee8166 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 7bf3b41fa33fe37b634607eb4b5e5975 |
| SHA1 | 1f124a8c053d1111b462d0803bb83d880056dd6b |
| SHA256 | 158ea7592f1533c9aa45c12ace157ea31be35a55f21dbc1569782fe7dd240c64 |
| SHA512 | af04b506bb50389db784d4dbf31468d15e84d682320d1a97e1aab14442b9519d9b9890673a3fc68f93e1f8e1610b742ae3f60c9f4c79a32c5e1e32c9d0d46337 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | b511fbcccde75f513f68de61fa69d031 |
| SHA1 | 069270a19c9a48591ac41e05a1a801a0653a6af4 |
| SHA256 | 810a7da91d4719b4ad6c67635298d8eaa342fc4e12ccfd7f2ed491d3eb7b53d6 |
| SHA512 | ca77997f517d57504d67b70fc5e738c12b44ed32ebd38adb491f391e508e1ff2f6a91955e38c5993603d771439983f82bb13bbb56a8f034cb079c5f0d65fab83 |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | 1243553e61855aa67f94aea8378cb12b |
| SHA1 | 345a89a1875ce099a98bfc55d0aafc7abd93513e |
| SHA256 | 44fc6e6e08996b48a99e8bd5b73ee91b30054acd6ea09b595c90e4517d26ba21 |
| SHA512 | 800b255d4305daeb05f649493d55d7cc0323e01aa4defce7c867c08cfa4c5c74fd4c27f19e84687fa054e972b09044ae3441d137ed2c4f38ec4b6857b5eafc8a |
C:\ZKTeco\ZKAccess3.5\Access.mdb
| MD5 | f2ffa8e4f42a54016ee94a1868055881 |
| SHA1 | b95490ce37b3a5a5e158d496b2f9769549cd5bd4 |
| SHA256 | b4e90c82859ecfbf482e4c44a1bd6a5b1731de52efddcb2cc804284b1f592b10 |
| SHA512 | 31e15689ead0955179a09353864f3cefb9d6c73c7ac29526a345ed34e5191980bbe0b40f9e611c37d378f72caeae9b1c335ca35ecf73372d0c015ef8863256a7 |