ardamax | 9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d

Analysis

max time kernel
126s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
13-02-2025 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Size

9.8MB
MD5

488305a7b3190c2c0fc6166a532b98d5
SHA1

5675580b0f37a5428acd9570457dc561068bffdb
SHA256

9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d
SHA512

1f14d8b7ac8b0117987ce8e4b8e33ecf6936fbff3d5e169f4109717836a473218194c9e09181c47cd43faded5e41033c51d5ccfbb01c65a57c92e2796af71ecf
SSDEEP

196608:1zS1+mVNJzKCoBNdUMKnHlawrBaAQeNzeNGdzcW/NM9r+qRP:1zSLVHu77uMCFawVaATaNGdoW1qRP

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Executes dropped EXE 3 IoCs

pid	Process
776	MSI1C0F.tmp
1996	SRO_R.exe
2404	TEV.exe

Loads dropped DLL 11 IoCs

pid	Process
2808	MsiExec.exe
2808	MsiExec.exe
2808	MsiExec.exe
2596	MsiExec.exe
2596	MsiExec.exe
2596	MsiExec.exe
776	MSI1C0F.tmp
1996	SRO_R.exe
2404	TEV.exe
1704	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TEV Start = "C:\\ProgramData\\CFQPBU\\TEV.exe"	TEV.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\N:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\O:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\K:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\M:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\B:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\A:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\O:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Net2e\Silkroad 3Job\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI14A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI174A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C0F.tmp	msiexec.exe
File created	C:\Windows\Installer\f77142f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77142d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77142d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI168E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1865.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f77142c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77142c.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI1C0F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRO_R.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\ProductName = "Silkroad 3Job"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\PackageCode = "E6FE750F0975D104F9C7C4D8D26FBC9F"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Language = "1066"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\PackageName = "ChayNhieuAcc_Sro3job_Net2e.x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2284	msiexec.exe
2284	msiexec.exe
2404	TEV.exe
2404	TEV.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2404	TEV.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2284	msiexec.exe
Token: SeTakeOwnershipPrivilege	2284	msiexec.exe
Token: SeSecurityPrivilege	2284	msiexec.exe
Token: SeCreateTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2404	TEV.exe
2404	TEV.exe
2404	TEV.exe
2404	TEV.exe
2404	TEV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2284 wrote to memory of 2808	2284	msiexec.exe	31
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2624 wrote to memory of 1704	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 2596	2284	msiexec.exe	37
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 2284 wrote to memory of 776	2284	msiexec.exe	38
PID 776 wrote to memory of 1996	776	MSI1C0F.tmp	39
PID 776 wrote to memory of 1996	776	MSI1C0F.tmp	39
PID 776 wrote to memory of 1996	776	MSI1C0F.tmp	39
PID 776 wrote to memory of 1996	776	MSI1C0F.tmp	39
PID 1996 wrote to memory of 2404	1996	SRO_R.exe	41
PID 1996 wrote to memory of 2404	1996	SRO_R.exe	41
PID 1996 wrote to memory of 2404	1996	SRO_R.exe	41
PID 1996 wrote to memory of 2404	1996	SRO_R.exe	41
PID 2624 wrote to memory of 2820	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2624 wrote to memory of 2820	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2624 wrote to memory of 2820	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2624 wrote to memory of 2820	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2624 wrote to memory of 2384	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2624 wrote to memory of 2384	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2624 wrote to memory of 2384	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2624 wrote to memory of 2384	2624	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2820 wrote to memory of 1956	2820	cmd.exe	46
PID 2820 wrote to memory of 1956	2820	cmd.exe	46
PID 2820 wrote to memory of 1956	2820	cmd.exe	46
PID 2820 wrote to memory of 1956	2820	cmd.exe	46
PID 2384 wrote to memory of 1344	2384	cmd.exe	47
PID 2384 wrote to memory of 1344	2384	cmd.exe	47
PID 2384 wrote to memory of 1344	2384	cmd.exe	47
PID 2384 wrote to memory of 1344	2384	cmd.exe	47
PID 2820 wrote to memory of 2292	2820	cmd.exe	48
PID 2820 wrote to memory of 2292	2820	cmd.exe	48
PID 2820 wrote to memory of 2292	2820	cmd.exe	48
PID 2820 wrote to memory of 2292	2820	cmd.exe	48
PID 2384 wrote to memory of 2132	2384	cmd.exe	49
PID 2384 wrote to memory of 2132	2384	cmd.exe	49
PID 2384 wrote to memory of 2132	2384	cmd.exe	49
PID 2384 wrote to memory of 2132	2384	cmd.exe	49
PID 2820 wrote to memory of 828	2820	cmd.exe	50
PID 2820 wrote to memory of 828	2820	cmd.exe	50
PID 2820 wrote to memory of 828	2820	cmd.exe	50
PID 2820 wrote to memory of 828	2820	cmd.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1344	attrib.exe
1956	attrib.exe
2292	attrib.exe
2132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi" CLIENTPROCESSID="2624" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="2624Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\Silkroad 3Job\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silkroad 3Job"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE284B.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE284B.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE284B.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE286C.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE286C.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE286C.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1BA5143F415DE293CD7C93476C0B829 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A2D0562227E124AA905FBB471C52A3F1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Windows\Installer\MSI1C0F.tmp
  "C:\Windows\Installer\MSI1C0F.tmp" "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe
    "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\ProgramData\CFQPBU\TEV.exe
      "C:\ProgramData\CFQPBU\TEV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:836

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000003CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77142e.rbs

Filesize
9KB

MD5
150222e3f60d7d496a95183c84f3694b

SHA1
3c55eaa9d1cbad7ad672c2de9849677b041c5cf1

SHA256
b616d1667bf7e396b1a967a6b5ce6bc32d89f9fcc64128496aa745b548dd251c

SHA512
ee6f15cb83e56015f745e01797d522a068c91d0a1463128e2ab5c00ba587bb2b8e5b38f8f16d83b2da5112a695341828b9afc7e4e05b7c6af5f8f3692341aade

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe

Filesize
2.3MB

MD5
38bbc879ab82720283d9a27b3ca72490

SHA1
28ed426f5462b1eaf3dec3c50000dc47d03b5549

SHA256
546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

SHA512
1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe

Filesize
760KB

MD5
89b479f1a3b42728542c322cc4891753

SHA1
7e4e99bf85be7f0700935239484267ddbd68c8d5

SHA256
33bd217912cfe5cdf585a785b0b93f83b51419f5ddc954cb95b0a40e6dcaae73

SHA512
2e4c141a45b4a1cc490b22e5f1415a7bda1dabda5843dce5a0b7e2d3b91877d300f4f86f265d6f77103be6bec12dc4ee6ba4ac8905e55c382ec474f43ffb4b83

Download Submit
C:\ProgramData\CFQPBU\TEV.00

Filesize
2KB

MD5
869c7988a9fae9365caeeabcda0e7f1a

SHA1
13bd3b73b6368ce425a8fb5673aaabe7d23325c1

SHA256
5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

SHA512
8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

Download Submit
C:\ProgramData\THF\TEV.004

Filesize
935B

MD5
3772546e90bc9a021936881a60367d4f

SHA1
e7030fc71dfee44ad67b736e01fada648e3e7f12

SHA256
216a7f69e5180e92d9e9c80ed6dfef1e9cdb86d92f9c52aa526f8b613528fe78

SHA512
077be20f6a2eab9ddbdeac8393598eb3efc6d216503b64d5c92790367157a69b757925131e1e7c232afea44f8fc0552aa5aeaa109512e9c0171542be5f78ccd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2624\background.jpg

Filesize
207KB

MD5
019a43c583d1b218b1d21a2b3cdfc5e3

SHA1
630c669316b7d3f926270dbe88649e36df879d81

SHA256
8c1e8e951b986cb33ba7e0653610599e9cde64b5a006e02bc76274b188bb1406

SHA512
276de722cfad59252dc096ba51d46b5f7edd4407a73cf9bd7978cc95d2ed08b71c5f7517ef65b3bb0a5dae984c470567a64149149b47d0036a4821bbad4b9b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2624\collecting.jpg

Filesize
1KB

MD5
9a740549bd117bc16f6acb8d884604d2

SHA1
da20e48acde3a7097f8335541de40fe94c600e0a

SHA256
0daed44a8e14750614afda54781621d400fed0d2ecee9a4a402f5964d3cd3f5a

SHA512
3da47437f97e28b4f7fbb0abff44a4811b96d8511ac736dabd24b598a98b274a2e8fb9c9475a08de3478cd41683ba60db771ce409e2aba2799f866ec813a3e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2624\finalizing.jpg

Filesize
1KB

MD5
02f6bbe060f32e49e3caf2de8e60ec7f

SHA1
4674875a4f264a947da6bf6f626b9bd50325d034

SHA256
20072ae2e122a6407dac4771544158d7bcecebf98404c22001b0e69f79c8580d

SHA512
daaadbf113af1af0315333089e8b6ff4891d1fe0fa95e5ecaeaf763da593bcb4a8e1a1a940f44a3a5b6e22a9296cab1fa56e4d533cd938f434b565d6323fb588

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2624\installing.jpg

Filesize
1KB

MD5
a98e2f7d5dc055ad4b4b6d92126d9190

SHA1
c2db85dcf7bf991e8bba0d39f952748dc98d41d6

SHA256
65751616edb29437b01cd352b8651835ca585942a78adaac589f9f8c16039470

SHA512
c10aa6fe00361ab2fd6d78496fd20cb2361f235563156d4c41ec6e2e86207c964cdc3b303b927fc64a3fe86d4f5930c0c775e8d0e213f0d63a79f22133128fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2624\preparing.jpg

Filesize
1KB

MD5
d20270537ae700b03b988fc7471c820e

SHA1
3b68b1be0a7d30df6ed8952c34794e90102b77df

SHA256
a8c29d7365a7ed4191b20d08be6274215f5f12be420e826852205c4f3755dbb4

SHA512
f8245bff51757d1d44f4da5dece49f6b96d704e72a2b6d2edfa517029a69eb410cdea3945a2c3c29a32e6e9e0cb1a0b0938c4f7d3711446ec963913b4e6a3780

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE284B.tmp.bat

Filesize
406B

MD5
9d3d5e3a84c161900928bc45b88242dd

SHA1
e22596c6bd8509d1be8fce2a6722eecca8c527da

SHA256
f841d94062b3046edec4eafab2010edac5f7d9da3ef12d8634055de671e67129

SHA512
b66ceb99994a3301dcf79071f2080d635c3e4df153f6827db287d1f6c7ffde2841efde48888cf80a3af6172d40e4e20ebf988f593a82147fbc8d6f52d773703c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE286C.tmp.bat

Filesize
406B

MD5
2d1375fe743b157c0d5eac70d10b16c6

SHA1
489e2b72cb25bcf616fafd3f303a6d55c3881aa4

SHA256
b9ff877f0e27a9351002f343627202397b6a1abb189553e17e6e6fb40ef0fbde

SHA512
b764abe1f50aa53c5fb691571fa8f33adb73b71b8a66cd0bd9160a94635b16367d958095633bfed718632794ece298fc421049288380fa350588ff1e2e144d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI93A8.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi

Filesize
960KB

MD5
df279f36eded4286c34e3d410eedd815

SHA1
989a353712a825bd8e13fe6302b2ea14eada4dc0

SHA256
caea3de29051cb924d5476f29d151f62604b5018b0c40d659ceb1590408773e2

SHA512
d613af381d939b92bcde51bf99e7401708a65092f5e2f890d3da0da9051b5ccedcb3a892f49643f7b1de01a642edfc512c0dda492a8efd80b62e33d4f40e60d3

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\disk1.cab

Filesize
6.3MB

MD5
b37a918c25e558e722330f4d0d9f92fc

SHA1
1d82ccb28eee6591b2ba8e7cddc433dd365559cb

SHA256
9c661cfb943835dfd741a22a4178bd612759f3829be954eabcb254442b1ead54

SHA512
8f2d516ed64781484d1c8fc795fc7c905800dbd10cbe92adf7c4867c049c0c139027e5fc8dcd3fd386f46e7b9d33d6459fe941aa47c0b8404def4b8d9cdf882b

Download Submit
C:\Windows\Installer\MSI1C0F.tmp

Filesize
14KB

MD5
aa154d2b96be7ab9f8f2588c07ba7669

SHA1
972e5f88b4408b13c88f4126106db6a495806b7f

SHA256
0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

SHA512
4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

Download Submit
\ProgramData\CFQPBU\TEV.01

Filesize
79KB

MD5
582bfe4bf9de1077982664ad8ce0754a

SHA1
465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

SHA256
ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

SHA512
40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

Download Submit
\ProgramData\CFQPBU\TEV.exe

Filesize
2.6MB

MD5
bbf69aeaed386c67d946b1cb197abcac

SHA1
c291c37b677c0784ead38e57ee22d704b2196730

SHA256
8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

SHA512
4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

Download Submit
\Windows\Installer\MSI174A.tmp

Filesize
300KB

MD5
3953318d1e6d124b10805cc5919fe47e

SHA1
76dfb3240d7fd6b860d23a6d210d85adb17b7803

SHA256
0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

SHA512
8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

Download Submit
memory/1704-165-0x00000000009A0000-0x00000000009B9000-memory.dmp

Filesize
100KB

Download
memory/2404-163-0x00000000003D0000-0x00000000003E9000-memory.dmp

Filesize
100KB

Download
memory/2624-167-0x00000000027A0000-0x00000000027B9000-memory.dmp

Filesize
100KB

Download
memory/2624-0-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2624-70-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download