ardamax | 07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8

Analysis

max time kernel
132s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Size

10.4MB
MD5

185c218239b46dff1b2b4642338f373e
SHA1

77b794f16a8621b424355343bc5a4b04fd07f875
SHA256

07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8
SHA512

77f579ea578865d9ab76378dc6207ee8e43647426c534616e7dff39c943d00f00ef306039d924ed45445850a68fd5bf1aa0c85d9c9ca95d0a1eb2bf2dc1955be
SSDEEP

196608:1zS1+mVNY/EeryIqxQcZ77QxqJ8UhPo09VSY0P7JkwGIQW5zf:1zSLVaqx77UxS8cPFWY0P7JkwmWN

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exeMSI4E01.tmpSRO_R.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	MSI4E01.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SRO_R.exe

Executes dropped EXE 3 IoCs

Processes:

MSI4E01.tmpSRO_R.exeTEV.exe

pid process

324 MSI4E01.tmp
4368 SRO_R.exe
1164 TEV.exe

pid	process
324	MSI4E01.tmp
4368	SRO_R.exe
1164	TEV.exe

Loads dropped DLL 14 IoCs

Processes:

MsiExec.exeMsiExec.exeTEV.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

pid	process
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
3776	MsiExec.exe
3776	MsiExec.exe
3776	MsiExec.exe
3776	MsiExec.exe
1164	TEV.exe
1164	TEV.exe
1868	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1868	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TEV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEV Start = "C:\\ProgramData\\CFQPBU\\TEV.exe"	TEV.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\G:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\O:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\E:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\I:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\L:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\Z:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\K:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\S:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\P:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\S:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\Z:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\L:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\B:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\R:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\U:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\U:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\N:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\W:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\E:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\H:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\J:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\P:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\V:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\T:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\K:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\M:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
File opened (read-only)	\??\I:	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

Drops file in Program Files directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\Net2e\SilkroadR\32-bit\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\SilkroadR\32-bit\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\SilkroadR\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\SilkroadR\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\SilkroadR\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\SilkroadR\32-bit\silkroad.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{54C6EFE9-BD12-41DF-BD3C-43DCC7FD1EA4}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A65.tmp	msiexec.exe
File created	C:\Windows\Installer\e58488d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58488d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48FB.tmp	msiexec.exe
File created	C:\Windows\Installer\e58488f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI494A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BDD.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exeMsiExec.exeTEV.exeattrib.execmd.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exeMSI4E01.tmpSRO_R.exeattrib.execmd.exeMsiExec.exeattrib.exeattrib.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI4E01.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRO_R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exeMSI4E01.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\PackageCode = "B87D7B2FD80F7A64A88108FCEED0D789"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Language = "1066"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\PackageName = "ChayNhieuAcc_SroR_Net2e.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9EFE6C4521DBFD14DBC334CD7CDFE14A\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\ProductName = "SilkroadR"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSI4E01.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\SilkroadR 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2EA26921870436C4383A1BA7F69AB577\9EFE6C4521DBFD14DBC334CD7CDFE14A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2EA26921870436C4383A1BA7F69AB577	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\SilkroadR 1.0.0\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9EFE6C4521DBFD14DBC334CD7CDFE14A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9EFE6C4521DBFD14DBC334CD7CDFE14A	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeTEV.exe

pid process

4040 msiexec.exe
4040 msiexec.exe
1164 TEV.exe
1164 TEV.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TEV.exe

pid process

1164 TEV.exe

pid	process
4040	msiexec.exe
4040	msiexec.exe
1164	TEV.exe
1164	TEV.exe

pid	process
1164	TEV.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

description	pid	process
Token: SeSecurityPrivilege	4040	msiexec.exe
Token: SeCreateTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeLockMemoryPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeIncreaseQuotaPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeMachineAccountPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeTcbPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSecurityPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeTakeOwnershipPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeLoadDriverPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemProfilePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemtimePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeProfSingleProcessPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeIncBasePriorityPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreatePagefilePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreatePermanentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeBackupPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeRestorePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeShutdownPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeDebugPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeAuditPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemEnvironmentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeChangeNotifyPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeRemoteShutdownPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeUndockPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSyncAgentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeEnableDelegationPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeManageVolumePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeImpersonatePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreateGlobalPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreateTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeLockMemoryPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeIncreaseQuotaPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeMachineAccountPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeTcbPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSecurityPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeTakeOwnershipPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeLoadDriverPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemProfilePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemtimePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeProfSingleProcessPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeIncBasePriorityPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreatePagefilePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreatePermanentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeBackupPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeRestorePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeShutdownPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeDebugPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeAuditPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSystemEnvironmentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeChangeNotifyPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeRemoteShutdownPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeUndockPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeSyncAgentPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeEnableDelegationPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeManageVolumePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeImpersonatePrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreateGlobalPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeCreateTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeLockMemoryPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeIncreaseQuotaPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Token: SeMachineAccountPrivilege	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

pid process

1468 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468 2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

TEV.exe

pid process

1164 TEV.exe
1164 TEV.exe
1164 TEV.exe
1164 TEV.exe
1164 TEV.exe

pid	process
1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

pid	process
1164	TEV.exe
1164	TEV.exe
1164	TEV.exe
1164	TEV.exe
1164	TEV.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

msiexec.exe2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exeMSI4E01.tmpSRO_R.execmd.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 2300	4040	msiexec.exe	MsiExec.exe
PID 4040 wrote to memory of 2300	4040	msiexec.exe	MsiExec.exe
PID 4040 wrote to memory of 2300	4040	msiexec.exe	MsiExec.exe
PID 1468 wrote to memory of 1868	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
PID 1468 wrote to memory of 1868	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
PID 1468 wrote to memory of 1868	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
PID 4040 wrote to memory of 1736	4040	msiexec.exe	srtasks.exe
PID 4040 wrote to memory of 1736	4040	msiexec.exe	srtasks.exe
PID 4040 wrote to memory of 3776	4040	msiexec.exe	MsiExec.exe
PID 4040 wrote to memory of 3776	4040	msiexec.exe	MsiExec.exe
PID 4040 wrote to memory of 3776	4040	msiexec.exe	MsiExec.exe
PID 4040 wrote to memory of 324	4040	msiexec.exe	MSI4E01.tmp
PID 4040 wrote to memory of 324	4040	msiexec.exe	MSI4E01.tmp
PID 4040 wrote to memory of 324	4040	msiexec.exe	MSI4E01.tmp
PID 324 wrote to memory of 4368	324	MSI4E01.tmp	SRO_R.exe
PID 324 wrote to memory of 4368	324	MSI4E01.tmp	SRO_R.exe
PID 324 wrote to memory of 4368	324	MSI4E01.tmp	SRO_R.exe
PID 4368 wrote to memory of 1164	4368	SRO_R.exe	TEV.exe
PID 4368 wrote to memory of 1164	4368	SRO_R.exe	TEV.exe
PID 4368 wrote to memory of 1164	4368	SRO_R.exe	TEV.exe
PID 1468 wrote to memory of 716	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 1468 wrote to memory of 716	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 1468 wrote to memory of 716	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 1468 wrote to memory of 1404	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 1468 wrote to memory of 1404	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 1468 wrote to memory of 1404	1468	2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe	cmd.exe
PID 716 wrote to memory of 4244	716	cmd.exe	attrib.exe
PID 716 wrote to memory of 4244	716	cmd.exe	attrib.exe
PID 716 wrote to memory of 4244	716	cmd.exe	attrib.exe
PID 716 wrote to memory of 2312	716	cmd.exe	attrib.exe
PID 716 wrote to memory of 2312	716	cmd.exe	attrib.exe
PID 716 wrote to memory of 2312	716	cmd.exe	attrib.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 1628	1404	cmd.exe	attrib.exe
PID 716 wrote to memory of 4728	716	cmd.exe	cmd.exe
PID 716 wrote to memory of 4728	716	cmd.exe	cmd.exe
PID 716 wrote to memory of 4728	716	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1564	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 1564	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 1564	1404	cmd.exe	attrib.exe
PID 716 wrote to memory of 2120	716	cmd.exe	cmd.exe
PID 716 wrote to memory of 2120	716	cmd.exe	cmd.exe
PID 716 wrote to memory of 2120	716	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3688	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3688	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3688	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3592	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3592	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 3592	1404	cmd.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

4244 attrib.exe
2312 attrib.exe
1628 attrib.exe
1564 attrib.exe

pid	process
4244	attrib.exe
2312	attrib.exe
1628	attrib.exe
1564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi" CLIENTPROCESSID="1468" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1468Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\SilkroadR\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SilkroadR"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4244
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1628
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7553271A38588F32F2C06F17787DEC8 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A97047982E2451CC4C22B3829F99DB8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3776
- C:\Windows\Installer\MSI4E01.tmp
  "C:\Windows\Installer\MSI4E01.tmp" "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Program Files\Net2e\SilkroadR\SRO_R.exe
    "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\ProgramData\CFQPBU\TEV.exe
      "C:\ProgramData\CFQPBU\TEV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58488e.rbs

