0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
Size

15.8MB
MD5

9295f9f0f78b9d5fa9a2fc35df0375f8
SHA1

7f7e3eda0d4ae74bf478af0adbf1acbb91d120c5
SHA256

0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba
SHA512

eda20c302be4e1d45d9ea4371d3ffda7879f361384cbc4e9c3afd4d0c03a1015a117ec5cb9291461a65afa4f70f3b808340c3a821bb74765e6ad259406732b16
SSDEEP

393216:nnh8jy6vL6wNUC91GQCjYvJbJEtl8vPpDmRzMuTPy6Ya4G:nKp3HGhjkJEgvJ6yHa4G

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	hzzSrvInit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	TaskSetter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	sll.exe

Executes dropped EXE 17 IoCs

pid	Process
3484	mgxitt.exe
3180	mgxitt.exe
2156	TaskSetter.exe
180	HzzInstaller.exe
4480	hzzSrvInit.exe
864	sllsrv.exe
2644	TaskSetter.exe
3040	sll.exe
4832	start.exe
3516	nvsc.exe
2080	checkFirewall.exe
2660	Process not Found
2516	Process not Found
2096	TaskSetter.exe
224	hzzSrvInit.exe
3648	Process not Found
1712	TaskSetter.exe

Loads dropped DLL 37 IoCs

pid	Process
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3516	nvsc.exe
3528	Process not Found
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe
3040	sll.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E27A8B410E0EDAFAC69CF63C722B073D	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0101390D8E4B74E3DD39ACA5B00000_663C30C89105586D8E95482DD2BF39DF	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_5DFDB51029B86E246C6BBA4B4F208E9A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DE0101390D8E4B74E3DD39ACA5B00000_663C30C89105586D8E95482DD2BF39DF	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E27A8B410E0EDAFAC69CF63C722B073D	sllsrv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	sllsrv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\IMHKCore32.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\JustLib.xml	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\JustLib.Win10.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ptprocctl.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\ygport.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\AvFlt64.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\metemp.db	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\pscfg.dat	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\msvcm90.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\Config.txt	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\ESBasic.xml	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\InstallSvr.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\fmtm\pipmd.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\udisk\poflt32.inf	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\Newtonsoft.Json.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon64_wfp_Win7.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\check.txt	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\EULA.rtf	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\JustLib.xml	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\logs\log.txt	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\History360\history360.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\IMHKCore64.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\hgzProtectService.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\History360	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms.exe.config	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms.exe.config	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\Newtonsoft.Json.xml	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\Browser\System.Data.SQLite.xml	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon64_wfp_win10.cat	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\fmtm\ctldll.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\metemp.db	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\uwaufnjs.dat	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
File created	C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\AntiDivulge\bansf32.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\IMHKSDK32.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon64_wfp_Win81.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_Win81.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\avformat.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\oxsbaszf.dll	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\IMHKSDK\AvFlt64.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\hgzDriver64.sys	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.cat	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\avutil.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\start.exe	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\udisk\usmanager.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\OMCS.xml	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\drivers\win7_amd64\ptprc.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\wx	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\x64	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\logs\log.txt	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.sys	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\x86\glbdll.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\sysim.db	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\AudioEngineCore.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\drivers\win7_x86	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\fdmodlue.dll	mgxitt.exe
File opened for modification	C:\Program Files (x86)\Common Files\System Sll\shomectl.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\ESFramework.dll	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\mail\sys\mailmon_wfp_win10.inf	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\Browser\HistoryWindowsForms40.exe	mgxitt.exe
File created	C:\Program Files (x86)\Common Files\System Sll\udisk\usmanager.dll	mgxitt.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sllsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sllsrv.exe

