File name: ZKBioOnline.exe

Full analysis: https://app.any.run/tasks/fdb2cbea-7c42-4e6f-aa5c-032b2df01466
Verdict: Malicious activity
Analysis date: February 08, 2024, 18:32:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C5C97029065CCB2F064AC048039194A0
SHA1: 8EB334F057A3E1DAE26136347A737B4F818360BC
SHA256: 9637998D500ED4B9301BF33C369BF94191C87D61BEB2C3171F2CFDDC27B773E4
SSDEEP: 98304:yilShrpeE6dftgY+AOF3s8rbo0nBiGrQYmEV3U/7XfqRIORrev2TstP3cgMiC+MQ:XI/A4CzuXpHAwLMb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ZKBioOnline.exe (PID: 572)
      • ZKBioOnline.exe (PID: 1072)
      • ZKBioOnline.tmp (PID: 324)
      • drvinst.exe (PID: 3048)
    • Starts NET.EXE for service management

      • net.exe (PID: 3248)
      • net.exe (PID: 2380)
      • ZKBioOnline.tmp (PID: 324)
      • net.exe (PID: 3640)
      • net.exe (PID: 4036)
    • Creates a writable file in the system directory

      • ZKBioOnline.tmp (PID: 324)
      • drvinst.exe (PID: 3048)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ZKBioOnline.exe (PID: 572)
      • ZKBioOnline.exe (PID: 1072)
      • ZKBioOnline.tmp (PID: 324)
      • rundll32.exe (PID: 3016)
      • drvinst.exe (PID: 3048)
    • Reads the Windows owner or organization settings

      • ZKBioOnline.tmp (PID: 324)
    • Reads the Internet Settings

      • ZKBioOnline.tmp (PID: 324)
    • The process drops C-runtime libraries

      • ZKBioOnline.tmp (PID: 324)
    • Process drops legitimate windows executable

      • ZKBioOnline.tmp (PID: 324)
    • Drops a system driver (possible attempt to evade defenses)

      • ZKBioOnline.tmp (PID: 324)
      • rundll32.exe (PID: 3016)
      • drvinst.exe (PID: 3048)
    • Uses RUNDLL32.EXE to load library

      • ZKBioOnline.tmp (PID: 324)
    • Creates files in the driver directory

      • drvinst.exe (PID: 3048)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 3048)
    • Executes as Windows Service

      • ZKBioOnline.exe (PID: 560)
      • ZKOnlineProtect.exe (PID: 4028)
    • Starts CMD.EXE for commands execution

      • ZKBioOnline.exe (PID: 560)
  • INFO

    • Checks supported languages

      • ZKBioOnline.exe (PID: 572)
      • ZKBioOnline.tmp (PID: 1264)
      • ZKBioOnline.exe (PID: 1072)
      • ZKBioOnline.tmp (PID: 324)
      • drvinst.exe (PID: 3048)
      • ZKBioOnline.exe (PID: 3396)
      • ZKBioOnline.exe (PID: 3600)
      • ZKOnlineProtect.exe (PID: 3548)
      • ZKBioOnline.exe (PID: 560)
      • ZKOnlineProtect.exe (PID: 4028)
    • Reads the computer name

      • ZKBioOnline.tmp (PID: 1264)
      • ZKBioOnline.tmp (PID: 324)
      • drvinst.exe (PID: 3048)
      • ZKBioOnline.exe (PID: 3600)
      • ZKOnlineProtect.exe (PID: 3548)
      • ZKBioOnline.exe (PID: 560)
      • ZKOnlineProtect.exe (PID: 4028)
    • Create files in a temporary directory

      • ZKBioOnline.exe (PID: 572)
      • ZKBioOnline.exe (PID: 1072)
      • rundll32.exe (PID: 3016)
    • Creates files in the program directory

      • ZKBioOnline.tmp (PID: 324)
    • Drops the executable file immediately after the start

