metasploit | 0a11849292307d1833c857ca39eb21deb2af5aa1d1a0228e8bd6797b46c6cb47

Analysis

max time kernel
135s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Size

2.0MB
MD5

e1f12fc65552ebcd26542e8bf3f985b8
SHA1

eee4e3f34247e50a8dacce6e15ca605983abdfc0
SHA256

0a11849292307d1833c857ca39eb21deb2af5aa1d1a0228e8bd6797b46c6cb47
SHA512

a84cc25c036fc7cb24696862cf3e5259c58b2e211fc8f1b580c808be4cd2c58938cc737b43b49cf588928b319447fe44c1ab39b4f4973c499f830f49bdab321f
SSDEEP

49152:t/7sIyhWajeDefr8VlaQnBllYb20+1k+1cAzS+vc:t/KWacVYQBllYW

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

192.168.222.129:1734

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Amazon Games UI.exeAmazon Games Services.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Amazon Games UI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	Amazon Games Services.exe

Executes dropped EXE 5 IoCs

Processes:

Amazon Games.exeAmazon Games Services.exeAmazon Games UI.exeAmazon Games UI.exeAmazon Games UI.exe

pid process

2016 Amazon Games.exe
2176 Amazon Games Services.exe
1648 Amazon Games UI.exe
2744 Amazon Games UI.exe
2920 Amazon Games UI.exe

Loads dropped DLL 64 IoCs

Processes:

2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exeAmazon Games.exeAmazon Games Services.exeAmazon Games UI.exe

pid	process
2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
2016	Amazon Games.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2016	Amazon Games.exe
2176	Amazon Games Services.exe
1648	Amazon Games UI.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe
2176	Amazon Games Services.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Amazon Games.exeAmazon Games Services.exeAmazon Games UI.exe

pid	process
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2016	Amazon Games.exe
2176	Amazon Games Services.exe
2920	Amazon Games UI.exe
2176	Amazon Games Services.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Amazon Games Services.exe

description pid process

Token: SeDebugPrivilege 2176 Amazon Games Services.exe

description	pid	process
Token: SeDebugPrivilege	2176	Amazon Games Services.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exeAmazon Games.exeAmazon Games UI.exe

description	pid	process	target process
PID 2808 wrote to memory of 2016	2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe	Amazon Games.exe
PID 2808 wrote to memory of 2016	2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe	Amazon Games.exe
PID 2808 wrote to memory of 2016	2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe	Amazon Games.exe
PID 2808 wrote to memory of 2016	2808	2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe	Amazon Games.exe
PID 2016 wrote to memory of 2176	2016	Amazon Games.exe	Amazon Games Services.exe
PID 2016 wrote to memory of 2176	2016	Amazon Games.exe	Amazon Games Services.exe
PID 2016 wrote to memory of 2176	2016	Amazon Games.exe	Amazon Games Services.exe
PID 2016 wrote to memory of 2176	2016	Amazon Games.exe	Amazon Games Services.exe
PID 2016 wrote to memory of 1648	2016	Amazon Games.exe	Amazon Games UI.exe
PID 2016 wrote to memory of 1648	2016	Amazon Games.exe	Amazon Games UI.exe
PID 2016 wrote to memory of 1648	2016	Amazon Games.exe	Amazon Games UI.exe
PID 2016 wrote to memory of 1648	2016	Amazon Games.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2744	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2920	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2920	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2920	1648	Amazon Games UI.exe	Amazon Games UI.exe
PID 1648 wrote to memory of 2920	1648	Amazon Games UI.exe	Amazon Games UI.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_e1f12fc65552ebcd26542e8bf3f985b8_cobalt-strike_magniber.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe" " /referral=strike_magniber /voice=e1f12fc65552ebcd26542e8bf3f985b8_cobalt /channelId=87d38116-4cbf-4af0-a371-a5b498975346"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\Amazon Games Services.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\Amazon Games Services.exe" "/appIpcName=AgsLaunch-App-Pipe-2016-1" "/coreProcessIpc=CoreProcess-Desktop-2016-1" " /referral=strike_magniber /voice=e1f12fc65552ebcd26542e8bf3f985b8_cobalt /channelId=87d38116-4cbf-4af0-a371-a5b498975346"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe" "--appIpcName=AgsLaunch-App-Pipe-2016-1"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe" --type=gpu-process --field-trial-handle=1080,11016402433552687694,15956887269254268864,131072 --disable-features=SpareRendererForSitePerProcess --enable-gpu-rasterization --gpu-preferences=KAAAAAAAAADgAAAwAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=12262925137117088965 --mojo-platform-channel-handle=1092 --ignored=" --type=renderer " /prefetch:2
4⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe" --type=utility --field-trial-handle=1080,11016402433552687694,15956887269254268864,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=sonic --secure-schemes=sonic --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --service-request-channel-token=12156804709064058363 --mojo-platform-channel-handle=1432 /prefetch:8
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe" --type=renderer --field-trial-handle=1080,11016402433552687694,15956887269254268864,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --standard-schemes=sonic --secure-schemes=sonic --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --app-user-model-id=Amazon.AmazonGamesApp --app-path="C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\app.asar" --enable-experimental-web-platform-features --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\app.asar\preload.js" --background-color=#000 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=7216149002826844889 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
4⤵
PID:2680

