ardamax | 9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2025 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Size

9.8MB
MD5

488305a7b3190c2c0fc6166a532b98d5
SHA1

5675580b0f37a5428acd9570457dc561068bffdb
SHA256

9ddd4c82e71888f24d83cae5b83c8ca78e4c6f95badd4cecf854a0065204c74d
SHA512

1f14d8b7ac8b0117987ce8e4b8e33ecf6936fbff3d5e169f4109717836a473218194c9e09181c47cd43faded5e41033c51d5ccfbb01c65a57c92e2796af71ecf
SSDEEP

196608:1zS1+mVNJzKCoBNdUMKnHlawrBaAQeNzeNGdzcW/NM9r+qRP:1zSLVHu77uMCFawVaATaNGdoW1qRP

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
42	1552	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	MSI54D7.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	SRO_R.exe

Executes dropped EXE 3 IoCs

pid	Process
4324	MSI54D7.tmp
2452	SRO_R.exe
4168	TEV.exe

Loads dropped DLL 14 IoCs

pid	Process
3348	MsiExec.exe
3348	MsiExec.exe
3348	MsiExec.exe
3348	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
1840	MsiExec.exe
4168	TEV.exe
4168	TEV.exe
3380	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
3380	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEV Start = "C:\\ProgramData\\CFQPBU\\TEV.exe"	TEV.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\V:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\I:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\A:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\N:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\O:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\R:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Z:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\N:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\L:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Q:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\E:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\O:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\U:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\Y:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\K:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\P:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\S:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\W:	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\sro_client.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\silkroad.exe	msiexec.exe
File created	C:\Program Files\Net2e\Silkroad 3Job\32-bit\sro_client.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e584bba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584bba.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D288FDB9-1F34-4684-9051-80ECB18B0C23}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D90.tmp	msiexec.exe
File created	C:\Windows\Installer\e584bbc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4CF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI514C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI54D7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SRO_R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1508	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000831b10edf759dd800000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000831b10ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900831b10ed000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d831b10ed000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000831b10ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\ProductName = "Silkroad 3Job"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\PackageCode = "E6FE750F0975D104F9C7C4D8D26FBC9F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Language = "1066"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSI54D7.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2E088BC626908443843D0FA79E51C27	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\PackageName = "ChayNhieuAcc_Sro3job_Net2e.x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9BDF882D43F14864091508CE1BB8C032\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Net2e\\Silkroad 3Job 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9BDF882D43F14864091508CE1BB8C032\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3688	msiexec.exe
3688	msiexec.exe
4168	TEV.exe
4168	TEV.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4168	TEV.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3688	msiexec.exe
Token: SeCreateTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTcbPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSecurityPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeTakeOwnershipPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLoadDriverPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemProfilePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemtimePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeProfSingleProcessPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncBasePriorityPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePagefilePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreatePermanentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeBackupPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRestorePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeShutdownPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeDebugPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAuditPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSystemEnvironmentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeChangeNotifyPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeRemoteShutdownPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeUndockPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeSyncAgentPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeEnableDelegationPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeManageVolumePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeImpersonatePrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateGlobalPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeCreateTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeAssignPrimaryTokenPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeLockMemoryPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeIncreaseQuotaPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
Token: SeMachineAccountPrivilege	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4168	TEV.exe
4168	TEV.exe
4168	TEV.exe
4168	TEV.exe
4168	TEV.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3348	3688	msiexec.exe	91
PID 3688 wrote to memory of 3348	3688	msiexec.exe	91
PID 3688 wrote to memory of 3348	3688	msiexec.exe	91
PID 1556 wrote to memory of 3380	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	101
PID 1556 wrote to memory of 3380	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	101
PID 1556 wrote to memory of 3380	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	101
PID 3688 wrote to memory of 656	3688	msiexec.exe	114
PID 3688 wrote to memory of 656	3688	msiexec.exe	114
PID 3688 wrote to memory of 1840	3688	msiexec.exe	116
PID 3688 wrote to memory of 1840	3688	msiexec.exe	116
PID 3688 wrote to memory of 1840	3688	msiexec.exe	116
PID 3688 wrote to memory of 4324	3688	msiexec.exe	119
PID 3688 wrote to memory of 4324	3688	msiexec.exe	119
PID 3688 wrote to memory of 4324	3688	msiexec.exe	119
PID 4324 wrote to memory of 2452	4324	MSI54D7.tmp	120
PID 4324 wrote to memory of 2452	4324	MSI54D7.tmp	120
PID 4324 wrote to memory of 2452	4324	MSI54D7.tmp	120
PID 2452 wrote to memory of 4168	2452	SRO_R.exe	121
PID 2452 wrote to memory of 4168	2452	SRO_R.exe	121
PID 2452 wrote to memory of 4168	2452	SRO_R.exe	121
PID 1556 wrote to memory of 4496	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	122
PID 1556 wrote to memory of 4496	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	122
PID 1556 wrote to memory of 4496	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	122
PID 1556 wrote to memory of 756	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	124
PID 1556 wrote to memory of 756	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	124
PID 1556 wrote to memory of 756	1556	2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe	124
PID 4496 wrote to memory of 3620	4496	cmd.exe	126
PID 4496 wrote to memory of 3620	4496	cmd.exe	126
PID 4496 wrote to memory of 3620	4496	cmd.exe	126
PID 756 wrote to memory of 224	756	cmd.exe	127
PID 756 wrote to memory of 224	756	cmd.exe	127
PID 756 wrote to memory of 224	756	cmd.exe	127
PID 4496 wrote to memory of 2844	4496	cmd.exe	128
PID 4496 wrote to memory of 2844	4496	cmd.exe	128
PID 4496 wrote to memory of 2844	4496	cmd.exe	128
PID 756 wrote to memory of 3800	756	cmd.exe	129
PID 756 wrote to memory of 3800	756	cmd.exe	129
PID 756 wrote to memory of 3800	756	cmd.exe	129
PID 4496 wrote to memory of 2452	4496	cmd.exe	130
PID 4496 wrote to memory of 2452	4496	cmd.exe	130
PID 4496 wrote to memory of 2452	4496	cmd.exe	130
PID 4496 wrote to memory of 3964	4496	cmd.exe	131
PID 4496 wrote to memory of 3964	4496	cmd.exe	131
PID 4496 wrote to memory of 3964	4496	cmd.exe	131
PID 756 wrote to memory of 4324	756	cmd.exe	132
PID 756 wrote to memory of 4324	756	cmd.exe	132
PID 756 wrote to memory of 4324	756	cmd.exe	132
PID 756 wrote to memory of 900	756	cmd.exe	133
PID 756 wrote to memory of 900	756	cmd.exe	133
PID 756 wrote to memory of 900	756	cmd.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3620	attrib.exe
224	attrib.exe
2844	attrib.exe
3800	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi" CLIENTPROCESSID="1556" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1556Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2025-02-13_488305a7b3190c2c0fc6166a532b98d5_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\Silkroad 3Job\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silkroad 3Job"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE612B.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3620
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE612B.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE612B.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE617A.tmp.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:224
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE617A.tmp.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE617A.tmp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C88E5F303F6A3F215269EB0BA2867147 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1978079F47E4E2E60D05CDD1C9D7BBCA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Windows\Installer\MSI54D7.tmp
  "C:\Windows\Installer\MSI54D7.tmp" "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe
    "C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\ProgramData\CFQPBU\TEV.exe
      "C:\ProgramData\CFQPBU\TEV.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4168

