Analysis

max time kernel: 132s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2024 14:47
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Size: 10.4MB
MD5: 185c218239b46dff1b2b4642338f373e
SHA1: 77b794f16a8621b424355343bc5a4b04fd07f875
SHA256: 07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8
SHA512: 77f579ea578865d9ab76378dc6207ee8e43647426c534616e7dff39c943d00f00ef306039d924ed45445850a68fd5bf1aa0c85d9c9ca95d0a1eb2bf2dc1955be
SSDEEP: 196608:1zS1+mVNY/EeryIqxQcZ77QxqJ8UhPo09VSY0P7JkwGIQW5zf:1zSLVaqx77UxS8cPFWY0P7JkwmWN
Malware Config
Signatures

Ardamax family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | MSI4E01.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | SRO_R.exe
Executes dropped EXE (3 IoCs)

pid | Process
324 | MSI4E01.tmp
4368 | SRO_R.exe
1164 | TEV.exe
Loads dropped DLL (14 IoCs)

pid | Process
2300 | MsiExec.exe
2300 | MsiExec.exe
2300 | MsiExec.exe
2300 | MsiExec.exe
3776 | MsiExec.exe
3776 | MsiExec.exe
3776 | MsiExec.exe
3776 | MsiExec.exe
1164 | TEV.exe
1164 | TEV.exe
1868 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1868 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Adds Run key to start application (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEV Start = "C:\\ProgramData\\CFQPBU\\TEV.exe" | TEV.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (6 IoCs)

description | ioc | Process
File created | C:\Program Files\Net2e\SilkroadR\32-bit\sro_client.exe | msiexec.exe
File created | C:\Program Files\Net2e\SilkroadR\32-bit\SRO_R.exe | msiexec.exe
File created | C:\Program Files\Net2e\SilkroadR\silkroad.exe | msiexec.exe
File created | C:\Program Files\Net2e\SilkroadR\sro_client.exe | msiexec.exe
File created | C:\Program Files\Net2e\SilkroadR\SRO_R.exe | msiexec.exe
File created | C:\Program Files\Net2e\SilkroadR\32-bit\silkroad.exe | msiexec.exe
Drops file in Windows directory (13 IoCs)

description | ioc | Process
File created | C:\Windows\Installer\SourceHash{54C6EFE9-BD12-41DF-BD3C-43DCC7FD1EA4} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4A45.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4A65.tmp | msiexec.exe
File created | C:\Windows\Installer\e58488d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58488d.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI48FB.tmp | msiexec.exe
File created | C:\Windows\Installer\e58488f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4E01.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI494A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4BDD.tmp | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TEV.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSI4E01.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SRO_R.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not preserved in source] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Modifies registry class (24 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\PackageCode = "B87D7B2FD80F7A64A88108FCEED0D789" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Language = "1066" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\PackageName = "ChayNhieuAcc_SroR_Net2e.x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media\1 = "Disk1;Disk1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9EFE6C4521DBFD14DBC334CD7CDFE14A\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\ProductName = "SilkroadR" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | MSI4E01.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\SilkroadR 1.0.0\\install\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Version = "16777216" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2EA26921870436C4383A1BA7F69AB577\9EFE6C4521DBFD14DBC334CD7CDFE14A | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2EA26921870436C4383A1BA7F69AB577 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\SilkroadR 1.0.0\\install\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9EFE6C4521DBFD14DBC334CD7CDFE14A | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A | msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)

pid | Process
4040 | msiexec.exe
4040 | msiexec.exe
1164 | TEV.exe
1164 | TEV.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
1164 | TEV.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)

pid | Process
1468 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468 | 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Suspicious use of SetWindowsHookEx (5 IoCs)

pid | Process
1164 | TEV.exe
1164 | TEV.exe
1164 | TEV.exe
1164 | TEV.exe
1164 | TEV.exe
Suspicious use of WriteProcessMemory (50 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes (1 TTPs, 4 IoCs)

pid | Process
4244 | attrib.exe
2312 | attrib.exe
1628 | attrib.exe
1564 | attrib.exe
Processes

Each entry gives the image path, the command line, the PID and the signatures matched by that process; indentation shows the parent/child relationship.

