ardamax | 9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d

Analysis

max time kernel
125s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-02-2025 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Size

9.8MB
MD5

488305a7b3190c2c0fc6166a532b98d5
SHA1

5675580b0f37a5428acd9570457dc561068bffdb
SHA256

9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d
SHA512

1f14d8b7ac8b0117987ce8e4b8e33ecf6936fbff3d5e169f4109717836a473218194c9e09181c47cd43faded5e41033c51d5ccfbb01c65a57c92e2796af71ecf
SSDEEP

196608:1zS1+mVNJzKCoBNdUMKnHlawrBaAQeNzeNGdzcW/NM9r+qRP:1zSLVHu77uMCFawVaATaNGdoW1qRP

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Executes dropped EXE 3 IoCs

pid	Process
2940	MSI6EA1.tmp
824	SRO_R.exe
1588	TEV.exe

Loads dropped DLL 11 IoCs

pid	Process
2568	MsiExec.exe
2568	MsiExec.exe
2568	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
2940	MSI6EA1.tmp
824	SRO_R.exe
1588	TEV.exe
2844	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TEV Start = "C:\\ProgramData\\CFQPBU\\TEV.exe"	TEV.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\N:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\B:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\M:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\A:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\M:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\O:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\SRO_R.exe	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f7768f0.msi	msiexec.exe
File created	C:\Windows\Installer\f7768f1.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AA7.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f7768f0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B64.tmp	msiexec.exe
File created	C:\Windows\Installer\f7768f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EA1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI696D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7768f1.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRO_R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6EA1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Language = "1066"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\PackageName = "ChayNhieuAcc_Sro3job_Net2e.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\ProductName = "Silkroad 3Job"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\PackageCode = "E6FE750F0975D104F9C7C4D8D26FBC9F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2384	msiexec.exe
2384	msiexec.exe
1588	TEV.exe
1588	TEV.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	TEV.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2384	msiexec.exe
Token: SeTakeOwnershipPrivilege	2384	msiexec.exe
Token: SeSecurityPrivilege	2384	msiexec.exe
Token: SeCreateTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1588	TEV.exe
1588	TEV.exe
1588	TEV.exe
1588	TEV.exe
1588	TEV.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2384 wrote to memory of 2568	2384	msiexec.exe	32
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2656 wrote to memory of 2844	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	33
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 1616	2384	msiexec.exe	37
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2384 wrote to memory of 2940	2384	msiexec.exe	38
PID 2940 wrote to memory of 824	2940	MSI6EA1.tmp	39
PID 2940 wrote to memory of 824	2940	MSI6EA1.tmp	39
PID 2940 wrote to memory of 824	2940	MSI6EA1.tmp	39
PID 2940 wrote to memory of 824	2940	MSI6EA1.tmp	39
PID 824 wrote to memory of 1588	824	SRO_R.exe	41
PID 824 wrote to memory of 1588	824	SRO_R.exe	41
PID 824 wrote to memory of 1588	824	SRO_R.exe	41
PID 824 wrote to memory of 1588	824	SRO_R.exe	41
PID 2656 wrote to memory of 2692	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2656 wrote to memory of 2692	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2656 wrote to memory of 2692	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2656 wrote to memory of 2692	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	42
PID 2656 wrote to memory of 2060	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2656 wrote to memory of 2060	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2656 wrote to memory of 2060	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2656 wrote to memory of 2060	2656	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	44
PID 2692 wrote to memory of 1168	2692	cmd.exe	46
PID 2692 wrote to memory of 1168	2692	cmd.exe	46
PID 2692 wrote to memory of 1168	2692	cmd.exe	46
PID 2692 wrote to memory of 1168	2692	cmd.exe	46
PID 2060 wrote to memory of 1328	2060	cmd.exe	47
PID 2060 wrote to memory of 1328	2060	cmd.exe	47
PID 2060 wrote to memory of 1328	2060	cmd.exe	47
PID 2060 wrote to memory of 1328	2060	cmd.exe	47
PID 2692 wrote to memory of 2012	2692	cmd.exe	48
PID 2692 wrote to memory of 2012	2692	cmd.exe	48
PID 2692 wrote to memory of 2012	2692	cmd.exe	48
PID 2692 wrote to memory of 2012	2692	cmd.exe	48
PID 2060 wrote to memory of 2612	2060	cmd.exe	49
PID 2060 wrote to memory of 2612	2060	cmd.exe	49
PID 2060 wrote to memory of 2612	2060	cmd.exe	49
PID 2060 wrote to memory of 2612	2060	cmd.exe	49
PID 2692 wrote to memory of 2856	2692	cmd.exe	50
PID 2692 wrote to memory of 2856	2692	cmd.exe	50
PID 2692 wrote to memory of 2856	2692	cmd.exe	50
PID 2692 wrote to memory of 2856	2692	cmd.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2012	attrib.exe
2612	attrib.exe
1168	attrib.exe
1328	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi" CLIENTPROCESSID="2656" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="2656Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\Silkroad 3Job\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silkroad 3Job"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE7F9E.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1168
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE7F9E.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE7F9E.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE7FBF.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1328
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE7FBF.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE7FBF.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3DFC2D9A4F8C1ADD0310085DF1CA132 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A70BF129DB2E52EBABC74213AA7459AD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\Installer\MSI6EA1.tmp
  "C:\Windows\Installer\MSI6EA1.tmp" "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe
    "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\ProgramData\CFQPBU\TEV.exe
      "C:\ProgramData\CFQPBU\TEV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:236