      • rundll32.exe (PID: 3016)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 3048)
      • ZKBioOnline.exe (PID: 560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41984
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xaad0
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.2.0.36
ProductVersionNumber: 5.2.0.36
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: ZKTeco Inc.
FileDescription: ZKBIOOnline SDK Setup
FileVersion: 5.2.0.36
LegalCopyright: All Rights Reserved, 2020
ProductName: ZKBIOOnline SDK
ProductVersion: 5.2.0.36
No data.
All screenshots are available in the full report
Total processes: 67
Monitored processes: 21
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order ("no specs" marks a process with no specific indicators): zkbioonline.exe, zkbioonline.tmp (no specs), zkbioonline.exe, zkbioonline.tmp, net.exe (no specs), net.exe (no specs), net1.exe (no specs), net1.exe (no specs), rundll32.exe, drvinst.exe, zkbioonline.exe (no specs), zkbioonline.exe (no specs), zkonlineprotect.exe (no specs), net.exe (no specs), net1.exe (no specs), zkbioonline.exe, cmd.exe (no specs), certutil.exe (no specs), net.exe (no specs), net1.exe (no specs), zkonlineprotect.exe (no specs)

Process information

Fields: PID | CMD | Path | Indicators | Parent process
PID: 324
CMD: "C:\Users\admin\AppData\Local\Temp\is-D0VVE.tmp\ZKBioOnline.tmp" /SL5="$1101B4,8989358,58368,C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe" /SPAWNWND=$100166 /NOTIFYWND=$F0184
Path: C:\Users\admin\AppData\Local\Temp\is-D0VVE.tmp\ZKBioOnline.tmp
Parent process: ZKBioOnline.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Loaded modules:
c:\users\admin\appdata\local\temp\is-d0vve.tmp\zkbioonline.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 560
CMD: "C:\Program Files\ZKBIOOnline\bin\ZKBioOnline.exe"
Path: C:\Program Files\ZKBIOOnline\bin\ZKBioOnline.exe
Parent process: services.exe
User: SYSTEM
Company: ZKTECO CO.,LTD.
Integrity Level: SYSTEM
Description: ZKBionOnline
Exit code: 0
Version: 5.2.0.36
Loaded modules:
c:\program files\zkbioonline\bin\zkbioonline.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\program files\zkbioonline\bin\zkdevicectl.dll
c:\program files\zkbioonline\bin\libcrypto-1_1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
PID: 572
CMD: "C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe"
Path: C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe
Parent process: explorer.exe
User: admin
Company: ZKTeco Inc.
Integrity Level: MEDIUM
Description: ZKBIOOnline SDK Setup
Exit code: 0
Version: 5.2.0.36
Loaded modules:
c:\users\admin\appdata\local\temp\zkbioonline.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1072
CMD: "C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe" /SPAWNWND=$100166 /NOTIFYWND=$F0184
Path: C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe
Parent process: ZKBioOnline.tmp
User: admin
Company: ZKTeco Inc.
Integrity Level: HIGH
Description: ZKBIOOnline SDK Setup
Exit code: 0
Version: 5.2.0.36
Loaded modules:
c:\users\admin\appdata\local\temp\zkbioonline.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1196
CMD: C:\Windows\system32\net1 start "ZKOnlineProtectSvr"
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules:
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 1264
CMD: "C:\Users\admin\AppData\Local\Temp\is-NM2Q0.tmp\ZKBioOnline.tmp" /SL5="$F0184,8989358,58368,C:\Users\admin\AppData\Local\Temp\ZKBioOnline.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-NM2Q0.tmp\ZKBioOnline.tmp
Parent process: ZKBioOnline.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Loaded modules:
c:\users\admin\appdata\local\temp\is-nm2q0.tmp\zkbioonline.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 2380
CMD: "C:\Windows\System32\net.exe" stop ZKOnlineProtectSvr
Path: C:\Windows\System32\net.exe
Parent process: ZKBioOnline.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID: 2508
CMD: C:\Windows\system32\net1 stop "ZKBIOOnline Service"
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules:
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 2556
CMD: C:\Windows\system32\net1 stop ZKOnlineProtectSvr
Path: C:\Windows\System32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules:
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 3016
CMD: "C:\Windows\system32\rundll32.exe" libusb0.dll,usb_install_driver_np_rundll C:\Windows\zkdrv\zkusbdevices.inf
Path: C:\Windows\System32\rundll32.exe
Parent process: ZKBioOnline.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events: 4 517
Read events: 4 464
Write events: 53
Delete events: 0