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	sllsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	sllsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	sllsrv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	sllsrv.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
864	sllsrv.exe
864	sllsrv.exe
2644	TaskSetter.exe
2644	TaskSetter.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
2096	TaskSetter.exe
2096	TaskSetter.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
1712	TaskSetter.exe
1712	TaskSetter.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe
864	sllsrv.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	3484	mgxitt.exe
Token: 35	3484	mgxitt.exe
Token: SeSecurityPrivilege	3484	mgxitt.exe
Token: SeSecurityPrivilege	3484	mgxitt.exe
Token: SeRestorePrivilege	3180	mgxitt.exe
Token: 35	3180	mgxitt.exe
Token: SeSecurityPrivilege	3180	mgxitt.exe
Token: SeSecurityPrivilege	3180	mgxitt.exe
Token: SeDebugPrivilege	3040	sll.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3040	sll.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3516	nvsc.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1356	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	97
PID 4108 wrote to memory of 1356	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	97
PID 4108 wrote to memory of 1356	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	97
PID 1356 wrote to memory of 3484	1356	cmd.exe	99
PID 1356 wrote to memory of 3484	1356	cmd.exe	99
PID 1356 wrote to memory of 3484	1356	cmd.exe	99
PID 1356 wrote to memory of 3180	1356	cmd.exe	101
PID 1356 wrote to memory of 3180	1356	cmd.exe	101
PID 1356 wrote to memory of 3180	1356	cmd.exe	101
PID 4108 wrote to memory of 2156	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	105
PID 4108 wrote to memory of 2156	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	105
PID 4108 wrote to memory of 2156	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	105
PID 4108 wrote to memory of 180	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	106
PID 4108 wrote to memory of 180	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	106
PID 4108 wrote to memory of 180	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	106
PID 4108 wrote to memory of 4480	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	107
PID 4108 wrote to memory of 4480	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	107
PID 4108 wrote to memory of 4480	4108	0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe	107
PID 2156 wrote to memory of 4140	2156	TaskSetter.exe	110
PID 2156 wrote to memory of 4140	2156	TaskSetter.exe	110
PID 2156 wrote to memory of 4140	2156	TaskSetter.exe	110
PID 4480 wrote to memory of 1132	4480	hzzSrvInit.exe	111
PID 4480 wrote to memory of 1132	4480	hzzSrvInit.exe	111
PID 4480 wrote to memory of 1132	4480	hzzSrvInit.exe	111
PID 1132 wrote to memory of 3128	1132	cmd.exe	115
PID 1132 wrote to memory of 3128	1132	cmd.exe	115
PID 1132 wrote to memory of 3128	1132	cmd.exe	115
PID 4140 wrote to memory of 4980	4140	cmd.exe	116
PID 4140 wrote to memory of 4980	4140	cmd.exe	116
PID 4140 wrote to memory of 4980	4140	cmd.exe	116
PID 864 wrote to memory of 3040	864	sllsrv.exe	118
PID 864 wrote to memory of 3040	864	sllsrv.exe	118
PID 864 wrote to memory of 3040	864	sllsrv.exe	118
PID 3040 wrote to memory of 4832	3040	sll.exe	121
PID 3040 wrote to memory of 4832	3040	sll.exe	121
PID 3040 wrote to memory of 4832	3040	sll.exe	121
PID 4832 wrote to memory of 3516	4832	start.exe	122
PID 4832 wrote to memory of 3516	4832	start.exe	122
PID 3040 wrote to memory of 2080	3040	sll.exe	123
PID 3040 wrote to memory of 2080	3040	sll.exe	123
PID 3040 wrote to memory of 2080	3040	sll.exe	123
PID 3040 wrote to memory of 224	3040	sll.exe	137
PID 3040 wrote to memory of 224	3040	sll.exe	137
PID 3040 wrote to memory of 224	3040	sll.exe	137

C:\Users\Admin\AppData\Local\Temp\0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe
"C:\Users\Admin\AppData\Local\Temp\0625f84f174f72e98cb67251a549638b8997012701ae7e47d6fa348567bfd7ba.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Common Files\System Sll\file.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe
    mgxitt.exe x oxsbaszf.dll -p123456789
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe
    mgxitt.exe x uwaufnjs.dat -p123456789
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
  "C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Schtasks /run /tn "System Sll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\schtasks.exe
      Schtasks /run /tn "System Sll"
      4⤵
      PID:4980
- C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe
  "C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe" /install
  2⤵
  - Executes dropped EXE
  PID:180
- C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe
  "C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe" /install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SC description "sllService" "hzz ctl check module"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\sc.exe
      SC description "sllService" "hzz ctl check module"
      4⤵
      Launches sc.exe
      PID:3128

