Malware Analysis Report

2024-09-22 21:56

Sample ID: 240704-ee672avenb
Target: 248950cf7a2d01e99e1e815c7dc5b28c_JaffaCakes118
SHA256: 18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6
Tags: bitrat trojan upx discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6

Threat Level: Known bad

The file 248950cf7a2d01e99e1e815c7dc5b28c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx discovery

BitRAT

Downloads MZ/PE file

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-04 03:52

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral5

Detonation Overview

Submitted: 2024-07-04 03:52
Reported: 2024-07-04 03:54
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

Signatures

BitRAT

trojan bitrat

UPX packed file

upx

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1932 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1932 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3CA.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 curtisusa.hopto.org udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpE3CA.tmp

MD5 e954ac93c04da27a9c76004f4264577f
SHA1 0145b5e9030744c5a5ef447c8d809e1f67f83239
SHA256 bd6d4198504e847efd8f900b8666b2606a225736de94f27e89aea51e73267ebb
SHA512 bf02f02590eb012e6f90103d3b90b0ec2ff88cebb537be4c655380ea404fa97a15e935ccb365d4819e5f0117e9f9f7fa17e08e00c767d8358a89f54f076cf0d7

Analysis: behavioral6

Detonation Overview

Submitted: 2024-07-04 03:52
Reported: 2024-07-04 03:54
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A

UPX packed file

upx

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 628 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAEE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 curtisusa.hopto.org udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpBAEE.tmp

MD5 6e780f5c109f2c2f161bbf1734f4a470
SHA1 95ece58d142f4180079ed10f5e2aa2f223c23283
SHA256 7c172ac23493acab187508b823385b45d354927456260e0b23b37aea5aa9153e
SHA512 715fd527c286c82a80025fc0dde9f1a73a0f0523778d0babb9d915e319e423d67c726a9737506da890d60da9c7afe530de6ed0696da9708974a3beed5240b71c

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-04 03:52
Reported: 2024-07-04 03:54
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe"

Signatures

BitRAT

trojan bitrat

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe N/A

UPX packed file

upx

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1760 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 2992 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 2992 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 2992 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 2992 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 1760 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 1760 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe"

C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.amazongames.com udp
GB 18.244.114.55:443 download.amazongames.com tcp
GB 18.244.114.55:443 download.amazongames.com tcp
US 8.8.8.8:53 d34q08dqzz17tk.cloudfront.net udp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 det-ta-g7g.amazon.com udp
US 52.54.36.84:443 det-ta-g7g.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 8.8.8.8:53 unagi-na.amazon.com udp
US 52.46.136.40:443 unagi-na.amazon.com tcp
US 54.91.103.251:443 device-metrics-us-2.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 54.242.128.35:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 d34q08dqzz17tk.cloudfront.net udp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 54.242.128.35:443 device-metrics-us-2.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 3.227.83.236:443 device-metrics-us-2.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp

Files

\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

MD5 cef6d09b553a93f81942da9838b1ac57
SHA1 c32fbf54b54dadabbae600645c417c163234daf5
SHA256 d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5
SHA512 05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

MD5 02be3726c0a90958a3c30577d3b3a131
SHA1 bedbab8bd74a9d7313ba32ca033c81ec32c04706
SHA256 1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a
SHA512 662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713

C:\Users\Admin\AppData\Local\Temp\Cab2915.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar29B8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5ebe8515c26528d6f0a7b621446b0e0
SHA1 aadd38a69b1b02b203b36b8c9a25397133190427
SHA256 1efed1171a92e8a8aecebc0b2f190a9d948e7d634190bfe8aa2189432b59d93b
SHA512 fbdc92aa0e2315edd2ef7938538986e2fa8417a129cdfeb31251643a294933308eff69a2576542337c1871565f3c9107ca5e4ad5f2aca34ca2a8d5aeaa77f24b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6313a83c094e9e77cb8c253415df3a10
SHA1 2386870da0c6424569b466899710634d3369cc1e
SHA256 d3c12856a15e6af27e088895cbebbb3423e3b2c93a684d9cb38f8b56b0b7a333
SHA512 ce1e790c05f8872f19459f634e639023b7c9b992f132f5640711428a6aebf651fe584d78beecad561e6e9c0692b535707d72e821efa3520c72f026a158791ff8