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C0" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7768f2.rbs

Filesize
9KB

MD5
89c3da68d5bc00a900b2bbf469e21ed8

SHA1
5c5dfc75db2c282f88733a3623f90cba29abcec2

SHA256
e60207a3ca444c3981012a5cb38cb9637a3d76d1d02db488b8aa758bb22f7ff9

SHA512
cef94320762b7fb91fda1802b5cb89c681f704bd073bd9f8dc53cbd5d33312cb10fe1a7f228ff343f42584b94ad1d6336796f4b249e8d3a1e9b9d808179287c5

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe

Filesize
2.3MB

MD5
38bbc879ab82720283d9a27b3ca72490

SHA1
28ed426f5462b1eaf3dec3c50000dc47d03b5549

SHA256
546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

SHA512
1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe

Filesize
760KB

MD5
89b479f1a3b42728542c322cc4891753

SHA1
7e4e99bf85be7f0700935239484267ddbd68c8d5

SHA256
33bd217912cfe5cdf585a785b0b93f83b51419f5ddc954cb95b0a40e6dcaae73

SHA512
2e4c141a45b4a1cc490b22e5f1415a7bda1dabda5843dce5a0b7e2d3b91877d300f4f86f265d6f77103be6bec12dc4ee6ba4ac8905e55c382ec474f43ffb4b83

Download Submit
C:\ProgramData\CFQPBU\TEV.00

Filesize
2KB

MD5
869c7988a9fae9365caeeabcda0e7f1a

SHA1
13bd3b73b6368ce425a8fb5673aaabe7d23325c1

SHA256
5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

SHA512
8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

Download Submit
C:\ProgramData\THF\TEV.004

Filesize
935B

MD5
5a09a988bceff42071d64ec73c1cb047

SHA1
f5452bcbd476cf2384bdf3ed5a91a661fad4a9a7

SHA256
2055300ec228785c0f35735b99f315d6001827d4f66e20b77273ac0351308051

SHA512
c2e62a1a6bf6860bce452f9426a3316116dbad14f28776f2380a60232163a48ffe5068d38d1add7f35ec583aa677aa96cd3b0d895dddf678f3a58ccf4041629a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2656\background.jpg

Filesize
207KB

MD5
019a43c583d1b218b1d21a2b3cdfc5e3

SHA1
630c669316b7d3f926270dbe88649e36df879d81

SHA256
8c1e8e951b986cb33ba7e0653610599e9cde64b5a006e02bc76274b188bb1406

SHA512
276de722cfad59252dc096ba51d46b5f7edd4407a73cf9bd7978cc95d2ed08b71c5f7517ef65b3bb0a5dae984c470567a64149149b47d0036a4821bbad4b9b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2656\collecting.jpg

Filesize
1KB

MD5
9a740549bd117bc16f6acb8d884604d2

SHA1
da20e48acde3a7097f8335541de40fe94c600e0a

SHA256
0daed44a8e14750614afda54781621d400fed0d2ecee9a4a402f5964d3cd3f5a

SHA512
3da47437f97e28b4f7fbb0abff44a4811b96d8511ac736dabd24b598a98b274a2e8fb9c9475a08de3478cd41683ba60db771ce409e2aba2799f866ec813a3e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2656\finalizing.jpg

Filesize
1KB

MD5
02f6bbe060f32e49e3caf2de8e60ec7f

SHA1
4674875a4f264a947da6bf6f626b9bd50325d034

SHA256
20072ae2e122a6407dac4771544158d7bcecebf98404c22001b0e69f79c8580d

SHA512
daaadbf113af1af0315333089e8b6ff4891d1fe0fa95e5ecaeaf763da593bcb4a8e1a1a940f44a3a5b6e22a9296cab1fa56e4d533cd938f434b565d6323fb588

