General Info

File name

MarsWiFi_Setup_3.1.1.2.rar

Full analysis
https://app.any.run/tasks/39be8ee2-5995-4e2a-b0c3-c474094d12d7
Verdict
Malicious activity
Analysis date
2/11/2019, 00:35:26
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

846d7bca8809482b04524a8c805c7b04

SHA1

bbe66c49bd7f4913c57e046a3be99754efdf7ab0

SHA256

a461f198b83ba05f9d0582d68a8e570c965639def2e092476e365a1e741885a0

SSDEEP

49152:JEnI2Zz7mv0QdpcWN/0gDmV66cqGRevJ1DsZ/Iow0hQC1+O233ANTee0G1:JCTQdni66cxox1YZwoJQxXJ81

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Changes settings of System certificates
  • marswifi.exe (PID: 3324)
Application was dropped or rewritten from another process
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Creates files in the driver directory
  • DrvInst.exe (PID: 2612)
  • marswifi.exe (PID: 3324)
Creates files in the Windows directory
  • DrvInst.exe (PID: 2612)
  • zkdrvinst.exe (PID: 2692)
  • marswifi.exe (PID: 3324)
Searches for installed software
  • DrvInst.exe (PID: 2612)
Removes files from Windows directory
  • DrvInst.exe (PID: 2612)
Creates files in the program directory
  • marswifi.exe (PID: 2236)
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Creates a software uninstall entry
  • MarsWiFi_Setup_3.1.1.2.exe (PID: 2192)
Executable content was dropped or overwritten
  • marswifi.exe (PID: 3324)
  • WinRAR.exe (PID: 3584)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3776)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
  • .rar | RAR compressed archive (v5.0) (61.5%)
  • .rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
49
Monitored processes
11
Malicious processes
2
Suspicious processes
1

Behavior graph

start
  • winrar.exe
  • marswifi_setup_3.1.1.2.exe
  • marswifi.exe
  • zkdrvinst.exe (no specs)
  • drvinst.exe (no specs)
  • vssvc.exe (no specs)
  • drvinst.exe (no specs)
  • zkservice.exe (no specs)
  • zkservice.exe (no specs)
  • zkservice.exe (no specs)
  • marswifi.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3584
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2192
CMD
"C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe"
Path
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZhangKong Soft
Description
zksetup
Version
1.0.0.1
Modules
Image
c:\users\admin\desktop\marswifi_setup_3.1.1.2\marswifi_setup_3.1.1.2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\program files\zksoft\marswifi\marswifi.exe
c:\program files\zksoft\marswifi\zkservice.exe
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
3324
CMD
"C:\Program Files\zksoft\marswifi\marswifi.exe" -a:inst
Path
C:\Program Files\zksoft\marswifi\marswifi.exe
Indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZhangKong Soft
Description
marswifi
Version
2.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\marswifi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\zksoft\marswifi\msvcp80.dll
c:\program files\zksoft\marswifi\msvcr80.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\program files\zksoft\marswifi\dump.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\apphelp.dll
c:\program files\zksoft\marswifi\drivers\zkdrvinst.exe

PID
2692
CMD
"C:\Program Files\zksoft\marswifi\drivers\zkdrvinst.exe" -v -l zknetdrv.inf -c s -i zknetdrv
Path
C:\Program Files\zksoft\marswifi\drivers\zkdrvinst.exe
Indicators
No indicators
Parent process
marswifi.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
ZK Internet Technology Co., Ltd.
Description
driver install
Version
1,0,0,1
Modules
Image
c:\program files\zksoft\marswifi\drivers\zkdrvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\newdev.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\drivers\pacer.sys
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\lltdres.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\sstpsvc.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\mprmsg.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshnetbs.dll

PID
2612
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.inf" "0" "6aa438bf7" "000005AC" "WinSta0\Default" "000002D0" "208" "C:\Program Files\zksoft\marswifi\drivers\win7"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\spinf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
3776
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
1948
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C8" "000005C4"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
2188
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /install /name zkservice /dispname zksrvc /description "zk net core service" /order zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3112
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /start zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
340
CMD
"C:\Program Files\zksoft\marswifi\zkservice.exe" /service zkservice
Path
C:\Program Files\zksoft\marswifi\zkservice.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
ZhangKong Soft
Description
zk core service
Version
1.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\zkservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll

