General Info

File name

MarsWiFi_Setup_3.1.1.2.rar

Verdict
Malicious activity
Analysis date
2/11/2019, 00:35:26
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

846d7bca8809482b04524a8c805c7b04

SHA1

bbe66c49bd7f4913c57e046a3be99754efdf7ab0

SHA256

a461f198b83ba05f9d0582d68a8e570c965639def2e092476e365a1e741885a0

SSDEEP

49152:JEnI2Zz7mv0QdpcWN/0gDmV66cqGRevJ1DsZ/Iow0hQC1+O233ANTee0G1:JCTQdni66cxox1YZwoJQxXJ81

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes settings of System certificates
  • marswifi.exe (PID: 3324)
Application was dropped or rewritten from another process
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Changes the autorun value in the registry
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Creates files in the driver directory
  • DrvInst.exe (PID: 2612)
  • marswifi.exe (PID: 3324)
Removes files from Windows directory
  • DrvInst.exe (PID: 2612)
Creates files in the program directory
  • marswifi.exe (PID: 2236)
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Searches for installed software
  • DrvInst.exe (PID: 2612)
Creates files in the Windows directory
  • DrvInst.exe (PID: 2612)
  • zkdrvinst.exe (PID: 2692)
  • marswifi.exe (PID: 3324)
Executable content was dropped or overwritten
  • marswifi.exe (PID: 3324)
  • WinRAR.exe (PID: 3584)
Creates a software uninstall entry
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3776)
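The behaviour list above is derived from the registry and file events further down the report. The script below is an added example by the editor, not part of the ANY.RUN report or of the MarsWiFi installer: it parses the flattened "Modification events" table format used on this page (a constructed excerpt of the events shown in this report is embedded) and re-derives the persistence and trust-store findings as host-checkable indicators. The rule labels and ATT&CK technique IDs are the editor's own mapping, and the service-key rule covers a key this report does not show.

```python
"""Triage the flattened "Modification events" table of a sandbox report.

Added example by the editor, not part of the ANY.RUN report or of the MarsWiFi
installer. SAMPLE_EVENTS is a constructed excerpt of the registry events listed
in this report; rule labels and ATT&CK technique IDs are the editor's mapping.
"""
import re
from collections import defaultdict

# Constructed excerpt. Each record is PID / Process / Operation / Key, then an
# optional Name and an optional Value (the Blob record has no value shown).
SAMPLE_EVENTS = r"""
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2192
MarsWiFi_Setup_3.1.1.2.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp
2192
MarsWiFi_Setup_3.1.1.2.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
marswifi
"C:\Program Files\zksoft\marswifi\marswifi.exe" /autorun
3324
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EEBBA1954ECB13F2D04296BC1F2AE7D90EF068A9
Blob
"""

OPERATIONS = {"write", "delete key", "delete value"}

# (label, regex over the key path, ATT&CK technique or None for informational)
RULES = [
    ("autorun persistence (Run key)", r"\\CurrentVersion\\Run(Once)?$", "T1547.001"),
    ("machine trust store modified",
     r"\\SystemCertificates\\(TrustedPublisher|Root|AuthRoot|CA)\\Certificates\\", "T1553.004"),
    ("service definition written",
     r"\\(CurrentControlSet|ControlSet\d+)\\Services\\[^\\]+$", "T1543.003"),
    ("uninstall entry created", r"\\CurrentVersion\\Uninstall\\", None),
]


def _is_record_start(lines, i):
    """A record starts at a numeric PID followed by a bare process name and an
    operation; a numeric value name or value ("0", "120") never has that shape."""
    return (i + 2 < len(lines)
            and lines[i].isdigit()
            and lines[i + 1].lower().endswith(".exe") and "\\" not in lines[i + 1]
            and lines[i + 2] in OPERATIONS)


def parse_events(text):
    """Split the flattened table into event dicts; Name and Value may be None."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    starts = [i for i in range(len(lines)) if _is_record_start(lines, i)]
    events = []
    for n, i in enumerate(starts):
        rec = lines[i:starts[n + 1] if n + 1 < len(starts) else len(lines)]
        events.append({
            "pid": int(rec[0]), "process": rec[1], "operation": rec[2],
            "key": rec[3] if len(rec) > 3 else "",
            "name": rec[4] if len(rec) > 4 else None,
            "value": "\n".join(rec[5:]) if len(rec) > 5 else None,
        })
    return events


def classify(events):
    """Match write events against RULES, grouped by (pid, process)."""
    hits = defaultdict(list)
    for ev in events:
        if ev["operation"] != "write":
            continue
        for label, pattern, technique in RULES:
            if re.search(pattern, ev["key"], re.I):
                hits[(ev["pid"], ev["process"])].append((label, technique, ev["name"]))
    return dict(hits)


def extract_iocs(events):
    """Pull out indicators that can be checked directly on a host."""
    iocs = {"autorun_commands": [], "trusted_publisher_thumbprints": []}
    for ev in events:
        key, value = ev["key"], ev["value"]
        if re.search(RULES[0][1], key, re.I) and value:
            iocs["autorun_commands"].append(value)
        m = re.search(r"\\TrustedPublisher\\Certificates\\([0-9A-F]{40})$", key, re.I)
        if m:
            iocs["trusted_publisher_thumbprints"].append(m.group(1).upper())
    return iocs


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (pid, proc), found in sorted(classify(evs).items()):
        for label, technique, name in found:
            print(f"PID {pid} {proc}: {label} [{technique or 'info'}] {name}")
    print(extract_iocs(evs))
```

Run stand-alone, it reports the Run-key write by the setup executable and the TrustedPublisher write by marswifi.exe, and returns the autorun command line and the certificate thumbprint as indicators. The TrustedPublisher write deserves a note during triage: a certificate placed in that store suppresses the Authenticode prompt for later software or driver installs signed by that publisher (the report shows zkdrvinst.exe and DrvInst.exe installing zknetdrv shortly afterwards), which is common for legitimate driver installers but is also a standing trust expansion on the host.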


Static information

TRiD
.rar
|   RAR compressed archive (v5.0) (61.5%)
.rar
|   RAR compressed archive (gen) (38.4%)

Processes

Total processes
49
Monitored processes
11
Malicious processes
2
Suspicious processes
1

Behavior graph

Nodes in the order the graph lists them ("no specs" marks a process with no indicator flags; parent/child relationships are given in the Parent process field of each process below):
  • start
  • winrar.exe
  • marswifi_setup_3.1.1.2.exe
  • marswifi.exe
  • zkdrvinst.exe (no specs)
  • drvinst.exe (no specs)
  • vssvc.exe (no specs)
  • drvinst.exe (no specs)
  • zkservice.exe (no specs)
  • zkservice.exe (no specs)
  • zkservice.exe (no specs)
  • marswifi.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3584
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2192
CMD
"C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe"
Path
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZhangKong Soft
Description
zksetup
Version
1.0.0.1
Modules
Image
c:\users\admin\desktop\marswifi_setup_3.1.1.2\marswifi_setup_3.1.1.2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\program files\zksoft\marswifi\marswifi.exe
c:\program files\zksoft\marswifi\zkservice.exe
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
3324
CMD
"C:\Program Files\zksoft\marswifi\marswifi.exe" -a:inst
Path
C:\Program Files\zksoft\marswifi\marswifi.exe
Indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZhangKong Soft
Description
marswifi
Version
2.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\marswifi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\zksoft\marswifi\msvcp80.dll
c:\program files\zksoft\marswifi\msvcr80.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\program files\zksoft\marswifi\dump.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\apphelp.dll
c:\program files\zksoft\marswifi\drivers\zkdrvinst.exe

PID
2692
CMD
"C:\Program Files\zksoft\marswifi\drivers\zkdrvinst.exe" -v -l zknetdrv.inf -c s -i zknetdrv
Path
C:\Program Files\zksoft\marswifi\drivers\zkdrvinst.exe
Indicators
No indicators
Parent process
marswifi.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZK Internet Technology Co., Ltd.
Description
driver install
Version
1,0,0,1
Modules
Image
c:\program files\zksoft\marswifi\drivers\zkdrvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\newdev.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\drivers\pacer.sys
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\lltdres.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\sstpsvc.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\mprmsg.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshnetbs.dll

PID
2612
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.inf" "0" "6aa438bf7" "000005AC" "WinSta0\Default" "000002D0" "208" "C:\Program Files\zksoft\marswifi\drivers\win7"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\spinf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
3776
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
1948
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C8" "000005C4"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
2188
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /install /name zkservice /dispname zksrvc /description "zk net core service" /order zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3112
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /start zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
340
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /service zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll

PID
2236
CMD
"C:\Program Files\zksoft\marswifi\marswifi.exe" -f:installer
Path
C:\Program Files\zksoft\marswifi\marswifi.exe
Indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Version:
Company
ZhangKong Soft
Description
marswifi
Version
2.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\marswifi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\zksoft\marswifi\msvcp80.dll
c:\program files\zksoft\marswifi\msvcr80.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\program files\zksoft\marswifi\dump.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\program files\zksoft\marswifi\zkwificore.dll
c:\program files\zksoft\marswifi\raapapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\program files\zksoft\marswifi\rtllib.dll
c:\windows\system32\wtsapi32.dll
c:\program files\zksoft\marswifi\rtlihvoid.dll
c:\windows\system32\wlanui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\atl.dll
c:\windows\system32\dui70.dll
c:\windows\system32\credui.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\zksoft\marswifi\zkcore.dll
c:\windows\system32\netshell.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\slc.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
1013
Read events
722
Write events
289
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3584
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2.rar
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3584
WinRAR.exe
write
PID | Process | Operation | Key | Name | Value
 |  |  | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000100103000000000039000000B40200000000000001000000
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003401010000000000160000002A0000000000000002000000
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000200101000000000016000000640000000000000003000000

2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | ver | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | channel | 4149
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | product | wifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | lang | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | coverinst | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | guid | {22120718-D9A1-4AC2-83C8-A2EE42EF867F}
2192 | MarsWiFi_Setup_3.1.1.2.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp |  | 
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayIcon | C:\Program Files\zksoft\marswifi\marswifi.exe
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayName | Mars WiFi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | Publisher | ZK Corporation
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | URLInfoAbout | http://www.zkytech.com
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | EstimatedSize | 3910
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayVersion | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | UninstallString | C:\Program Files\zksoft\marswifi\unist000.exe
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | instpath | C:\Program Files\zksoft\marswifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | ver | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | channel | 4149
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | product | wifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | lang | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | time | 1549841816
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | guid | {22120718-D9A1-4AC2-83C8-A2EE42EF867F}
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | marswifi | "C:\Program Files\zksoft\marswifi\marswifi.exe" /autorun

3324 | marswifi.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EEBBA1954ECB13F2D04296BC1F2AE7D90EF068A9 | Blob | 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

2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.dev.log | 4096
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder |  | Sample Netcfg Application (netcfg.exe)
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\System32\drivers\pacer.sys,-100 | Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @netcfgx.dll,-50003 | Allows other computers to access resources on your computer using a Microsoft network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @netcfgx.dll,-50002 | Allows your computer to access resources on a Microsoft network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @tcpipcfg.dll,-50002 | TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\tcpipcfg.dll,-50001 | Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\lltdres.dll,-4 | Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\lltdres.dll,-3 | Allows this PC to be discovered and located on the network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32010 | Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32009 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32008 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\sstpsvc.dll,-203 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.app.log | 4096
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | Service | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | CoServices | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | HelpText | ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterClass | compression
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterType | 2
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | UpperRange | noupper
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | LowerRange | nolower
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | FilterMediaTypes | ethernet, wan, ppip
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterRunType | 1
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList | NDIS | 170000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000150000001600000017000000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | Characteristics | 262144
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfPath | C:\Windows\INF\oem4.inf
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfSection | Install
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | LocDescription | @oem4.inf,%zknetdrv_desc%;ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | Description | ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | ComponentId | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | TimeStamp | E307020000000A00170024003100AD01
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfPath | oem4.inf
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InstallTimeStamp | E307020000000A00170024003100BD01
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Bind | \Device\{DCB14C61-690D-46F7-8A89-150432FA5C44}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Route | "{DCB14C61-690D-46F7-8A89-150432FA5C44}"
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Export | \Device\NdisWan_{DCB14C61-690D-46F7-8A89-150432FA5C44}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005 | NetCfgInstanceId | {F3229805-869E-479E-BA76-DD643F1D1B80}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | RootDevice | NdisWanIpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | UpperBind | Wanarpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | Export | \Device\NdisWanIpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006 | NetCfgInstanceId | {72DD97A9-E544-4915-88D8-44E829C34F68}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | RootDevice | NdisWanBh
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | UpperBind | 
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | Export | \Device\NdisWanBh
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008 | NetCfgInstanceId | {7C5653F0-144A-4534-9E34-28AC99CBA85E}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | RootDevice | NdisWanIp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | UpperBind | Wanarp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | Export | \Device\NdisWanIp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007 | NetCfgInstanceId | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | RootDevice | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | UpperBind | Ndisuio
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | Export | \Device\{4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | FilterList | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | FilterList | {7C5653F0-144A-4534-9E34-28AC99CBA85E}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | FilterList | {72DD97A9-E544-4915-88D8-44E829C34F68}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | FilterList | {F3229805-869E-479E-BA76-DD643F1D1B80}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | delete key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder |  | 
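Three of the writes above matter to a triager whatever the verdict on the product itself. MarsWiFi_Setup_3.1.1.2.exe registers marswifi.exe under HKLM\...\CurrentVersion\Run, so it starts at every logon for every user. marswifi.exe then writes a certificate (thumbprint EEBBA1954ECB13F2D04296BC1F2AE7D90EF068A9) into the machine-wide TrustedPublisher store; installers do this to suppress the driver-signing trust prompt for the driver install that follows, but the side effect is that anything signed by that certificate installs silently from then on, so the thumbprint should be checked against the actual signer of the driver package. zkdrvinst.exe registers the NDIS filter driver zknetdrv (FilterClass compression, FilterType 2 = modifying filter, FilterRunType 1 = mandatory, FilterMediaTypes "ethernet, wan, ppip" as written by the vendor INF) and attaches it through the Linkage\FilterList values to all four Net-class instances, the NIC {4040CF00-...} and the three NdisWan pseudo-adapters, which puts it in the packet path of every interface. The following is an added example, not code from the ANY.RUN report: it parses the one-field-per-line form in which the registry tab exports (PID, process, operation, key, name, value) and flags those three classes of write. SAMPLE is a constructed subset of the events above with the certificate Blob replaced by a placeholder; the operation set and the Python names are assumptions.

```python
"""Triage of registry events from the report's export (added example, not code from
the ANY.RUN report). The export is one field per line: PID / process / operation /
key / [name / [value]]; a 'delete key' record has neither name nor value. SAMPLE is
a constructed subset of the events above; the certificate Blob is a placeholder."""
import re
from dataclasses import dataclass
from typing import Optional

OPS = {"write", "delete key", "delete value"}   # assumption: operations the export can list
NET_CLASS = r"\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}"   # NetService class (filters, protocols)
ADAPTER_CLASS = r"\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}"  # Net class (adapter instances)

SAMPLE = r"""
2192
MarsWiFi_Setup_3.1.1.2.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
marswifi
"C:\Program Files\zksoft\marswifi\marswifi.exe" /autorun
3324
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EEBBA1954ECB13F2D04296BC1F2AE7D90EF068A9
Blob
<blob placeholder>
2692
zkdrvinst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi
Service
zknetdrv
2692
zkdrvinst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi
FilterType
2
2692
zkdrvinst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage
FilterList
{4040CF00-1B3E-486A-B407-FA14C56B6FC0}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692
zkdrvinst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder
"""

@dataclass
class RegEvent:
    pid: int
    process: str
    op: str
    key: str
    name: Optional[str] = None
    value: Optional[str] = None

def parse_events(text):
    """Records start where a numeric line is followed by an image name and an
    operation; a numeric value line is followed by the next PID, never by an
    image name, so it is not mistaken for a record start."""
    lines = text.splitlines()
    starts = [i for i in range(len(lines) - 2)
              if lines[i].isdigit() and lines[i + 1].lower().endswith(".exe")
              and lines[i + 2].lower() in OPS]
    events = []
    for n, s in enumerate(starts):
        rec = lines[s:starts[n + 1] if n + 1 < len(starts) else len(lines)]
        ev = RegEvent(int(rec[0]), rec[1], rec[2].lower(), rec[3])
        ev.name = rec[4] if len(rec) > 4 else None
        ev.value = rec[5] if len(rec) > 5 else None
        events.append(ev)
    return events

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
TRUSTED_PUB = re.compile(r"\\SystemCertificates\\TrustedPublisher\\Certificates\\[0-9A-F]{40}$", re.I)
NDI_KEY = re.compile(re.escape(NET_CLASS) + r"\\\{[0-9A-F-]{36}\}\\Ndi$", re.I)
FILTER_LIST = re.compile(re.escape(ADAPTER_CLASS) + r"\\\d{4}\\Linkage$", re.I)
FILTER_ATTR = {("FilterType", "1"): "monitoring", ("FilterType", "2"): "modifying",   # NDIS filter INF values
               ("FilterRunType", "1"): "mandatory", ("FilterRunType", "2"): "optional"}

def triage(events):
    """(category, process, detail) for the writes a triager should act on."""
    out = []
    for ev in (e for e in events if e.op == "write"):
        if RUN_KEY.search(ev.key):                                  # ASEP: runs at every logon
            out.append(("persistence", ev.process, f"{ev.name} = {ev.value}"))
        elif TRUSTED_PUB.search(ev.key) and ev.name == "Blob":      # signer pre-trusted machine-wide
            out.append(("trusted-publisher", ev.process, ev.key.rsplit("\\", 1)[1].upper()))
        elif NDI_KEY.search(ev.key) and ev.name == "Service":       # NDIS filter driver registered
            out.append(("ndis-filter", ev.process, ev.value))
        elif NDI_KEY.search(ev.key) and (ev.name, ev.value) in FILTER_ATTR:
            out.append(("ndis-filter-attr", ev.process, f"{ev.name}={ev.value} ({FILTER_ATTR[ev.name, ev.value]})"))
        elif FILTER_LIST.search(ev.key) and ev.name == "FilterList":  # filter attached to an adapter
            out.append(("filter-binding", ev.process, ev.value))
    return out

if __name__ == "__main__":
    for cat, proc, detail in triage(parse_events(SAMPLE)):
        print(f"{cat:18} {proc:28} {detail}")
```

Run against the full export, the same rules return one persistence entry, one TrustedPublisher write and, for zknetdrv, the Service registration, both numeric Ndi attributes and four FilterList bindings (instances 0005 to 0008). The record splitter relies on the export's fixed field order; if a value is ever a bare image name the lookahead needs a third condition (the line after it must also parse as a key).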
2612
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
400000000000000066AAA57299C1D401340A0000180A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
400000000000000066AAA57299C1D401340A0000180A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
20
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
40000000000000009256137399C1D401340A0000180A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000ECB8157399C1D401340A0000F0050000E803000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
40000000000000003821427499C1D401340A0000F0050000E803000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000EABC157B99C1D401340A0000180A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000EABC157B99C1D401340A0000180A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
4000000000000000C8F62F7B99C1D401340A0000180A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000A6304A7B99C1D401340A00005C0F0000E903000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000547D777B99C1D401340A00005C0F0000E903000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000547D777B99C1D401340A00007C0F0000F903000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
40000000000000001669837B99C1D401340A00007C0F0000F903000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
40000000000000007EF28C7B99C1D401340A0000180A00000A04000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
400000000000000086CEED7C99C1D401340A0000A80F00000A04000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
400000000000000086CEED7C99C1D401340A0000180A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
400000000000000086CEED7C99C1D401340A0000180A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
20
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
0C48A37299C1D401
2612
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000162E2B7399C1D401C00E0000B80C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000162E2B7399C1D401C00E0000C00C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000162E2B7399C1D401C00E0000D0080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000162E2B7399C1D401C00E0000E0080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
400000000000000040A3407399C1D401C00E0000D0080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
40000000000000009A05437399C1D401C00E0000B80C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000009A05437399C1D401C00E0000E0080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000F467457399C1D401C00E0000C00C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
40000000000000004CCE477B99C1D401C00E0000C00C00000104000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
40000000000000004CCE477B99C1D401C00E0000C00C00000104000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000681C567B99C1D401C00E0000C00C0000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000681C567B99C1D401C00E0000E0080000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000681C567B99C1D401C00E0000B80C0000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000D0A55F7B99C1D401C00E0000C00C0000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000D0A55F7B99C1D401C00E0000C00C00000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
40000000000000002A08627B99C1D401C00E0000E0080000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000002A08627B99C1D401C00E0000E00800000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
40000000000000002A08627B99C1D401C00E0000B80C0000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000002A08627B99C1D401C00E0000B80C00000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
400000000000000062A47E7B99C1D401C00E0000E0080000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
400000000000000062A47E7B99C1D401C00E0000C00C0000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
400000000000000062A47E7B99C1D401C00E0000B80C0000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000BC06817B99C1D401C00E0000B80C0000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
40000000000000001669837B99C1D401C00E0000E0080000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
40000000000000001669837B99C1D401C00E0000C00C0000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000007EF28C7B99C1D401C00E0000BC0F00000204000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
400000000000000082603D7C99C1D401C00E0000BC0F00000204000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
400000000000000082603D7C99C1D401C00E0000BC0F0000EA03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000ACD5527C99C1D401C00E0000600F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000ACD5527C99C1D401C00E0000580F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000ACD5527C99C1D401C00E00004C0F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000C2AB897C99C1D401C00E0000600F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000C2AB897C99C1D401C00E0000600F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
400000000000000076708E7C99C1D401C00E0000580F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000076708E7C99C1D401C00E0000580F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000008497957C99C1D401C00E00004C0F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000008497957C99C1D401C00E00004C0F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EA03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EB03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EC03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
40000000000000007E1FBE7C99C1D401C00E00004C0F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
40000000000000007E1FBE7C99C1D401C00E00004C0F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000007E1FBE7C99C1D401C00E00004C0F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000007E1FBE7C99C1D401C00E00002C090000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
40000000000000007E1FBE7C99C1D401C00E0000BC0F0000EC03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
40000000000000007E1FBE7C99C1D401C00E0000BC0F0000ED03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
400000000000000032E4C27C99C1D401C00E0000BC0F0000ED03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
400000000000000032E4C27C99C1D401C00E0000BC0F0000EE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000E6A8C77C99C1D401C00E0000780F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000E6A8C77C99C1D401C00E0000780F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000E6A8C77C99C1D401C00E0000780F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000E6A8C77C99C1D401C00E000044090000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE_SYSTEM (Leave) 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000EE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE_KTM (Enter) 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000F003000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE_KTM (Leave) 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000F003000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE_RM (Enter) 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000EF03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer FREEZE (Enter) 40000000000000004E32D17C99C1D401C00E0000600F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer FREEZE (Leave) 400000000000000002F7D57C99C1D401C00E0000600F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer VSS_WS_WAITING_FOR_THAW (SetCurrentState) 400000000000000002F7D57C99C1D401C00E0000600F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer BKGND_FREEZE_THREAD (Enter) 400000000000000002F7D57C99C1D401C00E0000C0060000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE_RM (Leave) 400000000000000002F7D57C99C1D401C00E0000BC0F0000EF03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher FREEZE (Leave) 400000000000000002F7D57C99C1D401C00E0000BC0F0000EB03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_PRECOMMIT (Enter) 400000000000000002F7D57C99C1D401C00E0000BC0F00000304000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_PRECOMMIT (Leave) 400000000000000002F7D57C99C1D401C00E0000BC0F00000304000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace OPEN_VOLUME_HANDLE (Enter) 400000000000000002F7D57C99C1D401C00E0000BC0F0000FD03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) OPEN_VOLUME_HANDLE (Enter) 400000000000000002F7D57C99C1D401C00E0000D40A0000FD03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) OPEN_VOLUME_HANDLE (Leave) 40000000000000006A80DF7C99C1D401C00E0000D40A0000FD03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace OPEN_VOLUME_HANDLE (Leave) 40000000000000006A80DF7C99C1D401C00E0000BC0F0000FD03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) IOCTL_FLUSH_AND_HOLD (Enter) 40000000000000006A80DF7C99C1D401C00E0000D40A0000FE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) IOCTL_FLUSH_AND_HOLD (Leave) 40000000000000002C6CEB7C99C1D401C00E0000D40A0000FE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) IOCTL_RELEASE (Enter) 40000000000000002C6CEB7C99C1D401C00E0000D40A0000FF03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) IOCTL_RELEASE (Leave) 40000000000000002C6CEB7C99C1D401C00E0000D40A0000FF03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace IOCTL_FLUSH_AND_HOLD (Enter) 40000000000000006A80DF7C99C1D401C00E0000BC0F0000FE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace IOCTL_FLUSH_AND_HOLD (Leave) 40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace IOCTL_RELEASE (Enter) 40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace IOCTL_RELEASE (Leave) 40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_COMMIT (Enter) 40000000000000002C6CEB7C99C1D401C00E0000D00A00000404000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_COMMIT (Leave) 40000000000000002C6CEB7C99C1D401C00E0000D00A00000404000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_POSTCOMMIT (Enter) 40000000000000002C6CEB7C99C1D401C00E0000BC0F00000504000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_POSTCOMMIT (Leave) 400000000000000086CEED7C99C1D401C00E0000BC0F00000504000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher THAW_KTM (Enter) 400000000000000086CEED7C99C1D401C00E0000BC0F0000F403000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher THAW_KTM (Leave) 400000000000000086CEED7C99C1D401C00E0000BC0F0000F403000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher THAW (Enter) 400000000000000086CEED7C99C1D401C00E0000BC0F0000F203000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer THAW (Enter) 4000000000000000EE57F77C99C1D401C00E0000700F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer THAW (Enter) 4000000000000000EE57F77C99C1D401C00E0000600F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer BKGND_FREEZE_THREAD (Leave) 4000000000000000EE57F77C99C1D401C00E00002C090000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer BKGND_FREEZE_THREAD (Leave) 4000000000000000EE57F77C99C1D401C00E0000C0060000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer THAW (Enter) 4000000000000000EE57F77C99C1D401C00E0000780F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer THAW (Leave) 4000000000000000EE57F77C99C1D401C00E0000600F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer THAW (Leave) 4000000000000000EE57F77C99C1D401C00E0000700F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer BKGND_FREEZE_THREAD (Leave) 4000000000000000EE57F77C99C1D401C00E000044090000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) 4000000000000000EE57F77C99C1D401C00E0000600F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) 4000000000000000EE57F77C99C1D401C00E0000700F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer THAW (Leave) 4000000000000000EE57F77C99C1D401C00E0000780F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) 4000000000000000EE57F77C99C1D401C00E0000780F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher THAW (Leave) 4000000000000000EE57F77C99C1D401C00E0000BC0F0000F203000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_PREFINALCOMMIT (Enter) 4000000000000000EE57F77C99C1D401C00E0000BC0F00000604000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_PREFINALCOMMIT (Leave) 4000000000000000FEB5567D99C1D401C00E0000BC0F00000604000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher POSTSNAPSHOT (Enter) 4000000000000000FEB5567D99C1D401C00E0000BC0F0000F503000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer POSTSNAPSHOT (Enter) 4000000000000000CEC8697D99C1D401C00E00004C0F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer POSTSNAPSHOT (Enter) 4000000000000000CEC8697D99C1D401C00E0000640F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer POSTSNAPSHOT (Enter) 4000000000000000CEC8697D99C1D401C00E0000580F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer POSTSNAPSHOT (Leave) 4000000000000000CEC8697D99C1D401C00E00004C0F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) 4000000000000000CEC8697D99C1D401C00E00004C0F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer POSTSNAPSHOT (Leave) 4000000000000000CEC8697D99C1D401C00E0000640F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) 4000000000000000CEC8697D99C1D401C00E0000640F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer POSTSNAPSHOT (Leave) 40000000000000006435397E99C1D401C00E0000580F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) 40000000000000006435397E99C1D401C00E0000580F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher POSTSNAPSHOT (Leave) 40000000000000006435397E99C1D401C00E0000BC0F0000F503000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_POSTFINALCOMMIT (Enter) 40000000000000006435397E99C1D401C00E0000BC0F00000704000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} PROVIDER_POSTFINALCOMMIT (Leave) 40000000000000009CD1557E99C1D401C00E0000BC0F00000704000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher BACKUPSHUTDOWN (Enter) 40000000000000001282667E99C1D401C00E0000BC0F0000FB03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer BACKUPSHUTDOWN (Enter) 40000000000000002ED0747E99C1D401C00E0000580F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer BACKUPSHUTDOWN (Enter) 40000000000000002ED0747E99C1D401C00E00004C0F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer BACKUPSHUTDOWN (Leave) 40000000000000002ED0747E99C1D401C00E0000580F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer BACKUPSHUTDOWN (Enter) 40000000000000002ED0747E99C1D401C00E0000600F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer BACKUPSHUTDOWN (Leave) 40000000000000002ED0747E99C1D401C00E00004C0F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer BACKUPSHUTDOWN (Leave) 40000000000000002ED0747E99C1D401C00E0000600F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 vssvc.exe write HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher BACKUPSHUTDOWN (Leave) 40000000000000002ED0747E99C1D401C00E0000BC0F0000FB03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
1948 DrvInst.exe write HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E LanguageList en-US
2236 marswifi.exe write HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting name MarsWiFi7170
2236 marswifi.exe write HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting password 1234567890
2236 marswifi.exe write HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting wificcnt 1
2236 marswifi.exe write HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting resettray 1
2236 marswifi.exe write HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting wificcnt 2

Files activity

Executable files
2
Suspicious files
12
Text files
163
Unknown types
11

Dropped files

PID Process Filename Type
3584 WinRAR.exe C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe executable
3324 marswifi.exe C:\Windows\system32\drivers\zknetdrv.sys executable
2236 marswifi.exe C:\Program Files\zksoft\marswifi\log\wifi.log text
2236 marswifi.exe C:\Program Files\zksoft\marswifi\log\wifi.log text
2192 MarsWiFi_Setup_3.1.1.2.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\marswifi\Mars WiFi.lnk lnk
2192 MarsWiFi_Setup_3.1.1.2.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\marswifi\Uninstall.lnk lnk
2192 MarsWiFi_Setup_3.1.1.2.exe C:\Users\Public\Desktop\Mars WiFi.lnk lnk
2692 zkdrvinst.exe C:\Users\Administrator\NTUSER.DAT hiv
2692 zkdrvinst.exe C:\Users\Administrator\NTUSER.DAT.LOG1 log
2692 zkdrvinst.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat hiv
2692 zkdrvinst.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 log
3776 vssvc.exe C: ––
2692 zkdrvinst.exe C:\Windows\INF\setupapi.app.log text
2692 zkdrvinst.exe C:\Windows\INF\oem4.PNF pnf
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Tar66D1.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Cab66D0.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Cab668F.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Tar6690.tmp ––
2692 zkdrvinst.exe C:\Windows\INF\setupapi.app.log ini
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Tar6640.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Cab663F.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Cab662D.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\Tar662E.tmp ––
2692 zkdrvinst.exe C:\Windows\inf\setupapi.app.log ini
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log text
2692 zkdrvinst.exe C:\Windows\System32\CatRoot2\dberr.txt text
2612 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
2612 DrvInst.exe C:\Windows\System32\DriverStore\FileRepository\zknetdrv.inf_x86_neutral_8db548eb1284eb4f\zknetdrv.PNF pnf
2612 DrvInst.exe C:\Windows\System32\DriverStore\INFCACHE.1 binary
2612 DrvInst.exe C:\Windows\System32\DriverStore\INFCACHE.2 binary
2612 DrvInst.exe C:\Windows\System32\DriverStore\OLDCACHE.000 ––
2612 DrvInst.exe C:\Windows\System32\DriverStore\INFCACHE.0 ––
2612 DrvInst.exe C:\Windows\System32\DriverStore\infstor.dat binary
2612 DrvInst.exe C:\Windows\System32\DriverStore\infpub.dat binary
2612 DrvInst.exe C:\Windows\System32\DriverStore\infstrng.dat binary
2612 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
2612 DrvInst.exe C:\Windows\INF\oem4.inf binary
1948 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
1948 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
1948 DrvInst.exe C:\Windows\INF\setupapi.ev3 binary
1948 DrvInst.exe C:\Windows\INF\setupapi.ev1 binary
2612 DrvInst.exe C:\System Volume Information\SPP\metadata-2 ––
2612 DrvInst.exe C:\System Volume Information\SPP\OnlineMetadataCache\{3b9edb10-0ac0-437d-8aaf-af5dda1baf75}_OnDiskSnapshotProp binary
2612 DrvInst.exe C:\System Volume Information\SPP\snapshot-2 binary
2612 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
2612 DrvInst.exe C:\Windows\TEMP\Tar1B50.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Cab1B4F.tmp ––
2612 DrvInst.exe C:\Windows\INF\setupapi.dev.log ini
2612 DrvInst.exe C:\Windows\TEMP\Cab1B2E.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Tar1B2F.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Cab1AFD.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Tar1AFE.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Tar1AED.tmp ––
2612 DrvInst.exe C:\Windows\TEMP\Cab1AEC.tmp ––
2612 DrvInst.exe C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\zknetdrv.inf binary
2612 DrvInst.exe C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\SET1AAE.tmp ––
2612 DrvInst.exe C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\zknetdrv.cat cat
2612 DrvInst.exe C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\SET1A9E.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.inf binary
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\SET1A12.tmp ––
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.cat cat
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log ini
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log ini
2692 zkdrvinst.exe C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\SET1A01.tmp ––
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log ini
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log ini
2692 zkdrvinst.exe C:\Windows\INF\setupapi.dev.log ini
2236 marswifi.exe C:\Program Files\zksoft\marswifi\log\wifi.log text
2236 marswifi.exe C:\Program Files\zksoft\marswifi\log\wifi.log text
Network activity

HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3324 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report/ CN text text unknown
2236 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report_open/ CN text text unknown
2236 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report_open/ CN text text unknown
Connections

PID Process IP ASN CN Reputation
3324 marswifi.exe 101.200.194.233:80 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown
2236 marswifi.exe 101.200.194.233:80 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown

DNS requests

Domain IP Reputation
ien.zkytech.com 101.200.194.233 unknown

Threats

No threats detected.

Debug output strings

Process Message
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle