ammyyadmin | 0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
12-08-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
Size

927KB
MD5

84176f70ad3712b0ad2aa449ba8c6341
SHA1

783cb3d63e6e1933db92853f148df8828a11e5a3
SHA256

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d
SHA512

dc8361f6c9ce7a3f23997137c54f75c906fc517bd34134e813ea1d5ec9191c16a1f2c8d233701b0d126927dfe669957723b63bf579b20e64b110ee425240cea4
SSDEEP

24576:zdcfbRjPxvNP63JaGIPszNvGfhdZ7psbX7TPYD9lDC:+P63JIPs4fFWbrMD9lO

Score

10^/10

ammyyadmin flawedammyy smokeloader backdoor bootkit persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000018dfb-1233.dat	family_ammyyadmin
behavioral1/files/0x0007000000018dfb-1235.dat	family_ammyyadmin
behavioral1/files/0x0007000000018dfb-1238.dat	family_ammyyadmin
behavioral1/files/0x0007000000018dfb-1239.dat	family_ammyyadmin
behavioral1/files/0x0007000000018dfb-1244.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Deletes itself 1 IoCs

Processes:

pid	Process
1292

Executes dropped EXE 2 IoCs

Processes:

svchost.exejgwccja

pid	Process
2476	svchost.exe
676	jgwccja

Loads dropped DLL 6 IoCs

Processes:

explorer.exerundll32.exe

pid	Process
2924	explorer.exe
2924	explorer.exe
1184	rundll32.exe
1184	rundll32.exe
1184	rundll32.exe
1184	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

svchost.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe

description	pid	Process	procid_target
PID 2812 set thread context of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe

pid	Process
2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
1960	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
1960	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
1292

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exeexplorer.exe

pid	Process
1960	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
2924	explorer.exe
2924	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exejgwccja

description	pid	Process
Token: SeDebugPrivilege	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
Token: SeDebugPrivilege	676	jgwccja

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid	Process
2476	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe

description	pid	Process	procid_target
PID 2812 wrote to memory of 980	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	30
PID 2812 wrote to memory of 980	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	30
PID 2812 wrote to memory of 980	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	30
PID 2812 wrote to memory of 980	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	30
PID 2812 wrote to memory of 1248	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	31
PID 2812 wrote to memory of 1248	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	31
PID 2812 wrote to memory of 1248	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	31
PID 2812 wrote to memory of 1248	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	31
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 2812 wrote to memory of 1960	2812	0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe	32
PID 1292 wrote to memory of 2660	1292		33
PID 1292 wrote to memory of 2660	1292		33
PID 1292 wrote to memory of 2660	1292		33
PID 1292 wrote to memory of 2660	1292		33
PID 1292 wrote to memory of 2660	1292		33
PID 1292 wrote to memory of 960	1292		34
PID 1292 wrote to memory of 960	1292		34
PID 1292 wrote to memory of 960	1292		34
PID 1292 wrote to memory of 960	1292		34
PID 1292 wrote to memory of 1748	1292		35
PID 1292 wrote to memory of 1748	1292		35
PID 1292 wrote to memory of 1748	1292		35
PID 1292 wrote to memory of 1748	1292		35
PID 1292 wrote to memory of 1748	1292		35
PID 1292 wrote to memory of 2100	1292		36
PID 1292 wrote to memory of 2100	1292		36
PID 1292 wrote to memory of 2100	1292		36
PID 1292 wrote to memory of 2100	1292		36
PID 1292 wrote to memory of 2100	1292		36
PID 1292 wrote to memory of 1580	1292		37
PID 1292 wrote to memory of 1580	1292		37
PID 1292 wrote to memory of 1580	1292		37
PID 1292 wrote to memory of 1580	1292		37
PID 1292 wrote to memory of 1580	1292		37
PID 1292 wrote to memory of 1716	1292		38
PID 1292 wrote to memory of 1716	1292		38
PID 1292 wrote to memory of 1716	1292		38
PID 1292 wrote to memory of 1716	1292		38
PID 1292 wrote to memory of 2112	1292		39
PID 1292 wrote to memory of 2112	1292		39
PID 1292 wrote to memory of 2112	1292		39
PID 1292 wrote to memory of 2112	1292		39
PID 1292 wrote to memory of 2112	1292		39
PID 1292 wrote to memory of 2144	1292		40
PID 1292 wrote to memory of 2144	1292		40
PID 1292 wrote to memory of 2144	1292		40
PID 1292 wrote to memory of 2144	1292		40
PID 1292 wrote to memory of 2620	1292		41
PID 1292 wrote to memory of 2620	1292		41
PID 1292 wrote to memory of 2620	1292		41
PID 1292 wrote to memory of 2620	1292		41
PID 1292 wrote to memory of 2620	1292		41
PID 1292 wrote to memory of 1100	1292		42
PID 1292 wrote to memory of 1100	1292		42
PID 1292 wrote to memory of 1100	1292		42
PID 1292 wrote to memory of 1100	1292		42
PID 1292 wrote to memory of 2212	1292		43
PID 1292 wrote to memory of 2212	1292		43
PID 1292 wrote to memory of 2212	1292		43