PID
2236
CMD
"C:\Program Files\zksoft\marswifi\marswifi.exe" -f:installer
Path
C:\Program Files\zksoft\marswifi\marswifi.exe
Indicators
Parent process
MarsWiFi_Setup_3.1.1.2.exe
User
admin
Integrity Level
HIGH
Version:
Company
ZhangKong Soft
Description
marswifi
Version
2.0.0.1
Modules
Image
c:\program files\zksoft\marswifi\marswifi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\zksoft\marswifi\msvcp80.dll
c:\program files\zksoft\marswifi\msvcr80.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\program files\zksoft\marswifi\dump.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\program files\zksoft\marswifi\zkwificore.dll
c:\program files\zksoft\marswifi\raapapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\program files\zksoft\marswifi\rtllib.dll
c:\windows\system32\wtsapi32.dll
c:\program files\zksoft\marswifi\rtlihvoid.dll
c:\windows\system32\wlanui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\atl.dll
c:\windows\system32\dui70.dll
c:\windows\system32\credui.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\zksoft\marswifi\zkcore.dll
c:\windows\system32\netshell.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\slc.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
1013
Read events
722
Write events
289
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3584
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2.rar
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3584
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
PID | Process | Operation | Key | Name | Value
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000100103000000000039000000B40200000000000001000000
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003401010000000000160000002A0000000000000002000000
3584 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000200101000000000016000000640000000000000003000000
2192 | MarsWiFi_Setup_3.1.1.2.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | |
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | ver | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | channel | 4149
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | product | wifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | lang | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | coverinst | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\temp | guid | {22120718-D9A1-4AC2-83C8-A2EE42EF867F}
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayIcon | C:\Program Files\zksoft\marswifi\marswifi.exe
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayName | Mars WiFi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | Publisher | ZK Corporation
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | URLInfoAbout | http://www.zkytech.com
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | EstimatedSize | 3910
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | DisplayVersion | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\marswifi | UninstallString | C:\Program Files\zksoft\marswifi\unist000.exe
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | instpath | C:\Program Files\zksoft\marswifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | ver | 3.1.1.2
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | channel | 4149
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | product | wifi
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | lang | 0
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | time | 1549841816
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi | guid | {22120718-D9A1-4AC2-83C8-A2EE42EF867F}
2192 | MarsWiFi_Setup_3.1.1.2.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | marswifi | "C:\Program Files\zksoft\marswifi\marswifi.exe" /autorun
3324 | marswifi.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\EEBBA1954ECB13F2D04296BC1F2AE7D90EF068A9 | Blob |
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.dev.log | 4096
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder | | Sample Netcfg Application (netcfg.exe)
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\System32\drivers\pacer.sys,-100 | Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @netcfgx.dll,-50003 | Allows other computers to access resources on your computer using a Microsoft network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @netcfgx.dll,-50002 | Allows your computer to access resources on a Microsoft network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @tcpipcfg.dll,-50002 | TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\tcpipcfg.dll,-50001 | Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\lltdres.dll,-4 | Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%SystemRoot%\system32\lltdres.dll,-3 | Allows this PC to be discovered and located on the network.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32010 | Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32009 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\rascfg.dll,-32008 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @%systemroot%\system32\sstpsvc.dll,-203 | Allows you to securely connect to a private network using the Internet.
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.app.log | 4096
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | Service | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | CoServices | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | HelpText | ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterClass | compression
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterType | 2
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | UpperRange | noupper
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | LowerRange | nolower
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi\Interfaces | FilterMediaTypes | ethernet, wan, ppip
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | FilterRunType | 1
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList | NDIS | 170000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000150000001600000017000000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | Characteristics | 262144
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfPath | C:\Windows\INF\oem4.inf
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfSection | Install
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | LocDescription | @oem4.inf,%zknetdrv_desc%;ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | Description | ZK NET Driver
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | ComponentId | zknetdrv
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}\Ndi | TimeStamp | E307020000000A00170024003100AD01
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InfPath | oem4.inf
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7} | InstallTimeStamp | E307020000000A00170024003100BD01
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Bind | \Device\{DCB14C61-690D-46F7-8A89-150432FA5C44}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Route | "{DCB14C61-690D-46F7-8A89-150432FA5C44}"
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NdisWan\Linkage | Export | \Device\NdisWan_{DCB14C61-690D-46F7-8A89-150432FA5C44}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005 | NetCfgInstanceId | {F3229805-869E-479E-BA76-DD643F1D1B80}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | RootDevice | NdisWanIpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | UpperBind | Wanarpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | Export | \Device\NdisWanIpv6
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006 | NetCfgInstanceId | {72DD97A9-E544-4915-88D8-44E829C34F68}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | RootDevice | NdisWanBh
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | UpperBind |
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | Export | \Device\NdisWanBh
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008 | NetCfgInstanceId | {7C5653F0-144A-4534-9E34-28AC99CBA85E}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | RootDevice | NdisWanIp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | UpperBind | Wanarp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | Export | \Device\NdisWanIp
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007 | NetCfgInstanceId | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | RootDevice | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | UpperBind | Ndisuio
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | Export | \Device\{4040CF00-1B3E-486A-B407-FA14C56B6FC0}
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Linkage | FilterList | {4040CF00-1B3E-486A-B407-FA14C56B6FC0}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\Linkage | FilterList | {7C5653F0-144A-4534-9E34-28AC99CBA85E}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\Linkage | FilterList | {72DD97A9-E544-4915-88D8-44E829C34F68}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\Linkage | FilterList | {F3229805-869E-479E-BA76-DD643F1D1B80}-{ECF6F105-22E8-4DD6-BF3D-BF92A1A61BD7}-0000
2692 | zkdrvinst.exe | delete key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder | |
2612 | DrvInst.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | 400000000000000066AAA57299C1D401340A0000180A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppCreate (Enter) | 400000000000000066AAA57299C1D401340A0000180A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | LastIndex | 20
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppGatherWriterMetadata (Enter) | 40000000000000009256137399C1D401340A0000180A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Enter) | 4000000000000000ECB8157399C1D401340A0000F0050000E803000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Leave) | 40000000000000003821427499C1D401340A0000F0050000E803000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppGatherWriterMetadata (Leave) | 4000000000000000EABC157B99C1D401340A0000180A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppAddInterestingComponents (Enter) | 4000000000000000EABC157B99C1D401340A0000180A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppAddInterestingComponents (Leave) | 4000000000000000C8F62F7B99C1D401340A0000180A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | PREPAREBACKUP (Enter) | 4000000000000000A6304A7B99C1D401340A00005C0F0000E903000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | PREPAREBACKUP (Leave) | 4000000000000000547D777B99C1D401340A00005C0F0000E903000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | GETSTATE (Enter) | 4000000000000000547D777B99C1D401340A00007C0F0000F903000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | GETSTATE (Leave) | 40000000000000001669837B99C1D401340A00007C0F0000F903000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | DOSNAPSHOT (Enter) | 40000000000000007EF28C7B99C1D401340A0000180A00000A04000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | DOSNAPSHOT (Leave) | 400000000000000086CEED7C99C1D401340A0000A80F00000A04000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppCreate (Leave) | 400000000000000086CEED7C99C1D401340A0000180A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Leave) | 400000000000000086CEED7C99C1D401340A0000180A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | FirstRun | 0
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | LastIndex | 20
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | NestingLevel | 1
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | StartNesting | 0C48A37299C1D401
2612 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | NestingLevel | 0
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | 4000000000000000162E2B7399C1D401C00E0000B80C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | 4000000000000000162E2B7399C1D401C00E0000C00C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Enter) | 4000000000000000162E2B7399C1D401C00E0000D0080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | 4000000000000000162E2B7399C1D401C00E0000E0080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Leave) | 400000000000000040A3407399C1D401C00E0000D0080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Leave) | 40000000000000009A05437399C1D401C00E0000B80C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Leave) | 40000000000000009A05437399C1D401C00E0000E0080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Leave) | 4000000000000000F467457399C1D401C00E0000C00C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_BEGINPREPARE (Enter) | 40000000000000004CCE477B99C1D401C00E0000C00C00000104000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_BEGINPREPARE (Leave) | 40000000000000004CCE477B99C1D401C00E0000C00C00000104000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPAREBACKUP (Enter) | 4000000000000000681C567B99C1D401C00E0000C00C0000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPAREBACKUP (Enter) | 4000000000000000681C567B99C1D401C00E0000E0080000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPAREBACKUP (Enter) | 4000000000000000681C567B99C1D401C00E0000B80C0000E903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPAREBACKUP (Leave) | 4000000000000000D0A55F7B99C1D401C00E0000C00C0000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_STABLE (SetCurrentState) | 4000000000000000D0A55F7B99C1D401C00E0000C00C00000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPAREBACKUP (Leave) | 40000000000000002A08627B99C1D401C00E0000E0080000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_STABLE (SetCurrentState) | 40000000000000002A08627B99C1D401C00E0000E00800000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPAREBACKUP (Leave) | 40000000000000002A08627B99C1D401C00E0000B80C0000E903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_STABLE (SetCurrentState) | 40000000000000002A08627B99C1D401C00E0000B80C00000100000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | GETSTATE (Enter) | 400000000000000062A47E7B99C1D401C00E0000E0080000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | GETSTATE (Enter) | 400000000000000062A47E7B99C1D401C00E0000C00C0000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | GETSTATE (Enter) | 400000000000000062A47E7B99C1D401C00E0000B80C0000F903000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | GETSTATE (Leave) | 4000000000000000BC06817B99C1D401C00E0000B80C0000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | GETSTATE (Leave) | 40000000000000001669837B99C1D401C00E0000E0080000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | GETSTATE (Leave) | 40000000000000001669837B99C1D401C00E0000C00C0000F903000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_ENDPREPARE (Enter) | 40000000000000007EF28C7B99C1D401C00E0000BC0F00000204000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_ENDPREPARE (Leave) | 400000000000000082603D7C99C1D401C00E0000BC0F00000204000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | PREPARESNAPSHOT (Enter) | 400000000000000082603D7C99C1D401C00E0000BC0F0000EA03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPARESNAPSHOT (Enter) | 4000000000000000ACD5527C99C1D401C00E0000600F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPARESNAPSHOT (Enter) | 4000000000000000ACD5527C99C1D401C00E0000580F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPARESNAPSHOT (Enter) | 4000000000000000ACD5527C99C1D401C00E00004C0F0000EA03000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPARESNAPSHOT (Leave) | 4000000000000000C2AB897C99C1D401C00E0000600F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 4000000000000000C2AB897C99C1D401C00E0000600F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPARESNAPSHOT (Leave) | 400000000000000076708E7C99C1D401C00E0000580F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 400000000000000076708E7C99C1D401C00E0000580F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPARESNAPSHOT (Leave) | 40000000000000008497957C99C1D401C00E00004C0F0000EA03000000000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 40000000000000008497957C99C1D401C00E00004C0F00000200000001000000010000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | PREPARESNAPSHOT (Leave) | 4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EA03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE (Enter) | 4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EB03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_FRONT (Enter) | 4000000000000000CA5AB97C99C1D401C00E0000BC0F0000EC03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | FREEZE (Enter) | 40000000000000007E1FBE7C99C1D401C00E00004C0F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | FREEZE (Leave) | 40000000000000007E1FBE7C99C1D401C00E00004C0F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 40000000000000007E1FBE7C99C1D401C00E00004C0F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | BKGND_FREEZE_THREAD (Enter) | 40000000000000007E1FBE7C99C1D401C00E00002C090000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_FRONT (Leave) | 40000000000000007E1FBE7C99C1D401C00E0000BC0F0000EC03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_BACK (Enter) | 40000000000000007E1FBE7C99C1D401C00E0000BC0F0000ED03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_BACK (Leave) | 400000000000000032E4C27C99C1D401C00E0000BC0F0000ED03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_SYSTEM (Enter) | 400000000000000032E4C27C99C1D401C00E0000BC0F0000EE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | FREEZE (Enter) | 4000000000000000E6A8C77C99C1D401C00E0000780F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | FREEZE (Leave) | 4000000000000000E6A8C77C99C1D401C00E0000780F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 4000000000000000E6A8C77C99C1D401C00E0000780F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | BKGND_FREEZE_THREAD (Enter) | 4000000000000000E6A8C77C99C1D401C00E000044090000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_SYSTEM (Leave) | 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000EE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_KTM (Enter) | 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000F003000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_KTM (Leave) | 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000F003000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_RM (Enter) | 40000000000000009A6DCC7C99C1D401C00E0000BC0F0000EF03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | FREEZE (Enter) | 40000000000000004E32D17C99C1D401C00E0000600F0000EB03000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | FREEZE (Leave) | 400000000000000002F7D57C99C1D401C00E0000600F0000EB03000000000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 400000000000000002F7D57C99C1D401C00E0000600F00000300000001000000020000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | BKGND_FREEZE_THREAD (Enter) | 400000000000000002F7D57C99C1D401C00E0000C0060000FC03000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_RM (Leave) | 400000000000000002F7D57C99C1D401C00E0000BC0F0000EF03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE (Leave) | 