C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe
"C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files (x86)\Common Files\System Sll\sll.exe
  "C:\Program Files (x86)\Common Files\System Sll\sll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Common Files\System Sll\start.exe
    "C:\Program Files (x86)\Common Files\System Sll\start.exe" hide
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe
      "C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe" hide
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3516
- - C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe
    "C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe" C:\Program Files (x86)\Common Files\System Sll\sll.exe
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe
    "C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe" /install
    3⤵
    - Executes dropped EXE
    PID:224

C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
"C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
1⤵
PID:2780

C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
"C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe
"C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe" /watch
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System Sll\CSkin.dll

Filesize
2.6MB

MD5
7fe9a91959c97c02c57238700cf8798b

SHA1
9ac7f102fa61e976c4a0182bbdd9c0f36694d055

SHA256
05338742c94508a7a8cb2b48ba00bbf1d66bba432c7d384fffa2f571213d7b1c

SHA512
8187ec372d29f414910b030737f576d9f150dd14cd38a609ea7ae2af8b6d8112a0515ea35f876c1dfe212b009d4e24f7189873000b126b457ae9ae953debc69b

Download Submit
C:\Program Files (x86)\Common Files\System Sll\ESFramework.dll

Filesize
1.1MB

MD5
5805d3faa9a273c45329794aab1e7dea

SHA1
af0265a34d1a254c9873d753b8138c5f860b5825

SHA256
dcf3b0afd48c27b623933dbaaacba3dd27694d6c72b451c44d41a299a3fa2743

SHA512
2fe6ba2dd8fd543cc88b25021d741ac0f7bf9ccb05933e7d60afd8cd84ae02c19c0ac2ae1b95dc5d2cb4a6749f597dc9b29100521657ea36a6825cf1c4da2cb1

Download Submit
C:\Program Files (x86)\Common Files\System Sll\GetSignInfo.dll

Filesize
57KB

MD5
5dc02cc33ac9e3a37fdb7f9bd992cdaa

SHA1
43a2f1ad3497ec90cd9a446dc91ca25d3aa16f36

SHA256
0fd581199eb34969d53b22ca172b2146c90d0b6019138ecccac0b599802876d8

SHA512
2a46dfe287775996ec5995ad097d662e30449aa67d84077e37ac14dda3fb739f08efde5480619e6d97cf44c074bf7b70dd9f28fb664ffbe9be892488def56303

Download Submit
C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe

Filesize
37KB

MD5
b49ae3fa5419807a66166e9b87e9872b

SHA1
9a225b4bec307995065775df27ed89d47f61e47c

SHA256
01bc15fff5bd0e0d95ae6a794eccf903266d2ce27a7803a4cff65f65ffd13ca1

SHA512
f7c87da559a3d8e1fa9628640ceaf156b7a0c62dead801467a11152ea9c040e764c622ddcd0f123b32565b3f137750c2ce48e2ff0464df27818c7101d1926900

Download Submit
C:\Program Files (x86)\Common Files\System Sll\HzzInstaller.exe

Filesize
192KB

MD5
c6d8664bc95358c6e6b47f388948f4ac

SHA1
b52592a44e0c0df3d8c33a3c2802f24ed65393a5

SHA256
dd165c616d6050d8972f3ee2db9f250027fb01d21ebacc416e0e49c3b24f18d3

SHA512
db19406050ccf2255e3a8159d199c704e9523fd8bebc8da82564ae3abe2a5241397a283d7ddf460ecd022da13d483c4ba1c57efdd8547cdcd833b2652e7ec825