Modification events

Process: (324) ZKBioOnline.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (324) ZKBioOnline.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (324) ZKBioOnline.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (324) ZKBioOnline.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3016) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3048) drvinst.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3048) drvinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: (binary blob not included in this copy of the report)

Process: (3048) drvinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: (binary blob not included in this copy of the report)

Process: (3048) drvinst.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation: write
Name: Blob
Value: (binary blob not included in this copy of the report)

Process: (3840) certutil.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 103
Suspicious files: 22
Text files: 15
Unknown types: 0

Dropped files

PID | Process | Filename | Type

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\is-HKBDN.tmp | xml
MD5: 4B266698ED3054EC09B99F61AFAACA26
SHA256: 21E70CE938B5A4EF7C4D1110E46EA3414356F63FE62DE9788BDD631A5CA2E2B0

1072 | ZKBioOnline.exe | C:\Users\admin\AppData\Local\Temp\is-D0VVE.tmp\ZKBioOnline.tmp | executable
MD5: 1AFBD25DB5C9A90FE05309F7C4FBCF09
SHA256: 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\uninstall_stop.bat | text
MD5: D80381088C9CD1B1A730FF0F44C21243
SHA256: 8B13C5430E64278171018B6E397DF0830ED6C79A7348EC138C29EA159AA15FF7

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\unins000.exe | executable
MD5: B5BEEA0AC47E432702E60855B393E583
SHA256: 5837C13DC38808FF11CC9FBFA3D528CFDE278BD9F5F8DDB9649A1CB40EFD216A

572 | ZKBioOnline.exe | C:\Users\admin\AppData\Local\Temp\is-NM2Q0.tmp\ZKBioOnline.tmp | executable
MD5: 1AFBD25DB5C9A90FE05309F7C4FBCF09
SHA256: 3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\is-D0DCE.tmp | executable
MD5: DEAB74192AB5DDC9B788B9565A62B5DC
SHA256: AEB2317A57E87E607E199EC1C076C091668B96D30C7CCA4EB3CFDDDA9F86CEFE

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\is-43RU3.tmp | executable
MD5: B5BEEA0AC47E432702E60855B393E583
SHA256: 5837C13DC38808FF11CC9FBFA3D528CFDE278BD9F5F8DDB9649A1CB40EFD216A

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\is-SPD9K.tmp | executable
MD5: B004D352AE83A3900A99DC7ABBAAF22B
SHA256: BE55C495775B74E3165130A86ED67C090CAEF1E87A19EE9759FC82B805565756

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\is-2OMOJ.tmp | text
MD5: D8D5070CD6DAE8E9A45AE736FD5C3F95
SHA256: F282BFB6731371EB0A31E1A35EB708873800EFA672956E43D7D74A4ADBF77862

324 | ZKBioOnline.tmp | C:\Program Files\ZKBIOOnline\bin\install_start.bat | text
MD5: D8D5070CD6DAE8E9A45AE736FD5C3F95
SHA256: F282BFB6731371EB0A31E1A35EB708873800EFA672956E43D7D74A4ADBF77862
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Debug output

Process | Message
ZKBioOnline.exe | BIOKEY_INIT_SIMPLE lasterror = 0