400000000000000002F7D57C99C1D401C00E0000BC0F0000EB03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PRECOMMIT (Enter) | 400000000000000002F7D57C99C1D401C00E0000BC0F00000304000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PRECOMMIT (Leave) | 400000000000000002F7D57C99C1D401C00E0000BC0F00000304000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | OPEN_VOLUME_HANDLE (Enter) | 400000000000000002F7D57C99C1D401C00E0000BC0F0000FD03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | OPEN_VOLUME_HANDLE (Enter) | 400000000000000002F7D57C99C1D401C00E0000D40A0000FD03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | OPEN_VOLUME_HANDLE (Leave) | 40000000000000006A80DF7C99C1D401C00E0000D40A0000FD03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | OPEN_VOLUME_HANDLE (Leave) | 40000000000000006A80DF7C99C1D401C00E0000BC0F0000FD03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000006A80DF7C99C1D401C00E0000D40A0000FE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000002C6CEB7C99C1D401C00E0000D40A0000FE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
40000000000000002C6CEB7C99C1D401C00E0000D40A0000FF03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
40000000000000002C6CEB7C99C1D401C00E0000D40A0000FF03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000006A80DF7C99C1D401C00E0000BC0F0000FE03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FE03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
40000000000000002C6CEB7C99C1D401C00E0000BC0F0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
40000000000000002C6CEB7C99C1D401C00E0000D00A00000404000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
40000000000000002C6CEB7C99C1D401C00E0000D00A00000404000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
40000000000000002C6CEB7C99C1D401C00E0000BC0F00000504000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
400000000000000086CEED7C99C1D401C00E0000BC0F00000504000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
400000000000000086CEED7C99C1D401C00E0000BC0F0000F403000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
400000000000000086CEED7C99C1D401C00E0000BC0F0000F403000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
400000000000000086CEED7C99C1D401C00E0000BC0F0000F203000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000EE57F77C99C1D401C00E0000700F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000EE57F77C99C1D401C00E0000600F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000EE57F77C99C1D401C00E00002C090000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000EE57F77C99C1D401C00E0000C0060000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000EE57F77C99C1D401C00E0000780F0000F203000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000EE57F77C99C1D401C00E0000600F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000EE57F77C99C1D401C00E0000700F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000EE57F77C99C1D401C00E000044090000FC03000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000EE57F77C99C1D401C00E0000600F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000EE57F77C99C1D401C00E0000700F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000EE57F77C99C1D401C00E0000780F0000F203000000000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000EE57F77C99C1D401C00E0000780F00000400000001000000030000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000EE57F77C99C1D401C00E0000BC0F0000F203000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000EE57F77C99C1D401C00E0000BC0F00000604000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000FEB5567D99C1D401C00E0000BC0F00000604000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000FEB5567D99C1D401C00E0000BC0F0000F503000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000CEC8697D99C1D401C00E00004C0F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000CEC8697D99C1D401C00E0000640F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000CEC8697D99C1D401C00E0000580F0000F503000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
4000000000000000CEC8697D99C1D401C00E00004C0F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000CEC8697D99C1D401C00E00004C0F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000CEC8697D99C1D401C00E0000640F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000CEC8697D99C1D401C00E0000640F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
40000000000000006435397E99C1D401C00E0000580F0000F503000000000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000006435397E99C1D401C00E0000580F00000500000001000000040000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
40000000000000006435397E99C1D401C00E0000BC0F0000F503000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
40000000000000006435397E99C1D401C00E0000BC0F00000704000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000009CD1557E99C1D401C00E0000BC0F00000704000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
40000000000000001282667E99C1D401C00E0000BC0F0000FB03000001000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
40000000000000002ED0747E99C1D401C00E0000580F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
40000000000000002ED0747E99C1D401C00E00004C0F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
40000000000000002ED0747E99C1D401C00E0000580F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
40000000000000002ED0747E99C1D401C00E0000600F0000FB03000001000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
40000000000000002ED0747E99C1D401C00E00004C0F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
40000000000000002ED0747E99C1D401C00E0000600F0000FB03000000000000050000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
3776
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
40000000000000002ED0747E99C1D401C00E0000BC0F0000FB03000000000000000000000000000010DB9E3BC00A7D438AAFAF5DDA1BAF750000000000000000
1948
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2236
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting
name
MarsWiFi7170
2236
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting
password
1234567890
2236
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting
wificcnt
1
2236
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting
resettray
1
2236
marswifi.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\zksoft\marswifi\setting
wificcnt
2