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe" --type=renderer --field-trial-handle=1080,11016402433552687694,15956887269254268864,131072 --disable-features=SpareRendererForSitePerProcess --lang=en-US --standard-schemes=sonic --secure-schemes=sonic --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --app-user-model-id=Amazon.AmazonGamesApp --app-path="C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\app.asar" --enable-experimental-web-platform-features --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\app.asar\preload.js" --background-color=#000 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=809647678948810138 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1840 /prefetch:1
4⤵
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
f440aec68a6f57813485d30283f57d67

SHA1
8fc50b7148636ec4f8388dc599bc273dccc8204c

SHA256
6cadac5d83cde1baa8e27da8350ba1658235c46692594c6c1ecd466e00940ad5

SHA512
fe512bb19aab3db9ffbaf7a80209d4aded1a7a0531c1acd117bda76f5dbd8eb02d061e9151071b76582d7023d03f1c5954bf110af7c8d6c3f5a0be9f61671a39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bb5562da78b7ed28674e2a88d8f1e4e0

SHA1
3d1bc727dff233e4efe96bece0143d756029fb84

SHA256
9c910200bea963c8118f6e781b8f93ff06f58791842d908e2f40b2e456612fa6

SHA512
74e353a0cfbebed952f8f717a6e91256b78074bd4a91d1de8f806a2d95d62731d52af0e0a2a775350d7c3dca41b7f2695fe529c7c983b368c7319b5622cf6d01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
819e162831b81faff2ceb717edcdb337

SHA1
96f662c60ef7f2e6f4b1eee1f7e9fec92e443166

SHA256
367ad9c68c634466cfd574cbe47d073465c3f2ed1d91211d448c5eff048143c6

SHA512
39535f006e9c209c72ac3cc6260a52bcef7736f131153089e971ac04ad122783f2b956d53eb933b0db9e7208b3c25c6e74811c0443e10db5334d6b4763f7c4d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f184cab6d3ee6041ce216c12678c29df

SHA1
95678dee79be3c7ae7eea30b5bea0016c5415fe7

SHA256
9950f440f4374b966df37085f8f07efc8094307288286af85cb0a79ac290f094

SHA512
9aea2fbab91b418d1c0f70ad214c03782ebbeae09048d569286dc21def3977d83aa99c768ac9a53536da32d0ddc1b4b5215a9a447bf7e76fcc356ac49da9ff5b

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\Amazon Games Services.exe
Filesize
164KB

MD5
fe23656081c5bd7b8ae9ae2b9d839626

SHA1
b9ffcbe686da844867de4ec7d6ed7cd7461a7932

SHA256
8fd08ad4c69a69de51c4cb636ca793b60d9008eb27fa3ee8fae2685dab082d4b

SHA512
23f892c00847f73d4a1a627ef0677c4808d2ff5ff330a6795f5949e572eb189549c96b1bc0f043cec251cb1b66e834690a6ab295dbc6a9ab1bd2c39b0dfc715f

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\System.Runtime.dll
Filesize
42KB

MD5
2a2145894b1e24529c3ec57fe204bd07

SHA1
0cfb1d48f6bfebe85abce1443193ad8f818318dd

SHA256
36764292c645fbbc92c31ecb3338f26093ac0f7e69f5c8f9b817b7b6f9f49ce2

SHA512
7c2ace08599763e6f2105ad30c7d9df1b38ac9febb7816d98957960a6c3138e2978614b084d82a36bb495bf0d2e135fd660ea1c906efd3aa4ebef4104f717da1