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2656\installing.jpg

Filesize
1KB

MD5
a98e2f7d5dc055ad4b4b6d92126d9190

SHA1
c2db85dcf7bf991e8bba0d39f952748dc98d41d6

SHA256
65751616edb29437b01cd352b8651835ca585942a78adaac589f9f8c16039470

SHA512
c10aa6fe00361ab2fd6d78496fd20cb2361f235563156d4c41ec6e2e86207c964cdc3b303b927fc64a3fe86d4f5930c0c775e8d0e213f0d63a79f22133128fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2656\preparing.jpg

Filesize
1KB

MD5
d20270537ae700b03b988fc7471c820e

SHA1
3b68b1be0a7d30df6ed8952c34794e90102b77df

SHA256
a8c29d7365a7ed4191b20d08be6274215f5f12be420e826852205c4f3755dbb4

SHA512
f8245bff51757d1d44f4da5dece49f6b96d704e72a2b6d2edfa517029a69eb410cdea3945a2c3c29a32e6e9e0cb1a0b0938c4f7d3711446ec963913b4e6a3780

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE7F9E.tmp.bat

Filesize
406B

MD5
c03b14c4a45609e4d948c95f5d28bf27

SHA1
1e378abc6cc0d0286f14499040775e735b8b1c6b

SHA256
2e6ee39eaeb365da1d05a535420826ea4b6ca1178143c310cbad9d243f1ad883

SHA512
95521da155196f10975b6f58265046243dbcd94f3ccabd5eb22197bc4b932ec8f4cd8f2d83e0768d32a39d84478b865a0ca6475b51741253baf6071ef77da443

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE7FBF.tmp.bat

Filesize
406B

MD5
637a67cab1616d83a516cc84b4e593e9

SHA1
bb1c36c8131b179a478f200c1fff04f57c92669c

SHA256
09a2468f1485252200f0dc4338f268884042e42897fdbdae140d9789e342c8a7

SHA512
540cf817931fc28d09dd88bba92a33eb775986474ae6b9aad25f454e95febd5d4971ccf074a922a36a9c35d88a3eadcb63da90a238288f9cde0f96dbeb4bc949

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEA6E.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi

Filesize
960KB

MD5
df279f36eded4286c34e3d410eedd815

SHA1
989a353712a825bd8e13fe6302b2ea14eada4dc0

SHA256
caea3de29051cb924d5476f29d151f62604b5018b0c40d659ceb1590408773e2

SHA512
d613af381d939b92bcde51bf99e7401708a65092f5e2f890d3da0da9051b5ccedcb3a892f49643f7b1de01a642edfc512c0dda492a8efd80b62e33d4f40e60d3

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\disk1.cab

Filesize
6.3MB

MD5
b37a918c25e558e722330f4d0d9f92fc

SHA1
1d82ccb28eee6591b2ba8e7cddc433dd365559cb

SHA256
9c661cfb943835dfd741a22a4178bd612759f3829be954eabcb254442b1ead54

SHA512
8f2d516ed64781484d1c8fc795fc7c905800dbd10cbe92adf7c4867c049c0c139027e5fc8dcd3fd386f46e7b9d33d6459fe941aa47c0b8404def4b8d9cdf882b

Download Submit
C:\Windows\Installer\MSI6AA7.tmp

Filesize
300KB

MD5
3953318d1e6d124b10805cc5919fe47e

SHA1
76dfb3240d7fd6b860d23a6d210d85adb17b7803

SHA256
0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

SHA512
8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

Download Submit
C:\Windows\Installer\MSI6EA1.tmp

Filesize
14KB

MD5
aa154d2b96be7ab9f8f2588c07ba7669

SHA1
972e5f88b4408b13c88f4126106db6a495806b7f

SHA256
0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

SHA512
4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

Download Submit
\ProgramData\CFQPBU\TEV.01

Filesize
79KB

MD5
582bfe4bf9de1077982664ad8ce0754a

SHA1
465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

SHA256
ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

SHA512
40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

Download Submit
\ProgramData\CFQPBU\TEV.exe

Filesize
2.6MB

MD5
bbf69aeaed386c67d946b1cb197abcac

SHA1
c291c37b677c0784ead38e57ee22d704b2196730

SHA256
8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

SHA512
4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

Download Submit
memory/1588-165-0x0000000001EB0000-0x0000000001EC9000-memory.dmp

Filesize
100KB

Download
memory/2656-171-0x0000000000EE0000-0x0000000000EF9000-memory.dmp

Filesize
100KB

Download
memory/2656-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2656-70-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2844-169-0x00000000004C0000-0x00000000004D9000-memory.dmp

Filesize
100KB

Download