Download Submit
C:\Program Files (x86)\Common Files\System Sll\ID.rdb

Filesize
18B

MD5
3f711e2b762cb9c87f683855132a6ad3

SHA1
a80cb3daaaa3a659300785db7d456c880e2e86e3

SHA256
503b21a50a016fce3bbdb51dcfe9546d6379af68f6fdbded23fb0b6e52f3ba43

SHA512
0358a6dc143b78e72db6dfcde984d133fae0fcbb9372a0314f8ada2b1486851cb44eadb8b9c587acd565adb0cb21fcb7452b4ed1111eb92fa96092e5dd12b053

Download Submit
C:\Program Files (x86)\Common Files\System Sll\IMHKSDK.NET.dll

Filesize
25KB

MD5
8bb1f88603f81e477921997401bcc1cd

SHA1
2340fa24f98d016cda8d530a967ab65233a96c08

SHA256
2c64bcc4245dc06478a176cecd6be694b29a26ae06e59e205e66ce919e6156e9

SHA512
a3f225ced602e3e24fbd525d9f0ff9f1996a3e5cf674a4d880ec44ac891682afb97985b9eb3493a0b2230bead50e934c0d123348d7f21f91f3286dba21483069

Download Submit
C:\Program Files (x86)\Common Files\System Sll\Remote.Core.dll

Filesize
75KB

MD5
4211e981a8c7810d1bbc5d261040e3a8

SHA1
526b5d1bb90549e0d2ce4451d2d0865510577bf2

SHA256
483476fe8ca0217afc64f965aea6715a3766a420cf266027fa5496730ce970b9

SHA512
cd43ade0cce88edf77235c0ee3066f669325aa5a592fc4fb007d3a5690376da6309e3a68cb7f4345c01290911660f338ec8b4b2e7b9266b5f6fdd1065d241b62

Download Submit
C:\Program Files (x86)\Common Files\System Sll\Remote.Model.dll

Filesize
103KB

MD5
fae3626c17ad137132c9af586b63a0a9

SHA1
54525f2264c5250a808cffd2a8d3c16f62829581

SHA256
224c6c2c757b0f5015d007ca81d90f41780f734a3674b022cbd95a4a24892d79

SHA512
e0fdb7d11f32d0e64446ff28d0206ac3a46d50ffc30c538e7a60076c027375fde2addeb8d69f34bdae8046e1a132b21a493cdb9af9d4dbcdbeeac5ec5767d965

Download Submit
C:\Program Files (x86)\Common Files\System Sll\System.Data.SQLite.dll

Filesize
128KB

MD5
5400744ef6747ed5e87a0103ed56f7a5

SHA1
86e0d4f92bf58ced8a660f0063634e131ccd47fb

SHA256
6686d1be735f06e5a5e6d172818ebc882010001d55e2f087af3739df13a0d9a8

SHA512
2077ef0f9c76a3acd041d862decd26a2fd20daea24e0a3e5dff53d2ccef13dd5971768aa20f4384c6086f036e67da16b9cce6ed0661836bf6d54fefe3dd28660

Download Submit
C:\Program Files (x86)\Common Files\System Sll\System.Data.SQLite.dll

Filesize
640KB

MD5
4a2fcbeac037690c120edfcfaaa285f3

SHA1
79917a329356c45b4dc9f36878685a0ee5ebad48

SHA256
a0a9b3a530669fdf91db20b8ac1ee4c21786d9d29367b15be453123b4533e394

SHA512
5a851a82694ac97e66ee9bbd9685512c6974846daae7d900ac0a81a2cdc64b973c39b75f7c8752d7bbc9ba95e2fcda452e09d786b1d769b7046713cbf0bfc57a

Download Submit
C:\Program Files (x86)\Common Files\System Sll\System.Data.SQLite.dll

Filesize
2KB

MD5
3050231fb3f12d40c9ebcda2f8cdfd69

SHA1
b903b5c35450518357e88582a75b0315e7b70b85

SHA256
58b8879ebb8cd4b25c4d5f74982b94fd057df91c8d7958d507d8034d3bc5967f

SHA512
ca55124e240bf4a0898ab3d1d0efdfc40d20a8d36f1b58b82adef844b99ed9eddd7916c2fe7a2d4492f0403364f9f9a9770d770c81400f19c710325ac2b694e9