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
2f3ed68e88962a3db91fddff116043c6

SHA1
f89f28cd1a2afb247c483ec5d3373687acd9f0f3

SHA256
94285b076bc56f70b600340cb8e462fa860745a4e259a01a5faf200365b626eb

SHA512
99965f02106a278ccffa953849546008595a38eaa21e81f6b72d8635931b6e32bdb44c96e4ed52df374ed765138ff5e2a97d6dd1878e9bb062d7d5b7332bd247

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
5ee963beea8ab70e4837b3ddc3dfa780

SHA1
08d253b2d5d44f4f01c5c8cd32a53202f46ea050

SHA256
7ec7ff7c30d637a2b2bdf202befc401d9840bd38aaf10633c7cbf03aaed80ba3

SHA512
c1cfc308a25196c1661e579f270aebb40685fbb478590be155a65cd79dda03d70ef53211fff6e1fc0c07b620ea92e05db8529b707c41e0aa7f3f82f23d764fdf

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-localization-l1-2-0.dll
Filesize
14KB

MD5
1d309498972c67db409bff7c34ad30af

SHA1
0bc9a4d52e482129bb3e52ad6c6b12bcb3f9f27f

SHA256
2f0973102f1d2e78158e80b0eea8a5f63085cb3088624227bc89c337dcea96d3

SHA512
933380e33119a42de01d06ea2aa9970f1db5f3a9a9dcdd08d35e18ed6365f75b94cf3a146f11e6f3f3c8da118f46a6224f3fd0e2c1736c9d667b948dca794d4f

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
11KB

MD5
3041be8b8f3e2e99d6f7fafcaf428648

SHA1
9ff03d218278bd12fc1406d21d58f5c4dca8e3c2

SHA256
7f1a83c6b5d0a856ea8c7952fd4c637a9ac7e663a620571afdcec7af6c68a960

SHA512
dcb59dd2ebafa0ac64fc35dbf6b9ce3c22bd857a93e64bd64b53c9c35dec3c026b6d25c9a848968dd00cb8dd01b4b6755fa2273b540e1db7ccfce32a2a97f112

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
e162b53ff1f872345471989d20374f36

SHA1
232c1427096188e791ab0db44bf309cbefe20413

SHA256
3f61c83e3dcbe7f03195efcbabd9fd1ca75ee6359828e45733a53cc1fb1183f6

SHA512
2d60d609cb281cd4f2fa1c6369d2f75afa0d9f43df681a5f42e85f51d5bf57bb4e23c8e041b3fbae703706b8f82db9d27d1f650cf5bb9088e4f222ce1734ffd9

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
a99dafdd0eb1668ae60d4898338dbed3

SHA1
504687e909f0730e3c4db6ee14578b055e99743d

SHA256
ed383bc5365e2d9ff18c0867d4e2f8682ced6e45b0875b55cfcfb7bc87e6b301

SHA512
72af70f554a66280d6ac53a0cac342dc6e0b7fb8975757a404576101fd0f7445a1bcc8778fe5d7084f382a843710af4c94a9fcb9c230931b0b8b5e5ad3dcfa53

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
e795f694529fc430e0b0e25884e6a24e

SHA1
6c86a0bd746f55fd731a30f378e5f21c4fb2e2b7

SHA256
0ebae37459eb25ef518c47c454e6af81b076d0fdc5fed1674806551259435584

SHA512
c71622d473c68d7ae87cba663f38c08fb1b4ec0786e364f6863fbdf2711a7faac1e5cd18ba0912c318627cd58d7fc836ef0dd993a9444c846ec298502e04fc66

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
49c9af5961980346905239d9988cd041

SHA1
d679539617cf74ec04d75f450ef93d94abecac28

SHA256
f7cb5d3347d5a13b8bcce06821ba75043fce87f298131e23155753b56a48297e

SHA512
f2e04aff6d502d47946d8f0f9337e81fcc9c23608163d276c3cd304b3ef42e4d07d6f00e3606a6c2f2eadefc23fda3af55c1cefb7912def815e5c339208719b0

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-math-l1-1-0.dll
Filesize
21KB

