hxxps://drive[.]google[.]com/file/d/1OMsGJz3gJBP53Lpf6El5GX1krZ8NQ4Qf/view?usp=drive_link

Analysis

max time kernel
191s
max time network
195s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1OMsGJz3gJBP53Lpf6El5GX1krZ8NQ4Qf/view?usp=drive_link

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3836	setup.exe
2316	ca2_ace_certd.exe
5092	loader.exe
3144	loader.exe
3904	loader.exe
4924	loader.exe

Loads dropped DLL 12 IoCs

pid	Process
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
3836	setup.exe
2316	ca2_ace_certd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CA2Ace_Token = "C:\\Program Files (x86)\\Nacencomm\\CA2 Ace Token Manager\\ca2_ace_certd.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zE82A59C2D\autorun.inf	7zFM.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\7zE82A59C2D\autorun.inf	7zFM.exe
File opened for modification	C:\Users\Admin\Desktop\autorun.inf	Winword.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\ca2_ace_csp11.sig	setup.exe
File created	C:\Windows\system32\ca2_ace_csp11_s.dll	setup.exe
File created	C:\Windows\system32\ca2_ace_csp11.dll	setup.exe
File created	C:\Windows\SysWOW64\ca2_ace_csp11.sig	setup.exe
File created	C:\Windows\SysWOW64\ca2_ace_csp11_s.dll	setup.exe
File created	C:\Windows\SysWOW64\ca2_ace_csp11.dll	setup.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA2.cer	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_mgr.exe	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace.cer	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA21.reg	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\MIC National Root.cer	setup.exe
File opened for modification	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA22.reg	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\lang\ca2_ace_csp_1033.lng	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_certd.exe	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA22.reg	setup.exe
File opened for modification	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA21.reg	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\lang\ca2_ace_mgr_1033.lng	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\uninst.exe	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_cfg.ini	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\lang\ca2_ace_certd_1033.lng	setup.exe
File created	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\lang\ca2_ace_updater_1033.lng	setup.exe
File opened for modification	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA2.cer	setup.exe
File opened for modification	C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\MIC National Root.cer	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca2_ace_certd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133739855472209309"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bộ cài Token CA2 ACE V3 Đỏ xanh.rar:Zone.Identifier	chrome.exe

Runs .reg file with regedit 2 IoCs

pid	Process
916	regedit.exe
4820	regedit.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3940	Winword.exe
3940	Winword.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1928	chrome.exe
1928	chrome.exe
3836	setup.exe
3836	setup.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2600	7zFM.exe
3080	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe
Token: SeShutdownPrivilege	1928	chrome.exe
Token: SeCreatePagefilePrivilege	1928	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
2600	7zFM.exe
2600	7zFM.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
1928	chrome.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
3836	setup.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe
2316	ca2_ace_certd.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3080	OpenWith.exe
3940	Winword.exe
3940	Winword.exe
3940	Winword.exe
3940	Winword.exe
3940	Winword.exe
3940	Winword.exe
3940	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3232	1928	chrome.exe	79
PID 1928 wrote to memory of 3232	1928	chrome.exe	79
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 4880	1928	chrome.exe	81
PID 1928 wrote to memory of 3016	1928	chrome.exe	82
PID 1928 wrote to memory of 3016	1928	chrome.exe	82
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83
PID 1928 wrote to memory of 2056	1928	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1OMsGJz3gJBP53Lpf6El5GX1krZ8NQ4Qf/view?usp=drive_link
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2a5dcc40,0x7ffc2a5dcc4c,0x7ffc2a5dcc58
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2068,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4560,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3648,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5176,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=988,i,14845259403056863666,7882421150763571459,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2820

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bộ cài Token CA2 ACE V3 Đỏ xanh.rar"
1⤵
- Drops autorun.inf file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3836
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA21.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:916
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA22.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4820
- C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_certd.exe
  "C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_certd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -s SCardSvr
1⤵
PID:1740

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3904

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3080
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\autorun.inf"
  2⤵
  - Drops autorun.inf file
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA21.reg