Download Submit
C:\Program Files (x86)\Common Files\System Sll\System.Data.SQLite.dll

Filesize
1.3MB

MD5
64f9622eb9c1061c4ea0b7ab4d89f3a8

SHA1
9739907a59da137b0a437be887360d006ed05b33

SHA256
422eb3ba14add55afa10587c90a219c0b5d8a48a4d2dcc9aaa6aaf3df1c9607e

SHA512
fe3286969a564ecdef5212e9f2c0658909d6a953992226373fc0fb1e091287c42659afbb5acdbfe74e78f7fd2f218e642216077b8b4e82710470561da9ef7618

Download Submit
C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe

Filesize
404KB

MD5
a20ed76ab9cdeecc4ed75608246134f8

SHA1
32700023bc7105fe2a9f9faf550f9287b522d4da

SHA256
11da257aab1f705d2ae58b6262c2e6b3f622831915b570a08f76991057f993a4

SHA512
9ff08dc969d5b5a4f6715504e604fd5100c82358fe0a0f047a36c4bdd8406c04ce2aee0ee2b6df6124332864c539e2da4a654f787a2cc7fdaf708acff2b04a09

Download Submit
C:\Program Files (x86)\Common Files\System Sll\TaskSetter.exe

Filesize
64KB

MD5
a9f9de0dbc2ee26e41b768e07678d1c3

SHA1
61546bf67ceff401ff67a609f10b9643c3997215

SHA256
7e1289ca7465e00b67aa0aa8eb31556b1ad46d1a9c07cfc01759529248ee4434

SHA512
aa7d43c93c8b15999f8c0677914bdf180dd58d4c48c3dead4a2e9151b4c216925e7092e9a3e8d070a8a2a60cb9badb83b9e5192ac9c757f547aa28602c6931ce

Download Submit
C:\Program Files (x86)\Common Files\System Sll\checkFirewall.exe

Filesize
128KB

MD5
2393e629184e72738cf6ae5a97a84efe

SHA1
23c821a38192d5f710daf925c64c4c9371bd2eb8

SHA256
39587299434a05e08ccc4f9446759950a285adfc09db023e56a1b43d0d50d64f

SHA512
140d427e9f2430925daa41095de70f80115842383534fbaae3723deece03e16b8ad954ea58684bbcb8ce2f421dbb061382e20da6fe761b313515a141abe7711d

Download Submit
C:\Program Files (x86)\Common Files\System Sll\comUpdate.exe

Filesize
1.3MB

MD5
775eeddf5d53462fc9adb4422bb17d92

SHA1
46fc9df69349cfd7f5bcc1382fe379a766a8a508

SHA256
74b579201df1093850f8db5f959dee74b93a12096c50579602e25d60952220bc

SHA512
fced037a718e0090f0fb56e58f810c974a5cd07011b363b317b1bdf49ef8d230c548fd93d0cb7e9f77028e8bb91bbeb5b10b2c897bec3108ea2b07084333892e

Download Submit
C:\Program Files (x86)\Common Files\System Sll\fdmodlue.dll

Filesize
533KB

MD5
b208d1816afa4b12e45305b142735b38

SHA1
b7922de23c28d872fc3ef168b05d4827233c511d

SHA256
83ca5dd2726560045b459519dc80de20f8ab65d57b90246a8e711a971fea041c

SHA512
a3761a361d7d9954f0850b72fd3c44fbbc68791172918f292dd688860c39ad64986e2295ccfbe8113b6a8f918521eaf6526b289682a8c533a2c7d4aa793ec95b

Download Submit
C:\Program Files (x86)\Common Files\System Sll\file.bat

Filesize
104B

MD5
f153d51505dbb3e9a190aae6a7269a72

SHA1
9d9c99e0142f200c00e8a4dcc65eeecfaa3cc17e

SHA256
19591e0a956e524775f97d628f897883e99a57cb845eab24a1be9a172bd6f458

SHA512
5c30328972573203cdfc65f9f435f7e720c7d45bc073f1971d706a112e780064416418e922b0078c78d4c5c0b798810667a5cf610bbe03472ee4e981eac08dfc