Files activity

Executable files
2
Suspicious files
12
Text files
163
Unknown types
11

Dropped files

PID
Process
Filename
Type
3584
WinRAR.exe
C:\Users\admin\Desktop\MarsWiFi_Setup_3.1.1.2\MarsWiFi_Setup_3.1.1.2.exe
executable
MD5: b5a7cd45a7fd7607db90d9192d9c991c
SHA256: 0bff01c6e0c68116c6f90ce4d74d4833c3ce01cc1e5970af3df5ef45f201cbcd
3324
marswifi.exe
C:\Windows\system32\drivers\zknetdrv.sys
executable
MD5: c5b653b578045732308c555201bd6926
SHA256: d8d3b9b78b35f121bd0589b7ee00ff1c56f14efafbe3e6e6c86d3ee8b2490e28
2236
marswifi.exe
C:\Program Files\zksoft\marswifi\log\wifi.log
text
MD5: 1f7e1638f697eb9a337293da2f2a4b83
SHA256: 8ed70cdb33a513fc6e19ceea0b2a6fac9a14bca25e09db0bf87103d3f6fd04d4
2236
marswifi.exe
C:\Program Files\zksoft\marswifi\log\wifi.log
text
MD5: 96898e3a3a616ab824627cf5facf6b0c
SHA256: 682dc92e7203ed70a4c99824f8ec7c0ff75d9a6521023c07d2c17ca101762afc
2192
MarsWiFi_Setup_3.1.1.2.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\marswifi\Uninstall.lnk
lnk
MD5: 4ae02a9599e43e6534f46c41e548780f
SHA256: 364d9f8ad2d21d4926936148627d51c6f7aa2bdeaa90422ba4c71b8e6d34a7ab
2192
MarsWiFi_Setup_3.1.1.2.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\marswifi\Mars WiFi.lnk
lnk
MD5: b58e70fcfb07a0a3a249d404bbc6fc78
SHA256: 902fc5ccc79e09f4a0ca7235a52dc90ea40d324daab7e4974ef8b1fe50ced8aa
2192
MarsWiFi_Setup_3.1.1.2.exe
C:\Users\Public\Desktop\Mars WiFi.lnk
lnk
MD5: b34011d299dd3b9fe6d777686dc8728c
SHA256: 244460599ee7ff8030f2c1aa5eea5a51af0d9f0a615be376a890cfbcfca0504f
2692
zkdrvinst.exe
C:\Users\Administrator\NTUSER.DAT
hiv
MD5: d47f8276b7cc85db32cac19ed727b6bd
SHA256: e1a385955ac5535752fe4f96c45643bd96e09a829e4b0ad3a21a1d6df0e9735d
2692
zkdrvinst.exe
C:\Users\Administrator\NTUSER.DAT.LOG1
log
MD5: 321315af5dc6383e58f19b838011d40d
SHA256: c115e94f6e888e06c76723340e4fc99299b1f281fc07f449ca6a2c3e7c345ebd
2692
zkdrvinst.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
hiv
MD5: c5ba55f82717b39b3ed109b97c696f5a
SHA256: 4636397cdc191c5816511275ac300efe93eeaf29574deea159e2875dcb81e895
2692
zkdrvinst.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
log
MD5: 83e7b7c32a5b5e7ddf0894802c6a52f2
SHA256: f73b5896ab80e9dd8101cf7737387071781a3c84404cb976650829b6c9ef2ca7
3776
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.app.log
text
MD5: ece690c34aad59176b9579798a098900
SHA256: 34dcac123261168ed1c5b03fadf082b321167061e80739186e7aec007e6f70a2
2692
zkdrvinst.exe
C:\Windows\INF\oem4.PNF
pnf
MD5: 362c6a53522ef51010e14b7b7794e3dc
SHA256: 6e68f96826234ee74bd26857e3be553e2a86897dbe8401492bae9cfbc6c68e7f
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Tar66D1.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Cab66D0.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Cab668F.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Tar6690.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.app.log
ini
MD5: bd101de395f4ba4ae7605d14805d897b
SHA256: 78014d7b8ad2d3039b8c8b072c89ce4cdea433d54a089a24e8c6081c27053577
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Tar6640.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Cab663F.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Cab662D.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\Tar662E.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Windows\inf\setupapi.app.log
ini
MD5: bd101de395f4ba4ae7605d14805d897b
SHA256: 78014d7b8ad2d3039b8c8b072c89ce4cdea433d54a089a24e8c6081c27053577
2692
zkdrvinst.exe
C:\Windows\System32\CatRoot2\dberr.txt
text
MD5: 242f4416bd72615844c11256f0103858