C:\Users\Admin\AppData\Local\Temp\tmpF90E.tmp

MD5 e954ac93c04da27a9c76004f4264577f
SHA1 0145b5e9030744c5a5ef447c8d809e1f67f83239
SHA256 bd6d4198504e847efd8f900b8666b2606a225736de94f27e89aea51e73267ebb
SHA512 bf02f02590eb012e6f90103d3b90b0ec2ff88cebb537be4c655380ea404fa97a15e935ccb365d4819e5f0117e9f9f7fa17e08e00c767d8358a89f54f076cf0d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 03:52

Reported

2024-07-04 03:54

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe"

Signatures

BitRAT

trojan bitrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2812 set thread context of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 676 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
PID 1404 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe
PID 1404 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe
PID 1404 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe
PID 2812 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
PID 2812 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe"

C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

"C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe" "/nopatch"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A1D.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.amazongames.com udp
GB 18.244.114.105:443 download.amazongames.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 det-ta-g7g.amazon.com udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 105.114.244.18.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 207.165.129.174.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 8.8.8.8:53 unagi-na.amazon.com udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 gaming.amazon.com udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 44.215.130.143:443 gaming.amazon.com tcp
US 44.193.236.65:443 device-metrics-us-2.amazon.com tcp
US 52.46.129.152:443 unagi-na.amazon.com tcp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 143.130.215.44.in-addr.arpa udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 44.215.130.143:443 gaming.amazon.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 65.236.193.44.in-addr.arpa udp
US 44.193.236.65:443 device-metrics-us-2.amazon.com tcp
US 52.46.129.152:443 unagi-na.amazon.com tcp
US 8.8.8.8:53 152.129.46.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 pg.distribution.games.a2z.com udp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 73.153.172.18.in-addr.arpa udp
US 44.193.236.65:443 device-metrics-us-2.amazon.com tcp
US 52.46.137.248:443 unagi-na.amazon.com tcp
US 8.8.8.8:53 248.137.46.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 pg.distribution.games.a2z.com udp
GB 18.172.153.47:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 47.153.172.18.in-addr.arpa udp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 44.199.138.71:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 71.138.199.44.in-addr.arpa udp
GB 18.172.153.47:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 curtisusa.hopto.org udp
GB 18.172.153.47:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 44.199.138.71:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 curtisusa.hopto.org udp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

MD5 cef6d09b553a93f81942da9838b1ac57
SHA1 c32fbf54b54dadabbae600645c417c163234daf5
SHA256 d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5
SHA512 05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

MD5 02be3726c0a90958a3c30577d3b3a131
SHA1 bedbab8bd74a9d7313ba32ca033c81ec32c04706
SHA256 1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a
SHA512 662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713

memory/2812-22-0x0000000073B12000-0x0000000073B13000-memory.dmp

memory/2812-24-0x0000000073B10000-0x00000000740C1000-memory.dmp

memory/2812-23-0x0000000073B10000-0x00000000740C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

MD5 3f1a9950778e30d7e742506da20c0c14
SHA1 e61f35b01bd30aeb144b9136b52239956e0f1d7e
SHA256 f6e6eb9e27a83689960f2438d86512092db2532c97d460e9b2e6a23834fa48f3
SHA512 43f84f1d28bf6ebbf338970c20ecbb153bdbf4d199d036136663c26a504d6ad454dc18cb108e90b4329c74b483e82b513462e119d1f8df01b2e926e123c38808

C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Install_2024-07-04_03-52_0.log

MD5 18248df6727579c071d6c1bad0ec1352
SHA1 4fab1051a855cb08d25efbe14db03fb0f702b711
SHA256 9ae38c15682d5c6dc3b218682fbe385e75a45752c0055120e8196c904647cfef
SHA512 8357657cde73ccc7d9050f28e0ed152a7b3cd12536ac33a7ddecfebf3e5ff125cf4c2b39cb212b315e0bdbfbf4286a44e28560697b7b0cdadbb727819d8c7ba6

memory/2812-35-0x0000000073B12000-0x0000000073B13000-memory.dmp

memory/2812-36-0x0000000073B10000-0x00000000740C1000-memory.dmp

memory/2812-37-0x0000000073B10000-0x00000000740C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7A1D.tmp

