flawedammyy | bc483e6acdf276b57bb87317962c0091bb1421e61fa3306490b5858eabc61320

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v31.exe
Size

776KB
MD5

4d4c220362f24e0ba72797572e447795
SHA1

9f902124218892aa5d61594fe7a9d524a7e7cc08
SHA256

bc483e6acdf276b57bb87317962c0091bb1421e61fa3306490b5858eabc61320
SHA512

b4eb3a17efc6626c92446387fc41a1f0c616832a8ea9fe5532fb9869590b8b188c97404de6aba566fd25f126238fe6d45f874659bcc003d2092436142008b9ee
SSDEEP

24576:B3YRddOnSok4fx2j2z5kMNbsRtrxc130jvs:+RenlHx2j2zxlkpj0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Blocklisted process makes network request 1 IoCs

flow	pid	Process
14	2520	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	AA_v31.exe

Loads dropped DLL 4 IoCs

pid	Process
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01	AA_v31.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}\WpadDecisionReason = "1"	AA_v31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}\WpadNetworkName = "Network 3"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ea-c8-9f-e4-e3	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0109000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-ea-c8-9f-e4-e3\WpadDecision = "0"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}\WpadDecision = "0"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 90b417315f3a4532bbe71eae594eb112f8d872e847d5608566545eeb912c336739d8dc03bf2ce08ac6c61ff6ff24ccdfa8ecad5eb0c73311eb9d517380f5ab36900be4fc51a9c7e7bd66b7	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}\ae-ea-c8-9f-e4-e3	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{10A6AA4A-3CE4-41FB-96A7-F95861D1E77D}\WpadDecisionTime = e0caca73b32bdb01	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AA_v31.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	AA_v31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	AA_v31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2520	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	AA_v31.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2636	AA_v31.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2636	3060	AA_v31.exe	31
PID 3060 wrote to memory of 2636	3060	AA_v31.exe	31
PID 3060 wrote to memory of 2636	3060	AA_v31.exe	31
PID 3060 wrote to memory of 2636	3060	AA_v31.exe	31
PID 2636 wrote to memory of 2520	2636	AA_v31.exe	32
PID 2636 wrote to memory of 2520	2636	AA_v31.exe	32
PID 2636 wrote to memory of 2520	2636	AA_v31.exe	32
PID 2636 wrote to memory of 2520	2636	AA_v31.exe	32

C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v31.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2848

C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v31.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v31.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
4KB

MD5
6111315525aed943657e955b1904f506

SHA1
605dc02adfe8eaa13623f289aedb344d26d5681a

SHA256
7c53e14100c2eb6020dec257db26a2371b4ace42520946047484482233117343

SHA512
a01e20f929bdbbe52579020add2023fa2a98258e477a0f7c6aa5dd8f662cd3f7f639bcc79dfd3d228dd9a9497553309a38bdb6719512bc3acb6982e1e10a3f82

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
45B

MD5
8e9f5e53ed616f9a6b0e9cd63ddf213b

SHA1
d6a4591cc6ba8e7825cc8e46fc084d59871c72f3

SHA256
bf832bfa5968ca3ffde3343f5f665d031761fad828e72f5e774e0d50cfd52cbc

SHA512
91d834b30719902987ae060e700db0ded85ea6a84c26b57ba81660c7b262771b664f7ef227782f57a9d0fb23f41a832a9a66f4291db197239e34b2d3217a78cc

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
318B

MD5
2b78fbedf64da79335b653dbaff8e0cc

SHA1
88452575315a3124204974bc2b814b675cf8aed9

SHA256
9e5ee2a16ea006220f675a2c3aa215296a1ed6a044dbd6839b20a81f7e915311

SHA512
311bd30acc883e0898fa4c26a5c22e9a9ce0ca1c15d03a97f4b82c04671ec36cc2d8fda7e86aecb3080abda064e9749d5af58ed8926237ba2ee74c7e7170dab3

Download Submit
memory/2520-59-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-42-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-27-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-21-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-76-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-93-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-110-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-127-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2520-143-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download