Download Submit
C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe

Filesize
121KB

MD5
dd67b161e5342473ecb8276c4a244ec3

SHA1
905766fac69b36eb893c3e15be53c3fa9336cc6a

SHA256
9fe8cca0f4fecfdc49fa24e9795bc8f4b69201b112e7935bff84f35df137d737

SHA512
5c5e22885c0035aea6c9ce809de9ff4875bab98b2790f26f91f133cb0fed47a63eaca4c5a296a0aaa1b2e1dbaddda82bb1dc074d4dbe070ef4fafc22b4bbdec3

Download Submit
C:\Program Files (x86)\Common Files\System Sll\hzzSrvInit.exe

Filesize
576KB

MD5
99fa236aa89b667af1c25a5fb0151a79

SHA1
bbfa2ca997dbbd7807c97b1f176993e2d3643520

SHA256
91e6ffbe3d414ba04305cdf01bfb4e4af75d0eee8b5eab1660aa9aba0eb6d981

SHA512
5145c637645a6e5ee1e83011785ce6f057edd10ee68a08b3518c9bb8e4e43ffb63b3948858fd7f6f700dfd556eac5a055d26f311b2da9e34a8fef7df890ce848

Download Submit
C:\Program Files (x86)\Common Files\System Sll\logs\log.txt

Filesize
1KB

MD5
31c2977f350f181290120736441f7633

SHA1
0b851907e89ff1cc5ee4147c585f2a40af9316ce

SHA256
367c831e9bb78ae5a0def1d60d18da3e37a9b950f1b92c6355dc7bb60525f800

SHA512
2075d62e6b3ddd429e668cc00bf46679ad6d0620283c4ef722a3bd08caf6867ed9f8ce6f47195e075f728fe9d9eccd272946d4901202f833855c234db6697cdd

Download Submit
C:\Program Files (x86)\Common Files\System Sll\mgxitt.exe

Filesize
802KB

MD5
8f57948e69c82bf98704f129c5460576

SHA1
33e277af0cea397252c23d310961f803be5cdf2b

SHA256
f00836a63be7ebf14e1b8c40100c59777fe3432506b330927ea1f1b7fd47ee44

SHA512
628cf68c9436721b874a87e1bff711d3b6fe5d4bd9b02411890059a7d32078a9592fc48e6e53761d17bdbd72c5eb66593b841470157a3e8b38f0b67525d73bc9

Download Submit
C:\Program Files (x86)\Common Files\System Sll\oxsbaszf.dll

Filesize
2.9MB

MD5
c2542c40dcecbf69049a09006afaea90

SHA1
0af82ac964cab6a1294a74f4545d0688642110c1

SHA256
c7e24194520a5196af7322b4ef9dc840268e557b7c8ad2aac3f6a3743d5a7636

SHA512
38848760b93f823f3739bb68b9e8b1069dd83c848aeab6b568af65befd650f0eb4ab7a4c73d74be98a197f08b1d339ba6653b5130097f91a4c2a2cdae04e4031

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sll.exe

Filesize
586KB

MD5
d3f948da2a288400549a89c757e6949a

SHA1
09bb606b09547ce1b804804cd242714875f87912

SHA256
4c7d16fc6d3cd4af4595f8de443009ba5ed1267e9a97b556b2b4af5e29bfa47a

SHA512
a309252f7bd7883e7c09a492d5e834f9158921d6b0996c60d723fb4761a0c5d5db6b3b72bbdb1ba7f33e95985eacef9c4a900f7ca3e1d39e35421cf1fca37d25