Filesize
7KB

MD5
6b4b4e91aaeb770d74b8d3ab04c9f93b

SHA1
6b1185bbd75daa994a06e25f871624ae9f136f40

SHA256
197fa55f77becc1ec51a7f745c3929bd11b75a9fc2b84758ee60049a56bab468

SHA512
57185991514e3741ec00284010ef133aa3a6f68b30379017fa42344e0e8473c55f8a73e22b93a746426f503c599d94fcae7d81eaaa7289bf68af08dcc543daa0

Download Submit
C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\CA22.reg

Filesize
8KB

MD5
fe69625930d9c3125c482e93ac296fad

SHA1
c1065596e874ee2bfdfb4d35aed17056c54d1274

SHA256
d59393db75b401cb0e4eea9e2686ab394e01a185f81c3c8a45b7e01abb0107b6

SHA512
57714ca1651f972cd88f326e17f7bf461536f17aae93a6425c605b966bc27ba6f13f03d4a9485f2e611a4ea3309411dd614ec573b4678a4d8c99958c85a554b0

Download Submit
C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_certd.exe

Filesize
1005KB

MD5
b1a2f690f0f9c5f0614e9914ec46e2eb

SHA1
beabc6cb7650340632d7e4df65a9ad81601583a1

SHA256
be8bb333323e6f74fe3dd79c4a4830fe355d8694fc0313834bc3038d9f89766c

SHA512
6be58d81ddf7e2fb9fc12df4addb4d455ef4cc547cfd2aaecde6dcc20167b6a5ef1dbc35ba4a01b0946b70f1d6578625b70e5fcd6ffcdbc39ff940111784f99b

Download Submit
C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\ca2_ace_cfg.ini

Filesize
272B

MD5
acfc5ed0f45299ee5357a1e7a6fcdac2

SHA1
e7197d991884e7675ddcb1c9fef3791c094dffc2

SHA256
dd992e0687702564748784f1e266f9283f7bb10188630385236944f060818b49

SHA512
11b936c305378289a18299c405dff1ead57b4f984dfcd1736772775aae450ec7259aeb8ec520f6424418718e8d244293a00452c84603360982d90016fb554cdf

Download Submit
C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\lang\ca2_ace_certd_1033.lng

Filesize
7KB

MD5
590017c865fa069dfd426f8089037f2b

SHA1
ff5831f0492653756c6e478637f0d1b17107a9a6

SHA256
6986c0e22a5e08450aab132f7c3e8fdd4501ccab5c7b7e0440e7e4d569b6a270

SHA512
f1c1bba29ed89d6ad6e7ad0c7b9e5309d5c0322627958e89f332440cb903484003268c6610d1eb9581c8f4417052250a3a397675982d4b8eebfca1ec4e1ebb7c

Download Submit
C:\Program Files (x86)\Nacencomm\CA2 Ace Token Manager\uninst.exe

Filesize
145KB

MD5
9847e1aa2f4ae94a46f0fa91b0299262

SHA1
0ef3730d99d991027d5569f0fbc2fd5a250a3df3

SHA256
b928ff3d2fba1e1aa1dcedadd0847c2762861786bdc94a6b773e717fd09ed12a

SHA512
bf2b5e1af2c858deed192b4b15ad00dd97ef1d49697bd943ee7bb5e40f616bf9dd8c1710624f2863c2e1699990351e3f2af89259b6ac66f37cd3483036a16467

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9990beca-b7bf-4612-ad76-0128ca19c0b6.tmp

Filesize
10KB

MD5
d3c9778a1e732251ee1d285b20bbf4c3

SHA1
a420df119b8b747e7ca313c1e3d4d593104e1bc3

SHA256
652d15b1578a31f7cfe7992f01d571df414f27e476afce9ae92f00c9920a1673

SHA512
d888b3396e4f5842e742a81e33562d1e5edbfb9e7ddb7ea73561e790470032ba1331c2a08ae9a041ddb9dd7f724492dd48df7d40ead8b5df9f758c3140644ff2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4eed46187c0f76b6fc333bca8e60cd85

SHA1
62b1e472b14c57623be9771da9412c2b8d03c780

SHA256
0d42a8b18ac37aae727e43fe3a426a530788a38bc71c71ba56de4008eecef4e5

SHA512
c821b2008485d6ad72547f5b38402d248eb3d3b3c48c952713d3606c1be1ed47bcc8468727b89a4ba790e72a995590d93135c6f5435b28365567f09d5da15b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
13c24a7a8bdce401fe84e550865c377b

SHA1
2736e67b80beb78700f56afc62cc0723ea3bd398

SHA256
4927b8e5ccbd3145523cd597ef87ba620f8c71efe52ca59227fef2282167baf0

SHA512
13bef331af5e2feb476b9924b0a6b1b26d7f258a217a98626f37ec8d85dfc94e487dbacb4cab27347a3be8785cbbba832819159d14f5c9e46a4de0123e9611a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
7fb0f30f70d927db212afa95c7fd555b

SHA1
278806f5deb271a3338f25f02c0bc852ba447450

SHA256
41ece1f5273acfd469c58e54cedb1f32726d872304c2579650f997ad7bb18414

SHA512
bcafe1fb88f05a58b8443ce267794d7dd9619d2839efebf070dc16427315dcd75c5aeda31794d07f6d6b45658b5d4c72c79ab9b40785c1bd43ee6ffa588e530f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c37133de3d62472558ed9336ef15c193

SHA1
a28f85f7d9a4a0678d774343a60621296311664c

SHA256
cf2cc9496701e16a1bbe57c2252ad20e061b03d2d806fd49ed50ea611acd5410

SHA512
c71a0ed698098e38bd62918847698c2749db1ac30ad0b1e599823b2069943bf5fd36ac259b76e37f38920f1b06becdca222c95cf6f103e1632896b7747301ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f8a47b5b46a504d7552ec11c8dec2d9

SHA1
e5162468240e88bd00e3ab8bbcb14f9ed8ca301d

SHA256
091f87e2789e5dceee7124c201c28eba39ee2e04a4167e49b42b8bbe74832971

SHA512
4f6f607a2e9e195e2d41d4246c7166f9fd3e3c3420b2a90b91d7622421c57e8826b545c6ec31f0c173c68cc60ba4f0f872ab9576a4ba4cd01d225969655131e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
69d4c5d0d4ee661993082c8ad211d467

SHA1
0c970641c747d70f9d5124a6c1a0df81492ee39d

SHA256
3d9584dc3bc71e67402f3ed8b5a6170b6c99746ae95105963085be6c6678dd72

SHA512
1435d0ce61efea4fe5f797a35a50570903f1a6404b03897975a4a3b895e44e95a684e3dc12a3a8ccc5ec1a5722ea2d9fa5ff32d48a0ea5b03e35575b0be0a528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f9c499f74498904e1cbe529fba0d963

SHA1
095358171a6b51f791ceb6a5fbf09f6714db6eca

SHA256
b86ab6b4121bc07a37a0cde1a28eb826fbf6180aeed2451e439f33ec0d5794a0

SHA512
f50fac5d7c736c52ba5132ed3b11cee95053afcacda32c6a34e84a8300a5066fa8dadefd969d41f41df148ed6a55e7094dec770af10a8552052a80eb0c325d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
130e4f9754ac28d5b4a53288df58c1e3

SHA1
14c6ddad451eac9e0627c3e72b251d6d1af41428

SHA256
939bc0ca298cf6d31581795b235edd96a4d96f2ec8f2dd3a2a01bc2942345eea

SHA512
94513ee89dbcfe9aac38371a5bee53e558a1847362df74d4ce974a248f5f75c454814059bed10cc57437606061141766f5ec33739e8ebdb4d2285d918ea7f0c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ffd3ad1e8a406d3f0a0b31abce5d7cd2

SHA1
c8b89ecd52dc4db69ed94ea76ce3d3061806b077

SHA256
244e64c22e08912bc0cddd606798d65ba51f0c149dc0f58eac352280d5262911

SHA512
5350ce0d1aaf96e5ac7e99cd6e3387c36accfbf811a079f1764661220a48e6e53788ffab014d01701beb0770d996b7f0a64fd67363c7e79ad0ec194542d31ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0a817c678732c9323f1837d0a409b19c

SHA1
d438c9bd525fe3936ba961a2d86d4c3ebe54613a

SHA256
6839ded907999052cfc9404280f1d15156eeba2fc20c5c86d1fe3f1804120ed2

SHA512
fa58869f84b844a53fa918ea7f02ee094c1717d4025630a2eb484e32ea86062fee6f988d9ec36055d94fe1a5f749f504ec76598f1a2b4685a9e3dd6a2b8c353a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b8e10835e818f99833fd1ed2a65d348

SHA1
cb52e7f8b46c5f3ca24cd939afc9f9f16d08a468

SHA256
0b2e5e3865bd1e33d3ceb05936875206ce8cc2abdc91fa7fa2d736e58abd1eb1

SHA512
20a0f2961f901dfd85c7749aa80479ab062cf11a8f02fb34a547cc7a55ca31e4d4886247ab4afedd30e664af23607dc480eed9093475532ac54fabbbdf973761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fce2ce9fdd8f5ca48ec09297c6aafbe5

SHA1
16229acf6dfc9bbbd352aab6ca518bc0ccc1cb90

SHA256
2d0b12634a5ad01b770d9b463fe050c680c4b31b62c7f769e7694b4213c69067

SHA512
0c1fa4a686fc0363e96209393b38e88c6a74e060ebd0ab18627425620be0922331d733e7ac3825c3ca5c3f9d60d5fa773b2da76ca77284a0110ed6b24743ea67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d89b9e467264a206b52f6df52dac88bf

SHA1
a268256286f1285bd7b39b72e0bb825dd706398e

SHA256
2c743e966f70c917d682f20fca49efd63cff6a890839bcf00685b82f2663e651

SHA512
3e7656f5ec4ac74756e6e15b9cb456c3728fae0384ed189d437c31969fd660843d16c1f37caaa3e750ce6c46b512453935be8028c4411088453523ebb7e0095c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9fe2806442f490fa126c6861b2ab8e46

SHA1
fd3602c6509a18a484204c93e430b842f86e6e88

SHA256
30ee0811d65b9a3da3c6a3dc8abf7d8283ae4006ca1b04abef18f95f8528e212

SHA512
7087e30e67921c7f96281443a274e1fbeefec227aa9f907cd03eb4d3df6416f2271c11d9ae634f3c00635b5aaf0c21d984e94ca04e6b8dbe2e18b52a365895ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e84d3c340a871b60948d590f5af99628

SHA1
5e81d44713856b273b0a718786f0f594358d6c5c

SHA256
618399f036fbd80291d47e8e9b9e20abb821233fa61f93a8e623d42336629436

SHA512
2a3197d95a39256cf5d4dfbd9ced8cde6f1bd757ffeee21583b5526eeb4406117903cb60d8137fe06cd8ea5bf70d4f745de59aa3fdb9414f371160ed768f0415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
766755dec74f343d4ed03addd2408ef9

SHA1
0846ab60496ba2965bcf987fef05acb9c22dd37c

SHA256
b94601e2a49d65b064a06c69fbe1a5b6e680db3408260b319d50e2e5c6f81288

SHA512
055fcdad28ad36e2c5e3c5eb58ece2da1815a61ada17abc47364f064a719b576001df18a0a2a77a54aa630f70aabb0b444e53cc0dfb8d20427c33b5d4420db57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3ca4ccd45cb381f86da71498f3382f15

SHA1
b677a6e07134ec2b8a3c79c33bb004c4de3640ce

SHA256
8b9192870febb2851a3bfc195d0e44b0392b55b35f94c0b14374da5a8f7d5326

SHA512
213c3989626cfcd8931a478fe41c1a5bf356e66e314b9c0624125085c2b24fd843518e6d20331d8117449f6e2b85bf4377a479a2d4fefff9159e9a0b2c72706f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a7f6bc65b04201aa6fc2289dec093101

SHA1
31fe0bdbcbdc14f2f5817b6210586ff1f4150439

SHA256
ad51bb1f44d60c8920f780277faa227a5beed5aa2e475b296175ae17ad29d676

SHA512
3721c3f20ecd2487a8c2656c1c70f8dde8f1b205d8b022c3aa21076b81a98cdad1f2c61b804ece430079769222bb273dbd144ede82cc81eb45f903459d568691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
8d7d07757d09aa5b547823e536833f43

SHA1
2bb2d29600d5ce343cad8745e04ad4dba2709370

SHA256
ec816c0c71e862ec8c84ba6fdb5d1ba2f794ebf89f997f1d900d10fa7899e427

SHA512
a1d78e58e9fd00717f1e3785351347908c6c744b169b1282bb64538110904b3491d7a60713d06127fd87cacf98d3bd18f4c06812b897742e15f2b0e374d962bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7A13.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\InstallOptions.dll

Filesize
15KB

MD5
67d8f4d5acdb722e9cb7a99570b3ded1

SHA1
f4a729ba77332325ea4dbdeea98b579f501fd26f

SHA256
fa8de036b1d9bb06be383a82041966c73473fc8382d041fb5c1758f991afeae7

SHA512
03999cc26a76b0de6f7e4e8a45137ee4d9c250366ac5a458110f00f7962158311eea5f22d3ee4f32f85aa6969eb143bdb8f03ca989568764ed2bc488c89b4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\LangDLL.dll

Filesize
5KB

MD5
410a586735f45164c86bda363ad8446f

SHA1
a68d18a8c72ffaa8f8d9ed9f76ea9b0ed397821b

SHA256
b15b1fc88d1b56088b2d3738d76772a91fa186a316a3e0a154358820d0fb9005

SHA512
d12083f67df132b2be57c202601a0cf82dba4c234910e780d2723aac14ae68407b824405b04737b55104bc97750550a3271a944d647661b067ce134075e6cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\UserInfo.dll

Filesize
4KB

MD5
d16e06c5de8fb8213a0464568ed9852f

SHA1
d063690dc0d2c824f714acb5c4bcede3aa193f03

SHA256
728472ba312ae8af7f30d758ab473e0772477a68fcd1d2d547dafe6d8800d531

SHA512
60502bb65d91a1a895f38bd0f070738152af58ffa4ac80bac3954aa8aad9fda9666e773988cbd00ce4741d2454bf5f2e0474ce8ea18cfe863ec4c36d09d1e27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
5ba44c167cdc8e2c89057d832e05e9bf

SHA1
23727b4c1270f9c843505dca9ba390d67c467aaf

SHA256
e7e04219dfd078120f012c48bed468ee3cb6dee012960b40b38059d11eaa5f8b

SHA512
867f1bf7c0ba38697786a2927d9f6628785aad3bc374e9ef444b1766744dcd1e5a651c410a8531f4719dc7d4cfa339b26b96bb5ba40bdd982e7eeed92f008a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
bf5bf9f683fde1fe9aaafb8e0a52341a

SHA1
f639aa2f5f8f2dff8be30d6d5205b71da324f1f6

SHA256
15aa61c18ab684e24095b9c86812930dea1395845cc482a85931d62a3ea35bbb

SHA512
8c3884c1205f41c5be170fcc7e33f4e8e2d4fbc109964c1a7266b6a1e156f51c999844f31e26b080becedb6ad3fec95779c877dffc120ab2a3e0a6aea1531b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
1b02543e419f48abb110bf12c7f1d0ac

SHA1
a9279557706e3bd17e53334f5c6a81014e6ea554

SHA256
012fe8e7c478e6f73050822f2bdc8d7d330be5d759aaba60b6c7bc93c7a60040

SHA512
521b8218ec2dd26ecbea72fd10d97a84694b9b20098060de0331b3d43e56d49eb2fcdc0c976180cc446f1d6e38d7ebb98373d3db37c6d28520fd809cb1d3300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz2BE7.tmp\ioSpecial.ini

Filesize
1KB

MD5
5c9bdd7a25c08539877967e1f83d1dcf

SHA1
2fa5064dd7ac6865f31270192457238b58d62bb5

SHA256
e00c8683d764070d46ead44e21a23c8ecb77a12238116ac0cc894226bfd1bf24

SHA512
264d97700eded3dba56e1e565af02edc7763694c911c60d65a51606315162082bb6a8eed79c7c8ec8f48760051bb669c4337d33a378f63e809e92f589dfeaace

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
57B

MD5
38025103f48a71805887f8c88b6da16a

SHA1
7911a636ef5215e0c36571c4f96e2d9ce28e5cd4

SHA256
388bedf88a0a2a02b740e7df0b6ba3f7683940c801302bf3cd854adb1e33dfdb

SHA512
244b8d6684ec9405feb06b2f71f298597f70309f5f5e463ae9f666b5b3c9ee4a3f1f68689c892e4f0c1ee7695d1cdc8e4daf8f88b780f2c1a7dd77bd5f952de5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\autorun.inf