MD5
b330487f1ccd5fc821fa117f8b57a5b4

SHA1
c32a5df20c4380aa5666011d860c1ce2fbfd354c

SHA256
5e40b97f5e5a1577bf30e91dfacc0e74e1cffb6c2beb270777cc0a5db065947f

SHA512
a5e4f57a94ec1bca577288458413627ec9b2c5d7b71d5f27a2c153002a9dd4dbdd128c89c35623b3f038a94844a50622ff65751476a5eef932765a96cb3ecc1c

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
16KB

MD5
0792930cced35a6b7afd0548a380d5d1

SHA1
45139b80525961c5aadffc3b4e44720f144da878

SHA256
f0e0d8b65a8cf88355a7c2fd401cee5ff4bcb7965a888f4361ad14a054517fd7

SHA512
df1ca5b417e5ec7a6600eee4e5ebb8de557ccd7883174ca47e4b69e0138c6af4afeae0cb2d2f8c3b32c128e92c725dcd4739d40911e15571bc5573289796f3d5

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-utility-l1-1-0.dll
Filesize
11KB

MD5
1d8042874eddebe39e60fbf8e1dfd3d0

SHA1
aac2ee2ea006022646b6c0d7cea93e248cff62f1

SHA256
4e71c955de0a9e71ecd6749d73f6f07364bea34c125a61261a9efe2b76ba98e5

SHA512
a74eaafaf0643935a5de9138059b08d972a05cae3f859fe7da28a370e2a4fb46ae00d8b986afa06f353eef2db104e60a5f40f07a5a87ccbe644e8f433b29b621

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
Filesize
49.1MB

MD5
38650981b96e107a7a78e1c7caff3013

SHA1
2b8aed85790d3715aebc0419c89dd04532cecde6

SHA256
bedfb6032fba5e8221924181082d68bc6b63c2d6a88218573ea09007ac83829b

SHA512
34d54871d6b510999bfdf1d8f209cd64515e632e3652f16fe3532b3e056533b904b9b2ca2eb91b0a16f2b943d64682c3bd7813b19d0377dd1c54a05398c9006c

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
Filesize
46.6MB

MD5
a8223e1facf623a6309408e64b27ef28

SHA1
6a4c881dc37548796f7873be88ea60f71b6eda98

SHA256
1627019d9e2e1c8f08afdfa7a088721200357c5cabc706655b2f3704d426e219

SHA512
020fdf3c210c561b72c58034da68c29d79a2a37033f70d8de899ae3c7db9ee59abf615dbc754bb7e56b80787bad395b632840b625b7fe00807e2b1866ae28ce7

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\static\public\core\overlay-981e9cdf8f1733c5922e.css
Filesize
334KB

MD5
e3a0425c4d9a25d022c49bdeeb15c42d

SHA1
1faf1cc8abf9bc351827551d7d4548a4edc6a29e

SHA256
577281d9bbccbef71522e3f9f930ebf0d91fb26c0459f75172910cc43e25a2b4

SHA512
35fa151affdab631cec1ab3fa810a5c14ddaf1be7dada2a9d3a48e9305acad63f7dd70303e15fc5b822f1e002562963986b84334cfb6657106cb06220cc46ab3

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\App\config\version
Filesize
40B

MD5
e5fd47d470b34f4852f4f8e054665d4e

SHA1
a3a635521bebb5802784d4bbdb9e57eedde8488c

SHA256
c5a98d833029251f42563562041e0841ebe586f47b99d34e17de7f4c9286665e

SHA512
9d6df93d25b2b3466f30cb4a25e84fedbbdfe17a5e88c7a1b57da7507742dd922d8c8e5614b32aed196c5540f6866a34c8ea8fbe15bd358eddea293cbd67255c

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\Data\Games\Sql\CommonData.sqlite
Filesize
28KB

MD5
fb0948531d6670dbab44abdcfc79335b

SHA1
4fbebb3510ca0a5446fd89153d2af95bb1b52f6f

SHA256
0e67f05bbffde815066f3a357ffb082dd33b94cc37478baa4da7b0a401009c06

SHA512
f06f49127de89ba173a33c28fbe5e44786283cb2e9b8f07af08b1263d0cb67e82f2913eae2756d6393182459c9b3bb2fa3857404d331f49fac139132778c2c20

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Live-Install_2024-04-23_18-02_0.log
Filesize
688KB

