0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
Size

15.8MB
MD5

9295f9f0f78b9d5fa9a2fc35df0375f8
SHA1

7f7e3eda0d4ae74bf478af0adbf1acbb91d120c5
SHA256

0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba
SHA512

eda20c302be4e1d45d9ea4371d3ffda7879f361384cbc4e9c3afd4d0c03a1015a117ec5cb9291461a65afa4f70f3b808340c3a821bb74765e6ad259406732b16
SSDEEP

393216:nnh8jy6vL6wNUC91GQCjYvJbJEtl8vPpDmRzMuTPy6Ya4G:nKp3HGhjkJEgvJ6yHa4G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
2652	mgxitt.exe
2780	mgxitt.exe
2824	TaskSetter.exe
2720	HzzInstaller.exe
1704	hzzSrvInit.exe
2004	sllsrv.exe
2964	TaskSetter.exe
2512	sll.exe
2776	start.exe
2796	checkFirewall.exe
2816	nvsc.exe
1204	TaskSetter.exe
1256	Process not Found
1556	hzzSrvInit.exe
2232	sll.exe
1664	start.exe
2256	nvsc.exe
2896	checkFirewall.exe
3040	TaskSetter.exe

Loads dropped DLL 36 IoCs

pid	Process
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2624	cmd.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2004	sllsrv.exe
2004	sllsrv.exe
2004	sllsrv.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2776	start.exe
2816	nvsc.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2512	sll.exe
2232	sll.exe
2232	sll.exe
2232	sll.exe
2232	sll.exe
2232	sll.exe
2232	sll.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DE0101390D8E4B74E3DD39ACA5B00000_663C30C89105586D8E95482DD2BF39DF	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E27A8B410E0EDAFAC69CF63C722B073D	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E27A8B410E0EDAFAC69CF63C722B073D	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB5E2F83CE9B8330B0590B7CD2E5FF2E	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0101390D8E4B74E3DD39ACA5B00000_663C30C89105586D8E95482DD2BF39DF	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	sllsrv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\msvcp90.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\dxbase.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\sll.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\drivers	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\System.Data.SQLite.Linq.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ctlexe\drivers\win7_x86\tmctldrv.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_Win8.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\wx\wxmsdk.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\pscfg.dat	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\file.bat	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
File created	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\bansf64.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\fmtm\start.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\shChange\shChange4.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\metemp.db	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ctlexe\drivers	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\Config.txt	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms40.exe.config	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\drivers\win7_amd64\ptprc.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\msvcp90.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon64_wfp_Win81.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\History360	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\x64	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\AntiDivulge64.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\drivers\win7_amd64\ptprc.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\AvFltSdk64.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms.exe.config	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\shomectl.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\startDLP.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\OMCS.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\wx	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.inf	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\ctlexe\drivers\win7_amd64\tmctldrv.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\IMHKCore64.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon64_wfp_win10.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\x64\SQLite.Interop.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\fmtm\x64\fmtm.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\hgzDriver.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\VideoEngineCore.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\LeaveHistory.db	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK.NET.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\msvcr100.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ctlexe\drivers\win7_ia64	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.cat	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\AvFlt32.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\ID.rdb	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\startDLP.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\fmtm\x86\fmtm.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\shChange\Newtonsoft.Json.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ESBasic.xml	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\hgzProtectService.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\uninstall.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ygport.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ooRecord	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\bansf64.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryHelp.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms40.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ESFramework.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\System.Data.SQLite.xml	mgxitt.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sllsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sllsrv.exe

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sllsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	sllsrv.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
2004	sllsrv.exe
2964	TaskSetter.exe
2004	sllsrv.exe
2004	sllsrv.exe
2004	sllsrv.exe
1204	TaskSetter.exe
2004	sllsrv.exe
2004	sllsrv.exe
2004	sllsrv.exe
2004	sllsrv.exe
3040	TaskSetter.exe
2004	sllsrv.exe
2004	sllsrv.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	2652	mgxitt.exe
Token: 35	2652	mgxitt.exe
Token: SeSecurityPrivilege	2652	mgxitt.exe
Token: SeSecurityPrivilege	2652	mgxitt.exe
Token: SeRestorePrivilege	2780	mgxitt.exe
Token: 35	2780	mgxitt.exe
Token: SeSecurityPrivilege	2780	mgxitt.exe
Token: SeSecurityPrivilege	2780	mgxitt.exe
Token: SeDebugPrivilege	2512	sll.exe
Token: SeDebugPrivilege	2232	sll.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	nvsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2624	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	28
PID 2056 wrote to memory of 2624	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	28
PID 2056 wrote to memory of 2624	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	28
PID 2056 wrote to memory of 2624	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	28
PID 2624 wrote to memory of 2652	2624	cmd.exe	30
PID 2624 wrote to memory of 2652	2624	cmd.exe	30
PID 2624 wrote to memory of 2652	2624	cmd.exe	30
PID 2624 wrote to memory of 2652	2624	cmd.exe	30
PID 2624 wrote to memory of 2780	2624	cmd.exe	31
PID 2624 wrote to memory of 2780	2624	cmd.exe	31
PID 2624 wrote to memory of 2780	2624	cmd.exe	31
PID 2624 wrote to memory of 2780	2624	cmd.exe	31
PID 2056 wrote to memory of 2824	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	32
PID 2056 wrote to memory of 2824	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	32
PID 2056 wrote to memory of 2824	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	32
PID 2056 wrote to memory of 2824	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	32
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 2720	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	33
PID 2056 wrote to memory of 1704	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	34
PID 2056 wrote to memory of 1704	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	34
PID 2056 wrote to memory of 1704	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	34
PID 2056 wrote to memory of 1704	2056	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	34
PID 1704 wrote to memory of 2400	1704	hzzSrvInit.exe	36
PID 1704 wrote to memory of 2400	1704	hzzSrvInit.exe	36
PID 1704 wrote to memory of 2400	1704	hzzSrvInit.exe	36
PID 1704 wrote to memory of 2400	1704	hzzSrvInit.exe	36
PID 2400 wrote to memory of 2508	2400	cmd.exe	38
PID 2400 wrote to memory of 2508	2400	cmd.exe	38
PID 2400 wrote to memory of 2508	2400	cmd.exe	38
PID 2400 wrote to memory of 2508	2400	cmd.exe	38
PID 2824 wrote to memory of 2428	2824	TaskSetter.exe	39
PID 2824 wrote to memory of 2428	2824	TaskSetter.exe	39
PID 2824 wrote to memory of 2428	2824	TaskSetter.exe	39
PID 2824 wrote to memory of 2428	2824	TaskSetter.exe	39
PID 2428 wrote to memory of 1884	2428	cmd.exe	41
PID 2428 wrote to memory of 1884	2428	cmd.exe	41
PID 2428 wrote to memory of 1884	2428	cmd.exe	41
PID 2428 wrote to memory of 1884	2428	cmd.exe	41
PID 2392 wrote to memory of 2964	2392	taskeng.exe	43
PID 2392 wrote to memory of 2964	2392	taskeng.exe	43
PID 2392 wrote to memory of 2964	2392	taskeng.exe	43
PID 2392 wrote to memory of 2964	2392	taskeng.exe	43
PID 2004 wrote to memory of 2512	2004	sllsrv.exe	44
PID 2004 wrote to memory of 2512	2004	sllsrv.exe	44
PID 2004 wrote to memory of 2512	2004	sllsrv.exe	44
PID 2004 wrote to memory of 2512	2004	sllsrv.exe	44
PID 2512 wrote to memory of 2776	2512	sll.exe	45
PID 2512 wrote to memory of 2776	2512	sll.exe	45
PID 2512 wrote to memory of 2776	2512	sll.exe	45
PID 2512 wrote to memory of 2776	2512	sll.exe	45
PID 2512 wrote to memory of 2796	2512	sll.exe	46
PID 2512 wrote to memory of 2796	2512	sll.exe	46
PID 2512 wrote to memory of 2796	2512	sll.exe	46
PID 2512 wrote to memory of 2796	2512	sll.exe	46
PID 2776 wrote to memory of 2816	2776	start.exe	47
PID 2776 wrote to memory of 2816	2776	start.exe	47
PID 2776 wrote to memory of 2816	2776	start.exe	47
PID 2776 wrote to memory of 2816	2776	start.exe	47
PID 2392 wrote to memory of 1204	2392	taskeng.exe	51