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sll.exe.config

Filesize
3KB

MD5
e5d4596a9d17140dcf1da9c8371d9f9a

SHA1
5df6f6b80930f92900058bba9858afe55393cd43

SHA256
5f968514d1a89877e4e814982b66563928fd9e9145be2c7dde38a4b01b0721fd

SHA512
ac0d6d66ad9417fe889f3600cd87f7af0862744d39f2b15017dbc59f1c6b6973e77b63484c6dfac26f6fa3d0fa2c3c614fccbb6c62358801ab880421bab54cb6

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe

Filesize
79KB

MD5
7a2cfa06da837af6c4a6871918de7864

SHA1
ba388d38b2efe1b080d7a32deda6d1f756084572

SHA256
9fe91f7ab073433e9a627aa8bde306c29d083ab28741ff23430fdf17f2906f0e

SHA512
36d1bb9cc452c4df6b47cae9cde8aefdbbf90af737d9a37ab31bac14833fd5cade8554b6768905523ee281cf821fb55f16ac9a48c68ac4b82cb86578f8ed23dc

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sllsrv.exe

Filesize
991KB

MD5
f170a1c6c473c18d1446e97c2b992c86

SHA1
0b239c1f8110fb0ea8cd2c7dbc49df9724b1f287

SHA256
c9cad4b5a77640d364dfa6fafc3f41b5af4283ea3032317cb33472d73384e52b

SHA512
02ef68cfaaeb8a283315be807c5a25c79e8c1ba8c0443b228a527da60318e153451e5c7f41a1f7abafd9eb9a1c1bb9c7a3637b9d3da07785bbae0087b9c5e591

Download Submit
C:\Program Files (x86)\Common Files\System Sll\start.exe

Filesize
115KB

MD5
9b1c7463a0903a88a0615586e727ed11

SHA1
28a6ed9aeaef320563c11935d13df67e5a920859

SHA256
5d0ffafc08e83481e3c47c015605d33c3b18f19159b1554058b7a113eb2448b7

SHA512
a56f49e702b71a515b3a084109366d075348637e9c6fe8beb39caff6a1cde789040ac5874b34142b9bc68c693ff700fe839b02db8d4180b000fc9c4070532720

Download Submit
C:\Program Files (x86)\Common Files\System Sll\swresample-0bp1.dll

Filesize
31KB

MD5
1ba33b23bb456b6cd33e609c45c13860

SHA1
099548974023e96c0a78280b5e6d1e37e1169632

SHA256
9c673b8501aba227918a56df84a89562ab57a88eba7b6970322e2ea53d61a6be

SHA512
ec330b83ff3c1f86929e25344d054f73d40542debb768388929b07c37c6cf4528bbbd4ab42fcc8be2d3375cc001e69a7d9f9a94954a103053d47d2d704d6186b

Download Submit
C:\Program Files (x86)\Common Files\System Sll\sysim.db

Filesize
320KB

MD5
902f118d07cc04b91580892c829f94a8

SHA1
eb2631382fa9160072f3c27d97d3807f417797b7

SHA256
1c8c409b658a34925e285030b0f616c1eba84511a2c2de404d2bcbec69350770

SHA512
a50fe9adf358e113b13bd72226a3295a2779e075afa2b2f2d8a2c85beff8a360d7217d8c36b6df07aa1bfbfa36dd67d649fac872bbf8178360417501e6e9c1f5

Download Submit
C:\Program Files (x86)\Common Files\System Sll\uwaufnjs.dat

Filesize
9.6MB

MD5
e7b70163d0b349b5c7f791bdf580f91b

SHA1
8fe7117dcc2b248f5edb6efcb248176e722346cc

SHA256
e3b8be56ccf88815f8d241176c0d896f9020c8cb0760b336da61c04df7053366

SHA512
972fa5fd13be703c270db781d30d87bed9023c2e4b69ca5306315ff453b07250b864b3500fd1a5aaa7bb807d6c15eb68fec30ca0824c10b55858415ace3f009d