MD5
fcc51579c202ac8570dfe2fc9a7f6a9b

SHA1
5ae5780103203bbb832e81b338410b121972b74f

SHA256
f5dd04081e10a6cf4c49b0c68afb65f52689c3aa8424377b54a75a9b1418ba07

SHA512
142c1ccbaa6a577fdc1da617a193a888c474bcb1c9a2e9ac72064855efd70a61703406f41e666acfec8705a09bfb5d7c792c2313c5f2fab248ef884d0983d7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar833B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\Amazon Games Services.dll
Filesize
289KB

MD5
deba6c8e0c0d675d603a6abac1758405

SHA1
a7256d4a7edfe4cf9ef2acfb666e885b8a94af21

SHA256
e19a9367128f32949f564dc56616d4634ad76906a38df14aa54e071a16edddbd

SHA512
fe37ed5960b4d41754cf7ccf1058779689c2a35f29a38e698f880a27640cd7e853ebf6d2f4c9e9d15d98c3e363fa6cb7c7b898fc4ea60061d31d7106a7713c6c

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\System.Private.CoreLib.dll
Filesize
8.2MB

MD5
d3cfe3422fb4d5a93c1cf9807debd230

SHA1
41a3f27c2e812b24bdf269c9c590b300404bd5d9

SHA256
5064262dc838d4fdd458a70312f6945f56e153519fa4d6808b34738018753625

SHA512
e659f1290ce7b139d89eafea18d879ee029d82d361d9b3aa511b63aadc00a73f1821505e61633fe2aefcc8d73016471336b88ecf17d15c8aff9c5ac1299db21e

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
b42f3df73d062dcf7c61eb3e455fe1c6

SHA1
cdba01951de434f36b9100c7db2316bd0728abac

SHA256
3d205605ed371704d2de5fa0511fb4ad2f791c81e5781ed3c4464881efd8523b

SHA512
b70c49f8494b600483a858210a5bb73c0a052460e34aa16290f32ec6af68095b38b7436fbae34273048ecd058c7fd40ce1c6184ea21171afe291c29e249253f0

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
fb887fed29c62e516005fadb6838d521

SHA1
c1b783800f33aed8f67953e0816c1792e976c62a

SHA256
f989de398e969df49c108ef53f5e152eb35f7a7d0e19974aa9f24a995e5c9e11

SHA512
d895e2c83578400174bd0d316e790b1b5c7400b7e24f8ac4ab1964701821f4ae7fac4ef308e4bdd09ad774cfcd54b1f0176da0911437759439a1e2a0d99cb13d

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
17KB

MD5
38799420c40507472fd54b3ba205db3e

SHA1
84d04a2e360f16da027b84d51aab649154979232

SHA256
eec15efdf7caa058cb7f721a1c4e5d3f1c97039c4b6bfe2b32f789e10756106f

SHA512
cde6ff6b3dc908dcf932b4e308c99589af3bcfe8aa06a416db107e948616ba7517c3ef882a59fbecf2b3ea92290f90123d5a6f4c355bc1d89a5f4745ee886833

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-string-l1-1-0.dll
Filesize
17KB

MD5
2c4f5369a8c60a6d8107f474d2942859

SHA1
9e52ae6e0397672fdbf251217cea25201f11004a

SHA256
c8138031537a27fd364f359d48db88485c4a0d668ed2983ff5f6edf0bffcd91f

SHA512
efe27d138cdae009e4aea9aaf31c899cc60389ed644f042ff3b656c3a24fc8a98420d90ad86fa16ef95bd14b918eaaab926f2ad20ad47e0831842eec2b136a29

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\api-ms-win-crt-time-l1-1-0.dll
Filesize
13KB

MD5
e78951b33f1a259b3b9c0b406ac816a4

SHA1
22ab7641feab19e0d3c2992f377c4164e3f7e74b

SHA256
62886805ad32f151b6230358e1da74db1bfc8adbfdc316fda111cb8431a733d8

SHA512
9f6d378326bf9102b9983053f105c51ad09cb80f478ac97af9269bfe2633f3210a9ae56e55dee6eadc00f5f7841654a13f1d274bcf590de56ceb3e68674bcec5

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\clrjit.dll
Filesize
1.0MB

MD5
e127d23181160e02391e628192b1d08a

SHA1
642c16276a9dc0c216e677be97df4e4aeb2836a6

SHA256
ce9037b6998a8171cb53cfa3725cc9bddd95ceba7fe4f9fd9fb43ac667ce4601

SHA512
7a557a26eb0442d79da66b34ff70c37d4e5d26c757493c58127265876c9c2d2da1e6cb9b70680ee4dbf3773dcb55b575010fc72b5528263f957b20f867d71465