C:\Users\Admin\AppData\Local\Temp\0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
"C:\Users\Admin\AppData\Local\Temp\0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\Common Files\System Sll\file.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe
    mgxitt.exe x oxsbaszf.dll -p123456789
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe
    mgxitt.exe x uwaufnjs.dat -p123456789
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
  "C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /install
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Schtasks /run /tn "System Sll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\schtasks.exe
      Schtasks /run /tn "System Sll"
      4⤵
      PID:1884
- C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe
  "C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe" /install
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe
  "C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe" /install
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SC description "sllService" "hzz ctl check module"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\sc.exe
      SC description "sllService" "hzz ctl check module"
      4⤵
      Launches sc.exe
      PID:2508

C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe
"C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\Common Files\System Sll\sll.exe
  "C:\Program Files (x86)\Common Files\System Sll\sll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files (x86)\Common Files\System Sll\start.exe
    "C:\Program Files (x86)\Common Files\System Sll\start.exe" hide
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe
      "C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe" hide
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2816
- - C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe
    "C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe" C:\Program Files (x86)\Common Files\System Sll\sll.exe
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe
    "C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe" /install
    3⤵
    - Executes dropped EXE
    PID:1556
- C:\Program Files (x86)\Common Files\System Sll\sll.exe
  "C:\Program Files (x86)\Common Files\System Sll\sll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- - C:\Program Files (x86)\Common Files\System Sll\start.exe
    "C:\Program Files (x86)\Common Files\System Sll\start.exe" hide
    3⤵
    - Executes dropped EXE
    PID:1664
  - - C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe
      "C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe" hide
      4⤵
      Executes dropped EXE
      PID:2256
- - C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe
    "C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe" C:\Program Files (x86)\Common Files\System Sll\sll.exe
    3⤵
    - Executes dropped EXE
    PID:2896

C:\Windows\system32\taskeng.exe
taskeng.exe {170CB0AA-8E8B-48F0-B8F1-B58D502CAB20} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
  "C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
  "C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
  "C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System Sll\ESFramework.dll

Filesize
1.1MB

MD5
5805d3faa9a273c45329794aab1e7dea

SHA1
af0265a34d1a254c9873d753b8138c5f860b5825

SHA256
dcf3b0afd48c27b623933dbaaacba3dd27694d6c72b451c44d41a299a3fa2743

SHA512
2fe6ba2dd8fd543cc88b25021d741ac0f7bf9ccb05933e7d60afd8cd84ae02c19c0ac2ae1b95dc5d2cb4a6749f597dc9b29100521657ea36a6825cf1c4da2cb1

Download Submit
C:\Program Files (x86)\Common Files\System Sll\GetSignInfo.dll

Filesize
57KB

MD5
5dc02cc33ac9e3a37fdb7f9bd992cdaa

SHA1
43a2f1ad3497ec90cd9a446dc91ca25d3aa16f36

SHA256
0fd581199eb34969d53b22ca172b2146c90d0b6019138ecccac0b599802876d8

SHA512
2a46dfe287775996ec5995ad097d662e30449aa67d84077e37ac14dda3fb739f08efde5480619e6d97cf44c074bf7b70dd9f28fb664ffbe9be892488def56303

Download Submit
C:\Program Files (x86)\Common Files\System Sll\ID.rdb

Filesize
18B

MD5
3f711e2b762cb9c87f683855132a6ad3

SHA1
a80cb3daaaa3a659300785db7d456c880e2e86e3

SHA256
503b21a50a016fce3bbdb51dcfe9546d6379af68f6fdbded23fb0b6e52f3ba43

SHA512
0358a6dc143b78e72db6dfcde984d133fae0fcbb9372a0314f8ada2b1486851cb44eadb8b9c587acd565adb0cb21fcb7452b4ed1111eb92fa96092e5dd12b053

Download Submit
C:\Program Files (x86)\Common Files\System Sll\Remote.Core.dll

Filesize
75KB

MD5
4211e981a8c7810d1bbc5d261040e3a8

SHA1
526b5d1bb90549e0d2ce4451d2d0865510577bf2

SHA256
483476fe8ca0217afc64f965aea6715a3766a420cf266027fa5496730ce970b9

SHA512
cd43ade0cce88edf77235c0ee3066f669325aa5a592fc4fb007d3a5690376da6309e3a68cb7f4345c01290911660f338ec8b4b2e7b9266b5f6fdd1065d241b62