Filesize
9KB

MD5
2e3739e120284715f5ee1facbb0e1a6f

SHA1
73674055991eefc38d8fd8baf5f6bef53dc329c5

SHA256
b3ce5ceaf0c41c48c5830ffd35bd6bb8f32fa1dbb510b37bd2227399af2377e3

SHA512
4acb260b9e0c74076fca1dde55179d8129772d7d68939d77793bbf38e33982122314ea9219a8c4279da4c7ff202d0130cb5b4020c33f69dd59db28ba91a16f42

Download Submit
C:\Program Files\Net2e\SilkroadR\SRO_R.exe

Filesize
2.3MB

MD5
38bbc879ab82720283d9a27b3ca72490

SHA1
28ed426f5462b1eaf3dec3c50000dc47d03b5549

SHA256
546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

SHA512
1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

Download Submit
C:\Program Files\Net2e\SilkroadR\silkroad.exe

Filesize
796KB

MD5
7848d12390433960af0803630be759d6

SHA1
f35285e2dc52893195544af8598f4f00138a5d46

SHA256
3cddac8869e71e4ac294ac757428a2bf577d41a344388bae454572c66554f5a1

SHA512
e613a36c4a8baf110b54c079d4db333f86cd8ba5e3a08d894b81cc09e3a02bfd63ca84b7a7ab4dd518f880d0e98602e0e7056b040d8dab713036c2cba1727525

Download Submit
C:\ProgramData\CFQPBU\TEV.00

Filesize
2KB

MD5
869c7988a9fae9365caeeabcda0e7f1a

SHA1
13bd3b73b6368ce425a8fb5673aaabe7d23325c1

SHA256
5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

SHA512
8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

Download Submit
C:\ProgramData\CFQPBU\TEV.01

Filesize
79KB

MD5
582bfe4bf9de1077982664ad8ce0754a

SHA1
465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

SHA256
ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

SHA512
40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

Download Submit
C:\ProgramData\CFQPBU\TEV.exe

Filesize
2.6MB

MD5
bbf69aeaed386c67d946b1cb197abcac

SHA1
c291c37b677c0784ead38e57ee22d704b2196730

SHA256
8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

SHA512
4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

Download Submit
C:\ProgramData\THF\TEV.004

Filesize
919B

MD5
ff1412cb7193a9d1eaa587a71fa1dfd6

SHA1
d309e5f0bec51d768d935556957141fdc2eb8607

SHA256
78f07a3cbe6888076a2a816482fe36c5782a215eeb833194d1d04212cbc32635

SHA512
2fa81be991c608da5708f002f26e78293e326f75be893ad6a530bfd5214ea4cba523e1ff16e7062f49b0327eb20e2794e180eccf938ec6583ef30009ee7aa859

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1468\background.jpg

Filesize
208KB

MD5
c11651b1901e704b6b4b49f1df62401f

SHA1
e5ce36a9b955ff5fc72e3f11cd7c62e7416ed0ea

SHA256
e9657b10049a589e014cb97952eed96baa7daffdbbcef4089da821226b420ae4

SHA512
a50ac93d1a1018d43c54580d267f57bd23aec17903fdc537a00ba20bd27b609aae81192c2b297c704edeaa7b308f41ba76bd70f851e43d327ebc05d5bcaf60c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1468\collecting.jpg

Filesize
1KB

MD5
750b3ce655a3dbc7961306d52c7b22b5

SHA1
2d5ed71c01abb38628eb81e1ac216f324a5c6f9d

SHA256
e7ff02b62f83626e7115f8a98f017fa4ec2927541c87a8555f51398d39583fbd

SHA512
d765f9008bd58e7d87392a44804945cecf04515ed5e0b134192c1e7a6e55d3509c181aa65de98d2c2afaba55e808e6cd4b625042c0a96f62ff0a64dbf88eb6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1468\finalizing.jpg

Filesize
2KB

MD5
b3d6cf5322b0a6e038fbf402b7a54f14

SHA1
7c65f0ec826cd5ec68c72a4fa79d37b0a44a2d95

SHA256
5ae1d4ab295fd065b861f319ecc62d2e5740423e2b7ffc662fdf45af9131ce40

SHA512
e6f1724c547555e58adbc22584ea834996f912cd504bacda41fd77cdb3793b57c4a93cba9610dde516a52f61448b7c78392823e159a24187f41364807ac1067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1468\installing.jpg

Filesize
2KB

MD5
6a6ddf6728d0ba09c6e2983a97b1031c

SHA1
01352ded02319992c25d89dadc22e4631981b54e

SHA256
26ac8e8fd30e4bc4f66aaee0ce0bde0db2293012ae39f96652e9b12e1542d8be

SHA512
91a50aa21cec298b555c86b8ee5fb559f0f8e4b5160038f07d9be10be2f5920249b9eb0e1b957cd2d7dcef126115d5cbbadc74092a1c74c876db8f25e0b6bd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1468\preparing.jpg