C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
"C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  2⤵
  PID:980
- C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  2⤵
  PID:1248
- C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  C:\Users\Admin\AppData\Local\Temp\0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2660

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2620

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2924
- C:\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe -debug
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  PID:2476
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2164
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll",run
    3⤵
    - Loads dropped DLL
    PID:1184

C:\Windows\system32\taskeng.exe
taskeng.exe {89860BE1-52BF-4350-A3C7-A6C26F7D2DE6} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
1⤵
PID:1892
- C:\Users\Admin\AppData\Roaming\jgwccja
  C:\Users\Admin\AppData\Roaming\jgwccja
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f10946acafbab6f474c7093140ca6f3

SHA1
f924b99b829872332da661d9f5a98fb8d7472dd7

SHA256
e3f8770434f810c376cae6cba0affff967fb27c2bf18439144feda95f74157fc

SHA512
5ee9ab1b860fdb7dbce09e051c7c728c75b371c9e3b00771b66a0ae108d87350107b915646f00b90fcca62f5db6360516fee25275b62673dcbd02ee5211cca1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80A7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8117.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\jgwccja

Filesize
927KB

MD5
84176f70ad3712b0ad2aa449ba8c6341

SHA1
783cb3d63e6e1933db92853f148df8828a11e5a3

SHA256
0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d

SHA512
dc8361f6c9ce7a3f23997137c54f75c906fc517bd34134e813ea1d5ec9191c16a1f2c8d233701b0d126927dfe669957723b63bf579b20e64b110ee425240cea4

Download Submit
C:\Users\Admin\AppData\Roaming\jgwccja

Filesize
927KB

MD5
84176f70ad3712b0ad2aa449ba8c6341

SHA1
783cb3d63e6e1933db92853f148df8828a11e5a3

SHA256
0f79da23dc318670dcd4f8709d04826420b50bbdb080a2fff7573e11a875b22d

SHA512
dc8361f6c9ce7a3f23997137c54f75c906fc517bd34134e813ea1d5ec9191c16a1f2c8d233701b0d126927dfe669957723b63bf579b20e64b110ee425240cea4

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\71E5.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/676-1359-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/960-1179-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/960-1182-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/960-1181-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1100-1207-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/1100-1210-0x00000000000E0000-0x00000000000E9000-memory.dmp

Filesize
36KB

Download
memory/1292-1160-0x000007FEF6430000-0x000007FEF6573000-memory.dmp

Filesize
1.3MB

Download
memory/1292-1161-0x000007FEBFE60000-0x000007FEBFE6A000-memory.dmp

Filesize
40KB

Download
memory/1580-1191-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1580-1189-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1580-1209-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1580-1206-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1716-1192-0x0000000000070000-0x0000000000079000-memory.dmp

Filesize
36KB

Download
memory/1716-1193-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1716-1212-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1748-1184-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1748-1185-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/1748-1198-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1888-1221-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1888-1220-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1888-1245-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1960-1146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1960-1149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2100-1187-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2100-1203-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2100-1188-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/2112-1218-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2112-1196-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/2112-1197-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2144-1201-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2144-1223-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/2144-1200-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/2212-1213-0x00000000000E0000-0x00000000000E9000-memory.dmp

Filesize
36KB

Download
memory/2212-1215-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/2212-1241-0x00000000000E0000-0x00000000000E9000-memory.dmp

Filesize
36KB

Download
memory/2248-1248-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2248-1224-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/2248-1225-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2308-1227-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/2308-1228-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/2308-1252-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/2476-1249-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2476-1242-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2476-1243-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/2476-1246-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2476-1350-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/2620-1205-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2620-1204-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2660-1178-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2660-1165-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/2660-1163-0x00000000000F0000-0x0000000000165000-memory.dmp

Filesize
468KB

Download
memory/2812-105-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-93-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-1138-0x0000000002040000-0x000000000208C000-memory.dmp

Filesize
304KB

Download
memory/2812-1137-0x0000000001DB0000-0x0000000001DE4000-memory.dmp

Filesize
208KB

Download
memory/2812-1136-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2812-1135-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2812-1134-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-121-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-117-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-119-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-113-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-115-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-111-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-107-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-109-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-54-0x0000000000210000-0x00000000002FE000-memory.dmp

Filesize
952KB

Download
memory/2812-103-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-55-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-56-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2812-101-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-99-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-97-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-95-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-1147-0x0000000074B30000-0x000000007521E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-91-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-85-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-87-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-89-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-81-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-83-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-79-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-77-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-75-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-73-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-69-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-71-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-67-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-65-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-63-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-61-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-59-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2812-57-0x0000000004720000-0x00000000047DA000-memory.dmp

Filesize
744KB

Download
memory/2812-58-0x0000000004720000-0x00000000047D3000-memory.dmp

Filesize
716KB

Download
memory/2924-1349-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2924-1231-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2924-1230-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download