Download Submit
C:\Program Files (x86)\Common Files\System Sll\Remote.Model.dll

Filesize
103KB

MD5
fae3626c17ad137132c9af586b63a0a9

SHA1
54525f2264c5250a808cffd2a8d3c16f62829581

SHA256
224c6c2c757b0f5015d007ca81d90f41780f734a3674b022cbd95a4a24892d79

SHA512
e0fdb7d11f32d0e64446ff28d0206ac3a46d50ffc30c538e7a60076c027375fde2addeb8d69f34bdae8046e1a132b21a493cdb9af9d4dbcdbeeac5ec5767d965

Download Submit
C:\Program Files (x86)\Common Files\System Sll\System.Data.SQLite.dll

Filesize
1.3MB

MD5
64f9622eb9c1061c4ea0b7ab4d89f3a8

SHA1
9739907a59da137b0a437be887360d006ed05b33

SHA256
422eb3ba14add55afa10587c90a219c0b5d8a48a4d2dcc9aaa6aaf3df1c9607e

SHA512
fe3286969a564ecdef5212e9f2c0658909d6a953992226373fc0fb1e091287c42659afbb5acdbfe74e78f7fd2f218e642216077b8b4e82710470561da9ef7618

Download Submit
C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe

Filesize
404KB

MD5
a20ed76ab9cdeecc4ed75608246134f8

SHA1
32700023bc7105fe2a9f9faf550f9287b522d4da

SHA256
11da257aab1f705d2ae58b6262c2e6b3f622831915b570a08f76991057f993a4

SHA512
9ff08dc969d5b5a4f6715504e604fd5100c82358fe0a0f047a36c4bdd8406c04ce2aee0ee2b6df6124332864c539e2da4a654f787a2cc7fdaf708acff2b04a09

Download Submit
C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe

Filesize
128KB

MD5
2393e629184e72738cf6ae5a97a84efe

SHA1
23c821a38192d5f710daf925c64c4c9371bd2eb8

SHA256
39587299434a05e08ccc4f9446759950a285adfc09db023e56a1b43d0d50d64f

SHA512
140d427e9f2430925daa41095de70f80115842383534fbaae3723deece03e16b8ad954ea58684bbcb8ce2f421dbb061382e20da6fe761b313515a141abe7711d

Download Submit
C:\Program Files (x86)\Common Files\System Sll\comUpdate.exe

Filesize
1.3MB

MD5
775eeddf5d53462fc9adb4422bb17d92

SHA1
46fc9df69349cfd7f5bcc1382fe379a766a8a508

SHA256
74b579201df1093850f8db5f959dee74b93a12096c50579602e25d60952220bc

SHA512
fced037a718e0090f0fb56e58f810c974a5cd07011b363b317b1bdf49ef8d230c548fd93d0cb7e9f77028e8bb91bbeb5b10b2c897bec3108ea2b07084333892e

Download Submit
C:\Program Files (x86)\Common Files\System Sll\fdmodlue.dll

Filesize
533KB

MD5
b208d1816afa4b12e45305b142735b38

SHA1
b7922de23c28d872fc3ef168b05d4827233c511d

SHA256
83ca5dd2726560045b459519dc80de20f8ab65d57b90246a8e711a971fea041c

SHA512
a3761a361d7d9954f0850b72fd3c44fbbc68791172918f292dd688860c39ad64986e2295ccfbe8113b6a8f918521eaf6526b289682a8c533a2c7d4aa793ec95b

Download Submit
C:\Program Files (x86)\Common Files\System Sll\file.bat

Filesize
104B

MD5
f153d51505dbb3e9a190aae6a7269a72

SHA1
9d9c99e0142f200c00e8a4dcc65eeecfaa3cc17e

SHA256
19591e0a956e524775f97d628f897883e99a57cb845eab24a1be9a172bd6f458

SHA512
5c30328972573203cdfc65f9f435f7e720c7d45bc073f1971d706a112e780064416418e922b0078c78d4c5c0b798810667a5cf610bbe03472ee4e981eac08dfc

Download Submit
C:\Program Files (x86)\Common Files\System Sll\logs\log.txt

Filesize
1KB

MD5
31c2977f350f181290120736441f7633

SHA1
0b851907e89ff1cc5ee4147c585f2a40af9316ce

SHA256
367c831e9bb78ae5a0def1d60d18da3e37a9b950f1b92c6355dc7bb60525f800

SHA512
2075d62e6b3ddd429e668cc00bf46679ad6d0620283c4ef722a3bd08caf6867ed9f8ce6f47195e075f728fe9d9eccd272946d4901202f833855c234db6697cdd