SHA256: b030599d3b906b354407e98831599964b9106ae86cb56b8c88511a2ee1bb6f0f
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 3b66e462481f928d1ade44aa9456fa22
SHA256: 65167c55921c06a1664ab6b5c102180e6d900d293d2d2b2b4c3372d0b4fb6068
2612
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 28b14e8450af45409d56bc4f7d5f53ad
SHA256: 6eb76bcda00544be5f6540cfd5d4c185a7639ad5cd687be0d06459d04931c68f
2612
DrvInst.exe
C:\Windows\System32\DriverStore\FileRepository\zknetdrv.inf_x86_neutral_8db548eb1284eb4f\zknetdrv.PNF
pnf
MD5: 201e6f5c06c2ed8871690e068b4a91f9
SHA256: ee5e2a17ed9828e19cf7ae1fa986a516b42bb73baa8b797ff2aee1279a86aae4
2612
DrvInst.exe
C:\Windows\System32\DriverStore\INFCACHE.2
binary
MD5: 911920559abab841a5a34a42843fa70c
SHA256: 1abf48cc7f4f8849e04c1d1fe1b2ab0fd09d7510da8c3167d5fe359b6df7c2bc
2612
DrvInst.exe
C:\Windows\System32\DriverStore\INFCACHE.1
binary
MD5: 911920559abab841a5a34a42843fa70c
SHA256: 1abf48cc7f4f8849e04c1d1fe1b2ab0fd09d7510da8c3167d5fe359b6df7c2bc
2612
DrvInst.exe
C:\Windows\System32\DriverStore\OLDCACHE.000
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\System32\DriverStore\INFCACHE.0
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\System32\DriverStore\infstor.dat
binary
MD5: 48985472148d9393d1a5e4aff2ebd058
SHA256: 0df42c8663c6bcce98958900a56a6ce23a5ce51ee4ee81290e3a54c030c6cce2
2612
DrvInst.exe
C:\Windows\System32\DriverStore\infpub.dat
binary
MD5: b394dc5a5352e6ece92d485da1e976cb
SHA256: 852b9c7421b3b023276c91e996a64d95dcbd8fbe1e37bfdf87830e3f9a9d2931
2612
DrvInst.exe
C:\Windows\System32\DriverStore\infstrng.dat
binary
MD5: 96b13e7319e7315a78df80c72e181c15
SHA256: 216126313e7aa3fe3aa49c4afcbd8cb0f02b496db357322ae9952339c0eeebab
2612
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 6d8d93825f761ad16b712dbdcd05df05
SHA256: aab7a39a79cce6d6b48910c4192037d7650e44f3b6168eb303a0f77dbcc5bd40
2612
DrvInst.exe
C:\Windows\INF\oem4.inf
binary
MD5: dfcb1efa8899ab08aba8feeb62da6583
SHA256: 2e3c2d40d8ca3b4c8c3583136bb216b00d3b7e4c5432f512a4892c03cc70e20b
1948
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 5bf6410a4106939548a9fcbd99022a02
SHA256: c41c0a132c926409423f32c2de55c02554c486052bd16432b447efa2fc46d615
1948
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: cfa536f39b1b0391b45ce7cf48d9b015
SHA256: 1e3bf6076b5fed454dc0b9bb84c4acae02a1ac9665ab40cf1b3cc4c9dc2feffa
1948
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 78f4cef3cb8a8d8edd882be4a8d3b6b7
SHA256: ae0c123710ff00f087ae5e6ddef0d53f2bbbafb1cf382a46b571d6b1b71cd386
1948
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 76dcc60f78b3dff1ae3627619074f465
SHA256: 18541ac1875315c4f9eff75050c574faff83717c029dae6b366f9c6c3f0c19e0
2612
DrvInst.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{3b9edb10-0ac0-437d-8aaf-af5dda1baf75}_OnDiskSnapshotProp
binary
MD5: 206f4ce4bd8053d6035753513aae5834
SHA256: 0203767e7b67c5e35644475f4ce4e48cb3eb58aa4e5d8526d8ecfe7ff36db156
2612
DrvInst.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: 206f4ce4bd8053d6035753513aae5834
SHA256: 0203767e7b67c5e35644475f4ce4e48cb3eb58aa4e5d8526d8ecfe7ff36db156
2612
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 77901cad7b11f527d1c4891e38289af6
SHA256: f206c593e979c00fc9c8964a8d3c66008d574b6406bc2609a04b9c28e1c2202c
2612
DrvInst.exe
C:\Windows\TEMP\Tar1B50.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Cab1B4F.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: b591fbe8749c8eeb2cc0ace95366bc50
SHA256: dc5b07d2a8cd3ba4532a5bc62cab8cafb7afd227e85bc93906f72b25c91fde6e