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0NFRTk2RTctRERFNi00NUJGLTlCRDEtMEQwRkQyM0FBMTQ4fSIgdXNlcmlkPSJ7MUUzRkNDRUUtRTU3RC00NTQyLUI2RTQtNTAwNEQxMTRGNkJDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjAxRTYxRTQtMkM2MC00OTkyLTg4QjYtNkY0MEU0NDEzNEM5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTg4MDI2Mzg0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584bbb.rbs

Filesize
9KB

MD5
638a613e7a00376aa02a4bb09a707064

SHA1
c9a1990de3799840ef7fbfe7147c3a4a37cc051b

SHA256
41df1c5cb1bcba42f9780172b35a3983c83d7615987c34778768ecb6dafc0986

SHA512
feeb9f21e281df0c63e8801c01c15db3f59ee87b29a0c6015deda3ebcd58e68aff099ea690bb7f3dbad03aee6c46dc95b92a609f756a46e753928bc4b3bbc577

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\SRO_R.exe

Filesize
2.3MB

MD5
38bbc879ab82720283d9a27b3ca72490

SHA1
28ed426f5462b1eaf3dec3c50000dc47d03b5549

SHA256
546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

SHA512
1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

Download Submit
C:\Program Files\Net2e\Silkroad 3Job\silkroad.exe

Filesize
760KB

MD5
89b479f1a3b42728542c322cc4891753

SHA1
7e4e99bf85be7f0700935239484267ddbd68c8d5

SHA256
33bd217912cfe5cdf585a785b0b93f83b51419f5ddc954cb95b0a40e6dcaae73

SHA512
2e4c141a45b4a1cc490b22e5f1415a7bda1dabda5843dce5a0b7e2d3b91877d300f4f86f265d6f77103be6bec12dc4ee6ba4ac8905e55c382ec474f43ffb4b83