Filesize
1KB

MD5
c420154355e85d1b2ca8cc6de2f78fde

SHA1
014707b5bc98d52e92c68b77d299e22075d2a561

SHA256
47b996f1d726dffcc482bcee2117ecaafed5df5e05cf8673bddfc769db08c3c0

SHA512
1506cd5ad09fc2cb99e2860cb94c70ec88f1ae97df8f75f5391827c9481c4e265dd0f1dc83cbd844678fd2f68c92dfe588338ea845e50e16effde24efd322143

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE59E8.tmp.bat

Filesize
406B

MD5
d1023ee3c4eda98fccee7e5175739b0e

SHA1
5c300338133df836bd28aaa8e6a3e2b42f9f69dc

SHA256
8539b2f5f6738c569c672fd1d1edb2e0b97a1f850463e3199111d757f7a7b7aa

SHA512
011449d512eb4393cb3c96aef0f4096e901a6032f806e3b9a7112ba1a03990252daab0614beb58e33621eaf0f9676aac3918e71b8a9d52f361a08cd4567d3f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE5A27.tmp.bat

Filesize
406B

MD5
11683ee145d38f1d720a7b76b35c61ac

SHA1
a682676996f8a83cf00a5abae3be5e79a9ae4e21

SHA256
ad7e884ca0ca1fd9fee049bd6d38b3fbdabe12e906d2da94ea3c6073e0e4f855

SHA512
537d5465e87976e73add9c70ce27bd4bd50840d65a006968db5fad236daf11f28b8901244ae7b93dda34f4283e080ed4eaada4be4d5d2dea75f8d8123b3c555c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB15F.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi

Filesize
968KB

MD5
162a3c0bf3073c5a9d719d40abc2c1fc

SHA1
f618cfe1969992031456ad4932e5a3fb5af0f13e

SHA256
67353957c148bc1724cba07175216a738b924c4fa4adb5d52eaa3d99a19a321a

SHA512
c7a2ad6419d170f902a82d241fb1d35321ebe08c1fd63aa09f44b432faafaa003c3daa80cff96de122c446844d6de368c5885827587cb8b7951d3d3e3fa7acf1

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\disk1.cab

Filesize
6.9MB

MD5
3e9bb7bf788f08d0194182820d423cab

SHA1
acc00292ce2f4c4e5091c4d3343672c8a0d02711

SHA256
8c0743ce218cf973d2ce755eb29213a54ea8c46771cd8ee39470cb7c573cc11a

SHA512
96639b731a61a403023aa4bf2383a04ebcfbb24ddc0977894a9372bee1669dfb7b722869df99ff9514b303b27bba7467e520ded6bc3caa86cddb5503d2fb4c74

Download Submit
C:\Windows\Installer\MSI4A65.tmp

Filesize
300KB

MD5
3953318d1e6d124b10805cc5919fe47e

SHA1
76dfb3240d7fd6b860d23a6d210d85adb17b7803

SHA256
0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

SHA512
8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

Download Submit
C:\Windows\Installer\MSI4E01.tmp

Filesize
14KB

MD5
aa154d2b96be7ab9f8f2588c07ba7669

SHA1
972e5f88b4408b13c88f4126106db6a495806b7f

SHA256
0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

SHA512
4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
f1127d54defd4beab10aff76bacdd598

SHA1
e75ec61292b7dbad24646e1f562496ff5605ef01

SHA256
82b682fa1a6f7cf5766574cd5caa2e7e95d93bc07dc4bd92aa4a85967f106b97

SHA512
0104e34731df80cabc4e6466eac5d10e3a8db8291a0f1db39b2650300a43bece794f1644dddd0e2b5865df4cb78d4890e6c4feff30cfced90a6919c37c220f52

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{526113fb-cbd7-44d7-a944-e4bf42c0059a}_OnDiskSnapshotProp

Filesize
6KB

MD5
12379826b3b5e3e6d0d5416a05294e8f

SHA1
5483e1e5210b64d3f4462f2eaf8b57b1fe1b6553

SHA256
f55aecb72292d6f8d0e7dcfd827216c8d192fdccf7d3bd2bfbbd6b02f11a53dd

SHA512
793577a42f614ec81ec7fff20fd504726445554acd6d547861288502806fcb11d4b9e26fa885e750a6378cee6c4f7549840983f7447d73dbb8b96c29f58a6fb4

Download Submit
memory/1164-177-0x00000000026C0000-0x00000000026D9000-memory.dmp

Filesize
100KB

Download
memory/1468-185-0x0000000005440000-0x0000000005459000-memory.dmp

Filesize
100KB

Download
memory/1468-0-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/1468-78-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/1868-180-0x0000000003220000-0x0000000003239000-memory.dmp

Filesize
100KB

Download