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\coreclr.dll
Filesize
4.0MB

MD5
99004b84b758edc90f90671221152667

SHA1
9a22738517dac9fc717d6f9324a24aeee6dc93e6

SHA256
ab0ee337d10c8225134603f1dc5f70631fc7a3dc49500e254efca7c60b145f67

SHA512
662c00d3bcf76eb8fb603a681ca029824ca1bb65064790da405e95db6c363ebe9cf897f8420b5f79b6653eed17aebcf81e4dfe81652f0dbe674ba4fd54c9adb0

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\hostfxr.dll
Filesize
248KB

MD5
1bc17073c940e2cb486d4c5a361c5df4

SHA1
218c6cfac172af7477039761ba03de0a899a3e29

SHA256
50a853d23c8d2832da1183abd20ae446585cebcd902858f3bd0181fa4bf3c6b6

SHA512
ace997a3e1460ba387d9a051384f981f872b6470652c64abb344a4a2c55e19388870989e6104bcae8b168df8c62d34c43853d61b9940ffff19d582f76a2ec7a5

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\hostpolicy.dll
Filesize
249KB

MD5
da0f874eeee4c0f45cd0a9bd044c7db7

SHA1
c7edd0703429c6f49f7bae3a43366ef99e051d7f

SHA256
4f3934c1bcac7827078702d9ef21ecd4af5652595a115bc578d026bb03b60bd8

SHA512
c6577c80375fcc406d110254120e1d37a450ad2114b0c72a14045ee0dc064d7e3208ff599832d0ae6445c002b0993cee808153a83d47a21105f2f84cdd2aef16

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games Services\ucrtbase.dll
Filesize
1.1MB

MD5
5fef2fd676d7a1ac1bbf2cc9ba5c1a29

SHA1
3716deef1ba1915e06111199b1b6ab9e1d0649a4

SHA256
1f1ce96469c20279003cf9ec59f452febed2dd7f6e6c055ae8019216105c8f3b

SHA512
d6ebd0a633075040237bd30447af9d88672163f40f2ecd4197c9b4fb191225212b789cd514ce2f81f695cc485173705582e4dbf6b8f9fc40c03936a31919e064

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\Amazon Games UI.exe
Filesize
48.9MB

MD5
9025f77e3746645e95c13d3b5219f763

SHA1
ce76aa71f549314862fd68b3c3d687b9f859447f

SHA256
179122813bfde15a8b49ede74512e9fe60545ff4427b4df443452e68932411d8

SHA512
87c3611719216410150f8950ab934f9a5b391b77e4f34f71ece93ea60fd9ec477c8a930c5d423828e04c8e739e57be0e5d0210a4f79c1feef48693336e351b7a

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\ffmpeg.dll
Filesize
1.9MB

MD5
a7942e3c5b8ce9c602fe8c64d9e8a42b

SHA1
eada931fd2054bcb3159aae30221d067f8bc39e3

SHA256
7d0ea22c750c6df0872a9cf76b55a62e197db1bdd6ead8ed967d627a84255994

SHA512
20699ac7a6b6d41e8748b0a13b7e949224e458d798442cf2d7fb5e2b06d4201f10378136d0ddc373ca5ecf405505565ff5e2fa6bdc86e49dd3d3b3f1a16df57e

Download Submit
\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe
Filesize
1.7MB

MD5
238b9152bd1f02939e2033cb9a21a21e

SHA1
2e7c8a10e6bf4bebe8fcb42f528002d1fd0d746b

SHA256
25a9fa08338f0e155ef7ff25fc5470d8bd6c9c002326111e0fc2216709a777cd

SHA512
8dc8b9fc1e2d32f4ee83b0eb1773c4689d3e9a8aea3e686271b7b31ecf88d824207c0f81ebd36846e717d2250b7c8a291b5538fde34909632d64ae221b3defff

Download Submit
memory/1648-1965-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/2176-1875-0x0000000072FC0000-0x00000000733D9000-memory.dmp

Filesize
4.1MB

Download
memory/2744-1886-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/2808-1943-0x0000000000400000-0x0000000000607170-memory.dmp

Filesize
2.0MB

Download
memory/2808-0-0x0000000000400000-0x0000000000607170-memory.dmp

Filesize
2.0MB

Download