Filesize
121B

MD5
441729a593e374476fdf985821253972

SHA1
a4d1029d453d9d1933b8053a23d50ce7e8ff2c19

SHA256
f348c9a7875ccda1636400db4c3b5ca04833190b472753bcd4f9d9d677cce3ba

SHA512
4efa260b5cb43510f3865bcee675f6784281b55caaead2cd56b6c4d52b0b49e9d2d68b048f4075e5a68a0844d04260f4d6c4e96490a67a23c598d04daf8e19b0

Download Submit
C:\Users\Admin\Desktop\loader.exe

Filesize
83KB

MD5
d04bff7e333962b28a16e0d048e6445c

SHA1
37ad8009fc4232fa3fd2eec6095fab32e9158321

SHA256
55d1cb3a8e6cbaf866f015e37c6f9b24c552e31d3e50ced9e96dbf2601c5303c

SHA512
2d2bf94edca21458150356c142f5e22cf855d1af1c794fc7e8c86329b948a3801edc51d29b604c9e03d37444ec53390697dca1f4ca4cac8490f9996f19b0211f

Download Submit
C:\Users\Admin\Desktop\setup.exe

Filesize
1.9MB

MD5
165b56552b2a3c5fe998b527a23f67f7

SHA1
c224797b47d3b746f5000049578bcd73aaccb45d

SHA256
da556608a54fd43568cd8cd871a5c369b67145a2a18ac0efef70223ccd3f17c6

SHA512
540babdfa22a9ca7677b9c3c812aa74c5f7e68fbac18c26a27a99977eea9e8f24bf6deb632857c1a8e78a67153b1bcdd630a12071960eebd914e66ba6b301fce

Download Submit
C:\Users\Admin\Downloads\Bộ cài Token CA2 ACE V3 Đỏ xanh.rar.crdownload

Filesize
1.9MB

MD5
7076f2f1ccbb963a92b5546d61ef44b6

SHA1
aca4fd7d760de738b29edad20bfbe38424cc70fd

SHA256
b522854bf34fe5327cd1471e61766c55dbe61e339003baf6d858de797fe0d28f

SHA512
8ab18a6f0080af07994e81b8f267be582922e791c402eb90c0a3cde288adfe25172fb0b303a340020245947a46ec86f9744ea65f2d931414e5a20601846a542c

Download Submit
C:\Users\Admin\Downloads\Bộ cài Token CA2 ACE V3 Đỏ xanh.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\ca2_ace_csp11.dll

Filesize
862KB

MD5
230d483d87fc99790d503af0df020012

SHA1
c5010acff039b447c23c086d11ab8e2d8dde0e9a

SHA256
468ce35dd5f8401ed00a7501c672a353d4edb446d4a3fe4db92d395e3c298f52

SHA512
3dc02bdc62f492fa0b971fc3e953e0204dede2e9c60f4951680572ece38fbbcb297dfe12f16d865139349ac14ce3c8074cf7707fd7b6c1c830a555148c9001dc

Download Submit
memory/2316-443-0x000000005F000000-0x000000005F011000-memory.dmp

Filesize
68KB

Download
memory/3836-322-0x00000000052D0000-0x00000000053AF000-memory.dmp

Filesize
892KB

Download
memory/3940-489-0x00007FFC0AF10000-0x00007FFC0AF20000-memory.dmp

Filesize
64KB

Download
memory/3940-491-0x00007FFC0AF10000-0x00007FFC0AF20000-memory.dmp

Filesize
64KB

Download
memory/3940-492-0x00007FFC0AF10000-0x00007FFC0AF20000-memory.dmp

Filesize
64KB

Download
memory/3940-490-0x00007FFC0AF10000-0x00007FFC0AF20000-memory.dmp

Filesize
64KB

Download
memory/3940-488-0x00007FFC0AF10000-0x00007FFC0AF20000-memory.dmp

Filesize
64KB

Download
memory/3940-493-0x00007FFC084E0000-0x00007FFC084F0000-memory.dmp

Filesize
64KB

Download
memory/3940-494-0x00007FFC084E0000-0x00007FFC084F0000-memory.dmp

Filesize
64KB

Download