Download Submit
C:\ProgramData\CFQPBU\TEV.00

Filesize
2KB

MD5
869c7988a9fae9365caeeabcda0e7f1a

SHA1
13bd3b73b6368ce425a8fb5673aaabe7d23325c1

SHA256
5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

SHA512
8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

Download Submit
C:\ProgramData\CFQPBU\TEV.01

Filesize
79KB

MD5
582bfe4bf9de1077982664ad8ce0754a

SHA1
465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

SHA256
ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

SHA512
40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

Download Submit
C:\ProgramData\CFQPBU\TEV.exe

Filesize
2.6MB

MD5
bbf69aeaed386c67d946b1cb197abcac

SHA1
c291c37b677c0784ead38e57ee22d704b2196730

SHA256
8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

SHA512
4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

Download Submit
C:\ProgramData\THF\TEV.004

Filesize
935B

MD5
97d5753703fe9271df547d76f4fc78d4

SHA1
7e073ed27516c6c68cfffe3c25e37618f3def8b0

SHA256
a10aab1e0da49fc5c66cd0d0c1ac045751b8efe4a8244e37c75f52b0cbaf5a33

SHA512
70c30ce325d584e8ee9513e323a25bccf4d9dc0a6a16b217a95f767f69a60a451ad1fc862f24e949977aec66616d202f0743328bec74be10d96a742f30a66cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1556\background.jpg

Filesize
207KB

MD5
019a43c583d1b218b1d21a2b3cdfc5e3

SHA1
630c669316b7d3f926270dbe88649e36df879d81

SHA256
8c1e8e951b986cb33ba7e0653610599e9cde64b5a006e02bc76274b188bb1406

SHA512
276de722cfad59252dc096ba51d46b5f7edd4407a73cf9bd7978cc95d2ed08b71c5f7517ef65b3bb0a5dae984c470567a64149149b47d0036a4821bbad4b9b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1556\collecting.jpg

Filesize
1KB

MD5
9a740549bd117bc16f6acb8d884604d2

SHA1
da20e48acde3a7097f8335541de40fe94c600e0a

SHA256
0daed44a8e14750614afda54781621d400fed0d2ecee9a4a402f5964d3cd3f5a

SHA512
3da47437f97e28b4f7fbb0abff44a4811b96d8511ac736dabd24b598a98b274a2e8fb9c9475a08de3478cd41683ba60db771ce409e2aba2799f866ec813a3e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1556\finalizing.jpg

Filesize
1KB

MD5
02f6bbe060f32e49e3caf2de8e60ec7f

SHA1
4674875a4f264a947da6bf6f626b9bd50325d034

SHA256
20072ae2e122a6407dac4771544158d7bcecebf98404c22001b0e69f79c8580d

SHA512
daaadbf113af1af0315333089e8b6ff4891d1fe0fa95e5ecaeaf763da593bcb4a8e1a1a940f44a3a5b6e22a9296cab1fa56e4d533cd938f434b565d6323fb588

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1556\installing.jpg

Filesize
1KB

MD5
a98e2f7d5dc055ad4b4b6d92126d9190

SHA1
c2db85dcf7bf991e8bba0d39f952748dc98d41d6

SHA256
65751616edb29437b01cd352b8651835ca585942a78adaac589f9f8c16039470

SHA512
c10aa6fe00361ab2fd6d78496fd20cb2361f235563156d4c41ec6e2e86207c964cdc3b303b927fc64a3fe86d4f5930c0c775e8d0e213f0d63a79f22133128fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1556\preparing.jpg

Filesize
1KB

MD5
d20270537ae700b03b988fc7471c820e

SHA1
3b68b1be0a7d30df6ed8952c34794e90102b77df

SHA256
a8c29d7365a7ed4191b20d08be6274215f5f12be420e826852205c4f3755dbb4

SHA512
f8245bff51757d1d44f4da5dece49f6b96d704e72a2b6d2edfa517029a69eb410cdea3945a2c3c29a32e6e9e0cb1a0b0938c4f7d3711446ec963913b4e6a3780