Download Submit
C:\Program Files (x86)\Common Files\System Sll\x64\glbdll.dll

Filesize
349KB

MD5
3d354e58edc8a6e1ba566a39b7a2be92

SHA1
58bd1c017689cfa7587b97b60d26a08326091b42

SHA256
554a53589876d93b54b21dde8066242a21ba7d7536a5db449326dc557d0c48da

SHA512
fa8a3a1a0341914c6aac4f23c93b093d9c3483fe870477eed54f8528fc893af7ae16c799b3fdbbc0e5b68d1c378fd4910df35e409a2ebc6b2ffe028cd5ec8c85

Download Submit
C:\Program Files (x86)\Common Files\System Sll\x64\nvsc.exe

Filesize
125KB

MD5
e01d1dcc8b86c7f854d1d886e2600d57

SHA1
3ddaddd21b456383d216382274093ba4a6270e1a

SHA256
fea7b236ffcdcf66dff2dad329e3f614b4c1d7c8391f75bc135254442c7db8aa

SHA512
687086d72d69107d8f5139eaa869126b90504ef3db3604caaa3e8d1c5f56996f52664ea3f3d8693d99871fd5c7acf646f3dabd764e8c041033296ed322c52ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd75EC.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd75EC.tmp\nsExec.dll

Filesize
7KB

MD5
ec9c99216ef11cdd85965e78bc797d2c

SHA1
1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

SHA256
c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

SHA512
35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd75EC.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
memory/180-351-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/180-350-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/224-456-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/224-455-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/864-424-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-427-0x0000000001360000-0x00000000013EB000-memory.dmp

Filesize
556KB

Download
memory/864-359-0x0000000001360000-0x00000000013EB000-memory.dmp

Filesize
556KB

Download
memory/864-480-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-441-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-434-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/864-360-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/864-425-0x0000000001360000-0x00000000013EB000-memory.dmp

Filesize
556KB

Download
memory/864-426-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/3040-404-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/3040-463-0x0000000009030000-0x0000000009384000-memory.dmp

Filesize
3.3MB

Download
memory/3040-430-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3040-486-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3040-419-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/3040-454-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/3040-395-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3040-476-0x000000000C3F0000-0x000000000C462000-memory.dmp

Filesize
456KB

Download
memory/3040-403-0x0000000005810000-0x0000000005930000-memory.dmp

Filesize
1.1MB

Download
memory/3040-399-0x00000000055D0000-0x00000000055E6000-memory.dmp

Filesize
88KB

Download
memory/3040-457-0x0000000006250000-0x000000000625A000-memory.dmp

Filesize
40KB

Download
memory/3040-393-0x0000000005170000-0x000000000518C000-memory.dmp

Filesize
112KB

Download
memory/3040-394-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/3040-461-0x0000000008E60000-0x0000000008FAA000-memory.dmp

Filesize
1.3MB

Download
memory/3040-475-0x0000000009D50000-0x0000000009D68000-memory.dmp

Filesize
96KB

Download
memory/3040-429-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3040-464-0x0000000009390000-0x00000000093DC000-memory.dmp

Filesize
304KB

Download
memory/3040-389-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/3040-388-0x00000000007D0000-0x0000000000864000-memory.dmp

Filesize
592KB

Download
memory/3040-468-0x0000000009D70000-0x000000000A014000-memory.dmp

Filesize
2.6MB

Download
memory/3040-469-0x0000000009AC0000-0x0000000009B8E000-memory.dmp

Filesize
824KB

Download
memory/3040-470-0x0000000009420000-0x000000000945C000-memory.dmp

Filesize
240KB

Download
memory/3040-471-0x0000000008FF0000-0x0000000009011000-memory.dmp

Filesize
132KB

Download
memory/3040-472-0x0000000009B90000-0x0000000009BB2000-memory.dmp

Filesize
136KB

Download
memory/3040-473-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3040-474-0x000000000C5E0000-0x000000000C84E000-memory.dmp

Filesize
2.4MB

Download
memory/4108-333-0x0000000002D60000-0x0000000002E7C000-memory.dmp

Filesize
1.1MB

Download
memory/4108-335-0x0000000002D60000-0x0000000002E7C000-memory.dmp

Filesize
1.1MB

Download
memory/4480-349-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4480-363-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download