Analysis Overview
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Threat Level: Known bad
The file AA_v3.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
FlawedAmmyy RAT
Ammyyadmin family
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-19 19:34
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-19 19:34
Reported
2023-10-19 19:40
Platform
win10v2004-20230915-en
Max time kernel
317s
Max time network
324s
Command Line
Signatures
FlawedAmmyy RAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5037AC1E573F140500110A0B67548B5E | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5037AC1E573F140500110A0B67548B5E | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 37bde28ad01c2d361bc9418cf80543fd547f9ed1b14d25368d2ddb6610af3f315686f678f138b71b2d6c579f5788e8e97df4d94b80d77e6ae4a4515382aae4755a933549 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" /nowindow
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" /nowindow
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | 118.18.243.136.in-addr.arpa | udp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.101.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| DE | 85.10.193.215:80 | | tcp |
| US | 8.8.8.8:53 | 215.193.10.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
C:\ProgramData\AMMYY\aa_nts.dll
C:\ProgramData\AMMYY\aa_nts.msg
C:\ProgramData\AMMYY\aa_nts.log
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rh5w0e10.a2j.ps1
C:\ProgramData\AMMYY\aa_nts.ret
C:\Users\Admin\AppData\Local\Temp\AA_v3.log