2612
DrvInst.exe
C:\Windows\TEMP\Cab1B2E.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Tar1B2F.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Cab1AFD.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Tar1AFE.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Tar1AED.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\TEMP\Cab1AEC.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\zknetdrv.inf
binary
MD5: dfcb1efa8899ab08aba8feeb62da6583
SHA256: 2e3c2d40d8ca3b4c8c3583136bb216b00d3b7e4c5432f512a4892c03cc70e20b
2612
DrvInst.exe
C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\SET1AAE.tmp
––
MD5:  ––
SHA256:  ––
2612
DrvInst.exe
C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\zknetdrv.cat
cat
MD5: d3bcb2cef803948ba5d376f311744d00
SHA256: 6e39c090c763d5074d9ced0eb7524ed8626bc57df5ad0aa95547c556827bf912
2612
DrvInst.exe
C:\Windows\System32\DriverStore\Temp\{2ef4a033-5f64-5d49-18e7-566e77ccdc4b}\SET1A9E.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.inf
binary
MD5: dfcb1efa8899ab08aba8feeb62da6583
SHA256: 2e3c2d40d8ca3b4c8c3583136bb216b00d3b7e4c5432f512a4892c03cc70e20b
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\SET1A12.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: a527dd6848f55edbed2347bf9ae1eecd
SHA256: ec4ccf2be93ee20d2c20d8296b4ba061a76f6b1b1483a4096b1b69a4405164f3
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: b591fbe8749c8eeb2cc0ace95366bc50
SHA256: dc5b07d2a8cd3ba4532a5bc62cab8cafb7afd227e85bc93906f72b25c91fde6e
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\zknetdrv.cat
cat
MD5: d3bcb2cef803948ba5d376f311744d00
SHA256: 6e39c090c763d5074d9ced0eb7524ed8626bc57df5ad0aa95547c556827bf912
2692
zkdrvinst.exe
C:\Users\admin\AppData\Local\Temp\{18fb58f0-a63b-526c-a120-791a0c847d6a}\SET1A01.tmp
––
MD5:  ––
SHA256:  ––
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 489709e12251f2fb9b63566344bf20aa
SHA256: 09fc8c80277b5f4d5804e74fb7f0501bcaf2d482343fb88c9fea33ff7e969805
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 5173d8133178f3790b423df293adb707
SHA256: dce4ab36b3644db86f9e8020c276f774dc10dd879c319510b62e4be3e66fdda0
2692
zkdrvinst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 79f44949a11c92642afa25b30eced203
SHA256: 2e3703fee2cbd1927ca0a7b957dd69ee12d8db37ffc55e196e2093e9f213cb5b
2236
marswifi.exe
C:\Program Files\zksoft\marswifi\log\wifi.log
text
MD5: 828b8afe784b0543dc3cfac88c8aa14f
SHA256: bfdb6a36fad26ba40740924961b80654e3cab5b3c3aec4b186187231e3c99ed5
2236
marswifi.exe
C:\Program Files\zksoft\marswifi\log\wifi.log
text
MD5: 7af434154a492ea3fce15dd76b92c462
SHA256: 14a2501120a1a027efe43ba6073aeab8a38a178561fb7168585fe212e2e70df3

Network activity

HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3324 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report/ CN text text unknown
2236 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report_open/ CN text text unknown
2236 marswifi.exe POST 200 101.200.194.233:80 http://ien.zkytech.com/report_open/ CN text text unknown

Connections

PID Process IP ASN CN Reputation
3324 marswifi.exe 101.200.194.233:80 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown
2236 marswifi.exe 101.200.194.233:80 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown

DNS requests

Domain IP Reputation
ien.zkytech.com 101.200.194.233 unknown

Threats

No threats detected.

Debug output strings

Process Message
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle
marswifi.exe RtlIhvOid :: WlanOpenHandle hClientHandle