MD5 505d58183b76cac61ecf0ce485bd996a
SHA1 607fa8d4982f4fb044d4170c0f9eec5b1311115a
SHA256 069679d4327a4e0f5abe25d710169c07961a469fd98f0a2ef8277bb1168c4258
SHA512 75d0ff3be0c961d8b944c9691f87cc9a63637e342860eea225d9c3c07fb99367acfd492fa5af65bce3c4fd98fef9f09a74e3c252b898882a5b26c6d1b662b5f7

memory/3508-149-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-151-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-150-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/2812-159-0x0000000073B10000-0x00000000740C1000-memory.dmp

memory/3508-174-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-181-0x0000000074A40000-0x0000000074A79000-memory.dmp

memory/3508-184-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-190-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-197-0x0000000074B30000-0x0000000074B69000-memory.dmp

memory/3508-241-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-240-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-244-0x0000000074B30000-0x0000000074B69000-memory.dmp

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\static\public\core\auth-limbo-40b52b60a701b5c26a7d.css

MD5 acf81f08b85de98eca96cc1b2bbb199a
SHA1 4c089f322370d4461ffa94097d39cc148f45c4da
SHA256 e1326b0de115e4dae4d3157f50636abd85505c0995e4131d68878fedc512498e
SHA512 9220c6162e604d05c404ea9868a3564b7691e51bf7535d1628d194d3fb7bd2391cae076e5da99f664632fc0c6acd7a0807fcb2d1b4af1e2842cfb6973e2e056b

memory/3508-526-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-525-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-531-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/3508-796-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-797-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-798-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/3508-1235-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-1236-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-1249-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/3508-1643-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-1642-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/3508-1644-0x0000000074B20000-0x0000000074B59000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 03:52

Reported

2024-07-04 03:54

Platform

win7-20231129-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

Signatures

Downloads MZ/PE file

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b
3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = … C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.amazongames.com udp
GB 18.244.114.117:443 download.amazongames.com tcp
GB 18.244.114.117:443 download.amazongames.com tcp
US 8.8.8.8:53 det-ta-g7g.amazon.com udp
US 8.8.8.8:53 d34q08dqzz17tk.cloudfront.net udp
US 52.54.36.84:443 det-ta-g7g.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 8.8.8.8:53 unagi-na.amazon.com udp
US 52.94.226.162:443 unagi-na.amazon.com tcp
US 52.20.206.121:443 device-metrics-us-2.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 54.91.103.251:443 device-metrics-us-2.amazon.com tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp
GB 13.249.247.10:443 d34q08dqzz17tk.cloudfront.net tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar10F7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5cf590d871890639054fc3701a231e3
SHA1 39a6b82aa85d46bb60385ee9bb0904b1ece7b381
SHA256 d094220b6190e4dec5a5df12ab9f6de49129791e141fbf8eb6f2173ae655059c
SHA512 041aaa34ac9e206dddb887ec1b1a4c676ab0af5d8af9a151b59e9305004c4bc1b210562626ed7f97bd0529fb495e95e94e53a4cc5c1319e44b396c706af10a0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a730773c1a3acb1aae8d637a7d86a42b
SHA1 9e4c40030fd7670bfb3ebb735ed7c015975612b1
SHA256 8719037900a682c658c8575b0a13b61b2ca4ea6075d91b8bf1a78394798fa2f3
SHA512 dbb3700c623755b8e2953622f0afeea72c5a6b6f5f8a11d97494b11b6ff3f32b57057c7413a86e6353fa40dcab9778cf0e64dd8f36fab580f244921331839815

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1e98c0a64ec669d3d160e49eb830139e
SHA1 7c587cc0beecd9a0c2919c73a8d79757aefa673e
SHA256 e2d13c682ebf989945694150879a95f5e310cfeb6c1e41c7bf039548032c6e10
SHA512 01a6c28bd39169cda47ac101acb59f202a361fbe0393ae3451ce5aa5dddd56dcee2dd4c14d8b46b077707042784b0fd2c76697153c81f9f19902abde44a32812

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e81a83d9967c4875e09617b61bf1e574
SHA1 4e9475949aad8b47c27651f9f90e2eb537c29e9c
SHA256 cac9e07b672d23d7e24423419b907e19446c66c48eaab6a58896e79f832f30c9
SHA512 62a50b825d561fb16e5831ccb5120f236b33141fa7b92b81e0d5f823da8daf1799cf846c2f9fb7eaa261911a2326a2f5c17da3162c6622f5c53c1cef45e4ec28

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 03:52

Reported

2024-07-04 03:54

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

Signatures

Downloads MZ/PE file

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

"C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"

C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe" "/nopatch"