Download Submit
C:\Program Files (x86)\Common Files\System Sll\oxsbaszf.dll

Filesize
5.3MB

MD5
17c6ef2dac7b6143a51a9ba446d9d1be

SHA1
64db95c08fe14a5315c5f371aa84a1d5591b13e9

SHA256
84a719c6895bd7f37302af2e97e915aa4f362443325f79cf994b352b0bc4c2e1

SHA512
14f6243ea9260932e2f51f79b3342c37c3632ab554ab11412d70209d1a076581b33ea2acbb1226ce469eb523b14b4eaa9fa658bba51720aa81cac5b539c738ad

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sll.exe

Filesize
320KB

MD5
7a164ddf975c63b80ebfc4ac9198c9cc

SHA1
c6507a39cf0abaf0ce69c20f83ea39ccddae3ee4

SHA256
661cd6e209b046abf666f95630fa07b1b1060e7ea4a2c101c940d13ba87cff0e

SHA512
9a2c82b6eea9bc2cafc2202ef747ad1b50400dccf3ae038771ad3fe28cc4b25151231d7767bea254f21b268649cd334899d6560ea586d4e118ed30ed7b558880

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sll.exe

Filesize
586KB

MD5
d3f948da2a288400549a89c757e6949a

SHA1
09bb606b09547ce1b804804cd242714875f87912

SHA256
4c7d16fc6d3cd4af4595f8de443009ba5ed1267e9a97b556b2b4af5e29bfa47a

SHA512
a309252f7bd7883e7c09a492d5e834f9158921d6b0996c60d723fb4761a0c5d5db6b3b72bbdb1ba7f33e95985eacef9c4a900f7ca3e1d39e35421cf1fca37d25

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sll.exe.config

Filesize
3KB

MD5
e5d4596a9d17140dcf1da9c8371d9f9a

SHA1
5df6f6b80930f92900058bba9858afe55393cd43

SHA256
5f968514d1a89877e4e814982b66563928fd9e9145be2c7dde38a4b01b0721fd

SHA512
ac0d6d66ad9417fe889f3600cd87f7af0862744d39f2b15017dbc59f1c6b6973e77b63484c6dfac26f6fa3d0fa2c3c614fccbb6c62358801ab880421bab54cb6

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe

Filesize
991KB

MD5
f170a1c6c473c18d1446e97c2b992c86

SHA1
0b239c1f8110fb0ea8cd2c7dbc49df9724b1f287

SHA256
c9cad4b5a77640d364dfa6fafc3f41b5af4283ea3032317cb33472d73384e52b

SHA512
02ef68cfaaeb8a283315be807c5a25c79e8c1ba8c0443b228a527da60318e153451e5c7f41a1f7abafd9eb9a1c1bb9c7a3637b9d3da07785bbae0087b9c5e591

Download Submit
C:\Program Files (x86)\Common Files\System Sll\start.exe

Filesize
115KB

MD5
9b1c7463a0903a88a0615586e727ed11

SHA1
28a6ed9aeaef320563c11935d13df67e5a920859

SHA256
5d0ffafc08e83481e3c47c015605d33c3b18f19159b1554058b7a113eb2448b7

SHA512
a56f49e702b71a515b3a084109366d075348637e9c6fe8beb39caff6a1cde789040ac5874b34142b9bc68c693ff700fe839b02db8d4180b000fc9c4070532720

Download Submit
C:\Program Files (x86)\Common Files\System Sll\swresample-0bp1.dll

Filesize
31KB

MD5
1ba33b23bb456b6cd33e609c45c13860

SHA1
099548974023e96c0a78280b5e6d1e37e1169632

SHA256
9c673b8501aba227918a56df84a89562ab57a88eba7b6970322e2ea53d61a6be

SHA512
ec330b83ff3c1f86929e25344d054f73d40542debb768388929b07c37c6cf4528bbbd4ab42fcc8be2d3375cc001e69a7d9f9a94954a103053d47d2d704d6186b

Download Submit
C:\Program Files (x86)\Common Files\System Sll\uwaufnjs.dat

Filesize
9.6MB

MD5
e7b70163d0b349b5c7f791bdf580f91b

SHA1
8fe7117dcc2b248f5edb6efcb248176e722346cc

SHA256
e3b8be56ccf88815f8d241176c0d896f9020c8cb0760b336da61c04df7053366

SHA512
972fa5fd13be703c270db781d30d87bed9023c2e4b69ca5306315ff453b07250b864b3500fd1a5aaa7bb807d6c15eb68fec30ca0824c10b55858415ace3f009d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4c7d9c32e863df491b2b9fa31b2660b