C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe"
  PID: 1468
  - Checks computer location settings
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi" CLIENTPROCESSID="1468" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1468Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\SilkroadR\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SilkroadR"
    PID: 1868
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat" "
    PID: 716
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
      PID: 4244
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe
      Command line: ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat"
      PID: 2312
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat" "
      PID: 4728
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" cls"
      PID: 2120
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat" "
    PID: 1404
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
      PID: 1628
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe
      Command line: ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat"
      PID: 1564
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat" "
      PID: 3688
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" cls"
      PID: 3592
      - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4040
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7553271A38588F32F2C06F17787DEC8 C
    PID: 2300
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1736

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5A97047982E2451CC4C22B3829F99DB8
    PID: 3776
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSI4E01.tmp
    Command line: "C:\Windows\Installer\MSI4E01.tmp" "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
    PID: 324
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Net2e\SilkroadR\SRO_R.exe
      Command line: "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
      PID: 4368
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\CFQPBU\TEV.exe
        Command line: "C:\ProgramData\CFQPBU\TEV.exe"
        PID: 1164
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4988
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (1)
Downloads
-
Filesize
406B
MD511683ee145d38f1d720a7b76b35c61ac
SHA1a682676996f8a83cf00a5abae3be5e79a9ae4e21
SHA256ad7e884ca0ca1fd9fee049bd6d38b3fbdabe12e906d2da94ea3c6073e0e4f855
SHA512537d5465e87976e73add9c70ce27bd4bd50840d65a006968db5fad236daf11f28b8901244ae7b93dda34f4283e080ed4eaada4be4d5d2dea75f8d8123b3c555c
-
Filesize
91KB
MD5f16f35078bfb36d801f8c500ba5c1a40
SHA13b97e9a8daf7e2d6a9e656edede87314ee142a89
SHA256583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff
SHA51284e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230
-
Filesize
968KB
MD5162a3c0bf3073c5a9d719d40abc2c1fc
SHA1f618cfe1969992031456ad4932e5a3fb5af0f13e
SHA25667353957c148bc1724cba07175216a738b924c4fa4adb5d52eaa3d99a19a321a
SHA512c7a2ad6419d170f902a82d241fb1d35321ebe08c1fd63aa09f44b432faafaa003c3daa80cff96de122c446844d6de368c5885827587cb8b7951d3d3e3fa7acf1
-
Filesize
6.9MB
MD53e9bb7bf788f08d0194182820d423cab
SHA1acc00292ce2f4c4e5091c4d3343672c8a0d02711
SHA2568c0743ce218cf973d2ce755eb29213a54ea8c46771cd8ee39470cb7c573cc11a
SHA51296639b731a61a403023aa4bf2383a04ebcfbb24ddc0977894a9372bee1669dfb7b722869df99ff9514b303b27bba7467e520ded6bc3caa86cddb5503d2fb4c74
-
Filesize
300KB
MD53953318d1e6d124b10805cc5919fe47e
SHA176dfb3240d7fd6b860d23a6d210d85adb17b7803
SHA2560670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b
SHA5128937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa
-
Filesize
14KB
MD5aa154d2b96be7ab9f8f2588c07ba7669
SHA1972e5f88b4408b13c88f4126106db6a495806b7f
SHA2560ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46
SHA5124cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e
-
Filesize
24.1MB
MD5f1127d54defd4beab10aff76bacdd598
SHA1e75ec61292b7dbad24646e1f562496ff5605ef01
SHA25682b682fa1a6f7cf5766574cd5caa2e7e95d93bc07dc4bd92aa4a85967f106b97
SHA5120104e34731df80cabc4e6466eac5d10e3a8db8291a0f1db39b2650300a43bece794f1644dddd0e2b5865df4cb78d4890e6c4feff30cfced90a6919c37c220f52
-
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{526113fb-cbd7-44d7-a944-e4bf42c0059a}_OnDiskSnapshotProp
Filesize6KB
MD512379826b3b5e3e6d0d5416a05294e8f
SHA15483e1e5210b64d3f4462f2eaf8b57b1fe1b6553
SHA256f55aecb72292d6f8d0e7dcfd827216c8d192fdccf7d3bd2bfbbd6b02f11a53dd
SHA512793577a42f614ec81ec7fff20fd504726445554acd6d547861288502806fcb11d4b9e26fa885e750a6378cee6c4f7549840983f7447d73dbb8b96c29f58a6fb4