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe

"C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe" " /channelId=87d38116-4cbf-4af0-a371-a5b498975346"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.amazongames.com udp
GB 18.244.114.105:443 download.amazongames.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 det-ta-g7g.amazon.com udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.114.244.18.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 207.165.129.174.in-addr.arpa udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 gaming.amazon.com udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 44.215.132.170:443 gaming.amazon.com tcp
US 8.8.8.8:53 unagi-na.amazon.com udp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 52.94.242.239:443 unagi-na.amazon.com tcp
US 54.242.128.35:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 170.132.215.44.in-addr.arpa udp
US 44.215.132.170:443 gaming.amazon.com tcp
US 8.8.8.8:53 pg.distribution.games.a2z.com udp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 35.128.242.54.in-addr.arpa udp
US 8.8.8.8:53 239.242.94.52.in-addr.arpa udp
US 54.242.128.35:443 device-metrics-us-2.amazon.com tcp
US 52.94.242.239:443 unagi-na.amazon.com tcp
US 8.8.8.8:53 73.153.172.18.in-addr.arpa udp
US 174.129.165.207:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 3.227.83.236:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 236.83.227.3.in-addr.arpa udp
US 8.8.8.8:53 pg.distribution.games.a2z.com udp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 54.164.163.115:443 device-metrics-us-2.amazon.com tcp
US 8.8.8.8:53 115.163.164.54.in-addr.arpa udp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
GB 18.172.153.73:443 pg.distribution.games.a2z.com tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 det-ta-g7g.amazon.com udp
US 52.54.36.84:443 det-ta-g7g.amazon.com tcp
US 8.8.8.8:53 gaming.amazon.com udp
US 44.215.130.143:443 gaming.amazon.com tcp
US 8.8.8.8:53 device-metrics-us-2.amazon.com udp
US 34.195.175.66:443 device-metrics-us-2.amazon.com tcp
US 52.54.36.84:443 det-ta-g7g.amazon.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

MD5 3f1a9950778e30d7e742506da20c0c14
SHA1 e61f35b01bd30aeb144b9136b52239956e0f1d7e
SHA256 f6e6eb9e27a83689960f2438d86512092db2532c97d460e9b2e6a23834fa48f3
SHA512 43f84f1d28bf6ebbf338970c20ecbb153bdbf4d199d036136663c26a504d6ad454dc18cb108e90b4329c74b483e82b513462e119d1f8df01b2e926e123c38808

C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Install_2024-07-04_03-52_0.log

MD5 3f399b5de2e03417f986d485d9ab6232
SHA1 410b011a919ffa04479bc634cb72d2f1fa321c9e
SHA256 bf9265a0f24424022691d89b4d5132f11d4e16e640674b913bebb24da29449cb
SHA512 f443eb7ac9bd2491ad2be688d38e2a0a1f04f78a9aac365739b9352b8bde153f4dd0f4dd577654d58e9458265f620892108860c47730bdb0d0f391b510c44b5a

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\static\public\core\auth-limbo-40b52b60a701b5c26a7d.css

MD5 acf81f08b85de98eca96cc1b2bbb199a
SHA1 4c089f322370d4461ffa94097d39cc148f45c4da
SHA256 e1326b0de115e4dae4d3157f50636abd85505c0995e4131d68878fedc512498e
SHA512 9220c6162e604d05c404ea9868a3564b7691e51bf7535d1628d194d3fb7bd2391cae076e5da99f664632fc0c6acd7a0807fcb2d1b4af1e2842cfb6973e2e056b

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games.exe

MD5 31c680c73261d867169c9859b0235fc4
SHA1 5a94d51dfe4c37acebc1b51d995ea1fcc8ab5f76
SHA256 cd4de592833fb5bc3ff1897cecb02cd0b24b4db6b9b09649c444388ca4425921
SHA512 d2f85d52108ee936743e5fc2e81a124d241b223bf4f10d10c807dc00146b537a757c9f6e5451b91f605b6245e4335544d4e1e80def515d219afb17794f41cb07

C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Live-Install_2024-07-04_03-52_0.log

MD5 6a209704d28c834d47daf7065ccce050
SHA1 58becf7b2a838b68d9e00d15ee997341349f9ce2
SHA256 14781f848eacf9c5af40f08c9deab307818e7e9b2290957aab1008dbdefd59ec
SHA512 d36191e83d55894e4b0c4b53e8f53f3ad68b0140736ef55aeb2477cf397b739308c7bc47f31d92e2b8bf28749f9662a5819fed1fd18ef5089dadf323d5a72934