SHA1
91c127fe47f9e6e6535b42655f61e264d3567d68

SHA256
1c771bfc87fde431f2c87e4f2ac012ac0ca2ec77e724edd90fcd5b3f2dcb8948

SHA512
04e04b9e9ab3e643af92bcf09fa68de1ee1c1c6871a277bbc9e6f88b2a2bdf340d8eafc52d442e0e16973eb9e0aba3b349077a825d75a1f87750ce12ff6a6394

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d31894fcb6dac142ad0159edbc6512d

SHA1
03edf57a8585ffb22cc79b19deb10dc85b1c23fb

SHA256
05559ccea62701992c2e6de7a7114bb647d2b30f7dce7ece405e86e98d2f0841

SHA512
47f1df908975da65fba745870ce3250cc0d01dd72aea54c0c50da5159ec28f1a9120765559bf38e082d85de5a865815b585f5a05b98988344a8cc77f1cff797a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bc5befb25a0bd49a6bfb9b43ca513df

SHA1
e73c25b05ab80e193fa20446f1c706ef427beeef

SHA256
eaa2bfd29acc94c062a811b2d85f8f15fbeb393c292ec834f80a42ba2a501c54

SHA512
f686542285e93a907ecfb02a47df5b06358526e43610917a3d4452879687335a714a6b112e2de029c10412126fac9f64aa3cf0c2092fd65cc13331bb77978ea1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67800282880317efeb482669d2ddb386

SHA1
f10b8c8f686bb9b21c0cca3492809c00e1c7b7c8

SHA256
9e290d582976525f3a8ccfcce14b70b200eba413f07ac5f51832b03a5f481200

SHA512
cd16d5021a39f1bac1de9840d519c5645d4650ffc569437ee3fd275baaeb2f7954b68b5274a0d532e192f0a825257dab9ef8f02495cb43e32504e7a39ecb99a1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0984bdbe75e08f98a6efe376cba164ed

SHA1
aba9c236e56652c9e119aff47a140f37df0ade48

SHA256
47c1c5ced3133127af8467709465a72f1f35b63c1fe34bbd429c0acb65cdce18

SHA512
6b4b94c928c4ca18d5b4c682f5876453ff3b04c43aa978be0a8f32e821458db32055c572d7c36e08e68ceba9d2466f0cd5a75bdb6cf0445fc5ea62827396fbd1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5e4be324a28510a0a6fbfde55a279519

SHA1
95bbe8a703395cc010661c47967c065a65cc89f7

SHA256
92403f75573fc7697fcde8b07af5c118bc2a0ff1289da050d25efedd5c7b3c21

SHA512
9b8a1917c8978af64a5c38cdf8cb69429e264ff01d00382927018a61874cbc09b48ed718702980544fa26268f5a16b994700983bb5a716253f156a528c7ca679

Download Submit
C:\Windows\Temp\Tar7BE9.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe

Filesize
615KB

MD5
3860b272c678c6f6a5686989c0fee44e

SHA1
0a6d60ecddc1f5ff307ede8ae2df0f6817a3c9c5

SHA256
aaca596be2341ba043d880ae206d3a2e245b7bfb62cf66c89891c57abda3b874

SHA512
71635bb438dea3e9840f3f124ca51797e0e172182c420419049494d94a8813ca3c32b76750491fab10d7cc399cd51d90ba9dff73fa3ed85297217a483483edeb

Download Submit
\Program Files (x86)\Common Files\System Sll\IMHKSDK.NET.dll

Filesize
25KB

MD5
8bb1f88603f81e477921997401bcc1cd

SHA1
2340fa24f98d016cda8d530a967ab65233a96c08

SHA256
2c64bcc4245dc06478a176cecd6be694b29a26ae06e59e205e66ce919e6156e9

SHA512
a3f225ced602e3e24fbd525d9f0ff9f1996a3e5cf674a4d880ec44ac891682afb97985b9eb3493a0b2230bead50e934c0d123348d7f21f91f3286dba21483069