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE612B.tmp.bat

Filesize
406B

MD5
5d99afae4dc12a2f179a3fd7d823a47e

SHA1
190ef0e31c0442f522821e4533124c73c01658b9

SHA256
8adaf7ae32661351108f0482d474167614e99edc3d8bfd12e84adbcb45a960a0

SHA512
3bfbe6486fb3d7e9fbdcc39bbcad01077e9812e6f8ba275625a47c7e06c902771f0e0057a384a8ac6b31dd0d0ef2c289bf3d6dc85040ce2c7e054fcf4c6d757c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXE617A.tmp.bat

Filesize
406B

MD5
21c25d3de111eeac9ae78ef411da4774

SHA1
12a0054c2092dea37c5efa1572b4627aeb15ba8a

SHA256
cd9a3d182025b4d7b5a28cf6dda6d15f45c6f150ecef94d3014dac959e0962c1

SHA512
4994b2402f9fb0130a6a0e8a4012960494262a8845cbd2a31857e558d7219b4a91e366a3d4cf1486fedaff923c2df18a9bdff90d40df8739341d8b6ac09cad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB72B.tmp

Filesize
91KB

MD5
f16f35078bfb36d801f8c500ba5c1a40

SHA1
3b97e9a8daf7e2d6a9e656edede87314ee142a89

SHA256
583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

SHA512
84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\ChayNhieuAcc_Sro3job_Net2e.x64.msi

Filesize
960KB

MD5
df279f36eded4286c34e3d410eedd815

SHA1
989a353712a825bd8e13fe6302b2ea14eada4dc0

SHA256
caea3de29051cb924d5476f29d151f62604b5018b0c40d659ceb1590408773e2

SHA512
d613af381d939b92bcde51bf99e7401708a65092f5e2f890d3da0da9051b5ccedcb3a892f49643f7b1de01a642edfc512c0dda492a8efd80b62e33d4f40e60d3

Download Submit
C:\Users\Admin\AppData\Roaming\Net2e\Silkroad 3Job 1.0.0\install\disk1.cab

Filesize
6.3MB

MD5
b37a918c25e558e722330f4d0d9f92fc

SHA1
1d82ccb28eee6591b2ba8e7cddc433dd365559cb

SHA256
9c661cfb943835dfd741a22a4178bd612759f3829be954eabcb254442b1ead54

SHA512
8f2d516ed64781484d1c8fc795fc7c905800dbd10cbe92adf7c4867c049c0c139027e5fc8dcd3fd386f46e7b9d33d6459fe941aa47c0b8404def4b8d9cdf882b

Download Submit
C:\Windows\Installer\MSI4EBA.tmp

Filesize
300KB

MD5
3953318d1e6d124b10805cc5919fe47e

SHA1
76dfb3240d7fd6b860d23a6d210d85adb17b7803

SHA256
0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

SHA512
8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

Download Submit
C:\Windows\Installer\MSI54D7.tmp

Filesize
14KB

MD5
aa154d2b96be7ab9f8f2588c07ba7669

SHA1
972e5f88b4408b13c88f4126106db6a495806b7f

SHA256
0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

SHA512
4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
ab4ec732c8ff510e5515352692c4b582

SHA1
59636e94e37a62e410f5ed821809c574a017e60a

SHA256
e68f393dd2f95d74611dd08e712bb07425f710266e21a4f7bb3f0ffcd2717d22

SHA512
2defeaff4f61da18c84f2a7961e2ef24b4a7aca8430dd874242758bc4bcff8a0c3162e24baa92887c927f56d059b645a731bb6b69f81b8336a973b0c3b7d8c0b

Download Submit
\??\Volume{ed101b83-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ca488b52-266f-449f-bbdb-d7df1850136b}_OnDiskSnapshotProp

Filesize
6KB

MD5
ccc627093b38e203b2d31e765500e804

SHA1
bd46b9c9cb1af6314adfc27b12ad7a38eb21de07

SHA256
c62358601069b47e8c77a3f9594be14cfdde69ce6cde7c0490dbf5487a8516a1

SHA512
98b7911b941c05a5c5bac5b0498099e042f840afb28d7af870117cb80899b1775c6ff2a30b56e493e5a9120f231c9e853b00a62b829d8d5af7515029b06a657b

Download Submit
memory/1556-0-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1556-188-0x0000000004CA0000-0x0000000004CB9000-memory.dmp

Filesize
100KB

Download
memory/1556-78-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3380-183-0x0000000003AF0000-0x0000000003B09000-memory.dmp

Filesize
100KB

Download
memory/4168-180-0x0000000002C50000-0x0000000002C69000-memory.dmp

Filesize
100KB

Download