Download Submit
\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe

Filesize
576KB

MD5
99fa236aa89b667af1c25a5fb0151a79

SHA1
bbfa2ca997dbbd7807c97b1f176993e2d3643520

SHA256
91e6ffbe3d414ba04305cdf01bfb4e4af75d0eee8b5eab1660aa9aba0eb6d981

SHA512
5145c637645a6e5ee1e83011785ce6f057edd10ee68a08b3518c9bb8e4e43ffb63b3948858fd7f6f700dfd556eac5a055d26f311b2da9e34a8fef7df890ce848

Download Submit
\Program Files (x86)\Common Files\System Sll\mgxitt.exe

Filesize
802KB

MD5
8f57948e69c82bf98704f129c5460576

SHA1
33e277af0cea397252c23d310961f803be5cdf2b

SHA256
f00836a63be7ebf14e1b8c40100c59777fe3432506b330927ea1f1b7fd47ee44

SHA512
628cf68c9436721b874a87e1bff711d3b6fe5d4bd9b02411890059a7d32078a9592fc48e6e53761d17bdbd72c5eb66593b841470157a3e8b38f0b67525d73bc9

Download Submit
\Program Files (x86)\Common Files\System Sll\x64\glbdll.dll

Filesize
349KB

MD5
3d354e58edc8a6e1ba566a39b7a2be92

SHA1
58bd1c017689cfa7587b97b60d26a08326091b42

SHA256
554a53589876d93b54b21dde8066242a21ba7d7536a5db449326dc557d0c48da

SHA512
fa8a3a1a0341914c6aac4f23c93b093d9c3483fe870477eed54f8528fc893af7ae16c799b3fdbbc0e5b68d1c378fd4910df35e409a2ebc6b2ffe028cd5ec8c85

Download Submit
\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe

Filesize
125KB

MD5
e01d1dcc8b86c7f854d1d886e2600d57

SHA1
3ddaddd21b456383d216382274093ba4a6270e1a

SHA256
fea7b236ffcdcf66dff2dad329e3f614b4c1d7c8391f75bc135254442c7db8aa

SHA512
687086d72d69107d8f5139eaa869126b90504ef3db3604caaa3e8d1c5f56996f52664ea3f3d8693d99871fd5c7acf646f3dabd764e8c041033296ed322c52ef1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5EE3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5EE3.tmp\nsExec.dll

Filesize
7KB

MD5
ec9c99216ef11cdd85965e78bc797d2c

SHA1
1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

SHA256
c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

SHA512
35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5EE3.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
memory/1556-781-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1556-782-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1704-339-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1704-365-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2004-767-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-759-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-815-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-807-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-359-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-362-0x00000000002C0000-0x000000000034B000-memory.dmp

Filesize
556KB

Download
memory/2004-751-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-752-0x00000000002C0000-0x000000000034B000-memory.dmp

Filesize
556KB

Download
memory/2004-753-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2004-754-0x00000000002C0000-0x000000000034B000-memory.dmp

Filesize
556KB

Download
memory/2056-342-0x00000000026F0000-0x000000000280C000-memory.dmp

Filesize
1.1MB

Download
memory/2232-794-0x0000000000CE0000-0x0000000000D74000-memory.dmp

Filesize
592KB

Download
memory/2232-795-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-812-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2232-811-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-799-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2232-797-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/2232-798-0x0000000004D00000-0x0000000004E20000-memory.dmp

Filesize
1.1MB

Download
memory/2232-796-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/2512-789-0x0000000000CC0000-0x0000000000CE0000-memory.dmp

Filesize
128KB

Download
memory/2512-722-0x0000000000300000-0x000000000031C000-memory.dmp

Filesize
112KB

Download
memory/2512-788-0x0000000009DC0000-0x000000000A064000-memory.dmp

Filesize
2.6MB

Download
memory/2512-756-0x00000000052F0000-0x0000000005330000-memory.dmp

Filesize
256KB

Download
memory/2512-791-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-727-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2512-731-0x0000000005160000-0x0000000005280000-memory.dmp

Filesize
1.1MB

Download
memory/2512-786-0x00000000069A0000-0x0000000006AEA000-memory.dmp

Filesize
1.3MB

Download
memory/2512-755-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-718-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-779-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2512-723-0x00000000052F0000-0x0000000005330000-memory.dmp

Filesize
256KB

Download
memory/2512-717-0x0000000000CE0000-0x0000000000D74000-memory.dmp

Filesize
592KB

Download
memory/2720-344-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2720-340-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download