Malware analysis BlueStacksInstaller_5.22.91.1029_native_d5d3795be68b298679f4f99b22cfc26d_MzsxNSwwOzUsMTsxNSw0OzE1LDU7MTU=.exe Malicious activity

Add for printing

File name:	BlueStacksInstaller_5.22.91.1029_native_d5d3795be68b298679f4f99b22cfc26d_MzsxNSwwOzUsMTsxNSw0OzE1LDU7MTU=.exe
Full analysis:	https://app.any.run/tasks/277ec35a-db35-4ee1-93ec-d871333067c3
Verdict:	Malicious activity
Analysis date:	July 25, 2025, 18:40:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	FE24896CA6F565EACE0A62662EA0FBAE
SHA1:	AB26292AEE7D5F3E8D5179526A290B3039A6BFC7
SHA256:	1E633AA51F1A1652A2F71AAFA6C2A3E7EF3D261DC1623D4A10D1C15CBE92D012
SSDEEP:	49152:vnVQhBuOT8fZ8lW1s9rOTH+glOwutAh4fagnfHCZD4pgYSnpzsvD:NeT8fClWOrO6bwAAYnPyt3pzsb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - BlueStacksServices.exe (PID: 1864)
- Opens a text file (SCRIPT)
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 1028)
  - cscript.exe (PID: 6620)
  - cscript.exe (PID: 3820)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksInstaller.exe (PID: 6472)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksServices.exe (PID: 1864)
- Reads security settings of Internet Explorer
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BlueStacksInstaller.exe (PID: 6680)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksInstaller.exe (PID: 6472)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - BlueStacksServicesSetup.exe (PID: 6656)
- Reads the date of Windows installation
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
- Application launched itself
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksServices.exe (PID: 1864)
- Drops 7-zip archiver for unpacking
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksServicesSetup.exe (PID: 6656)
- The process creates files with name similar to system file names
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksServicesSetup.exe (PID: 6656)
- Malware-specific behavior (creating "System.dll" in Temp)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksServicesSetup.exe (PID: 6656)
- The process drops C-runtime libraries
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 5616)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 4768)
- The process executes VB scripts
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 5616)
  - BlueStacksServicesSetup.exe (PID: 6656)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 5616)
- Creates a software uninstall entry
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksServicesSetup.exe (PID: 6656)
- Searches for installed software
  - BlueStacksInstaller.exe (PID: 6472)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 4768)
- Get information on the list of running processes
  - BlueStacksServicesSetup.exe (PID: 6656)
  - cmd.exe (PID: 4748)
- Process drops legitimate windows executable
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
- Gets full path of the running script (SCRIPT)
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 6620)
  - cscript.exe (PID: 3820)
  - cscript.exe (PID: 1028)
- Writes binary data to a Stream object (SCRIPT)
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 3820)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 1028)
  - cscript.exe (PID: 3820)
  - cscript.exe (PID: 6620)
- Reads data from a binary Stream object (SCRIPT)
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 6620)
  - cscript.exe (PID: 1028)
  - cscript.exe (PID: 3820)
INFO
- Checks supported languages
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BlueStacksInstaller.exe (PID: 6680)
  - HD-CheckCpu.exe (PID: 4748)
  - BlueStacksInstaller.exe (PID: 6472)
  - HD-CheckCpu.exe (PID: 2504)
  - HD-CheckCpu.exe (PID: 4540)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - HD-CheckCpu.exe (PID: 1036)
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksInstaller.exe (PID: 4752)
  - BlueStacksServices.exe (PID: 1864)
  - BlueStacksServices.exe (PID: 6388)
  - BlueStacksServices.exe (PID: 1520)
- Create files in a temporary directory
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksServices.exe (PID: 1864)
- Process checks computer location settings
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BlueStacksInstaller.exe (PID: 6680)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - BlueStacksInstaller.exe (PID: 6472)
- Reads the machine GUID from the registry
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksInstaller.exe (PID: 4752)
  - BlueStacksServices.exe (PID: 1864)
- Reads the computer name
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 5236)
  - BlueStacksInstaller.exe (PID: 4752)
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksServices.exe (PID: 1864)
  - BlueStacksServices.exe (PID: 6388)
  - BlueStacksServices.exe (PID: 1520)
- Reads Environment values
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksInstaller.exe (PID: 4752)
  - BlueStacksServices.exe (PID: 1864)
- Checks proxy server information
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksInstaller.exe (PID: 4752)
  - BlueStacksServices.exe (PID: 1864)
- Reads the software policy settings
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksInstaller.exe (PID: 4752)
- Creates files or folders in the user directory
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksServices.exe (PID: 1864)
- Disables trace logs
  - BlueStacksInstaller.exe (PID: 6680)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksInstaller.exe (PID: 4752)
- Creates files in the program directory
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksInstaller.exe (PID: 6472)
- Reads product name
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - BlueStacksServices.exe (PID: 1864)
- The sample compiled with english language support
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
  - 277ec35a-db35-4ee1-93ec-d871333067c3.exe (PID: 4072)
  - BlueStacksInstaller.exe (PID: 6472)
  - BlueStacksServicesSetup.exe (PID: 6656)
- The sample compiled with chinese language support
  - BSX-Setup-5.22.91.1029_nxt.exe (PID: 6980)
- Manual execution by a user
  - BlueStacksServicesSetup.exe (PID: 6656)
  - BlueStacksServices.exe (PID: 1864)
- Launching a file from a Registry key
  - BlueStacksServices.exe (PID: 1864)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 4648)
  - cscript.exe (PID: 4456)
  - cscript.exe (PID: 3820)
  - cscript.exe (PID: 6620)
  - cscript.exe (PID: 1028)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:07:19 13:21:27+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	133632
InitializedDataSize:	224768
UninitializedDataSize:	-
EntryPoint:	0x1a5b2
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	19.0.0.0
ProductVersionNumber:	19.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	now.gg, Inc.
FileDescription:	BlueStacks Setup
FileVersion:	5
InternalName:	BlueStacks Installer
LegalCopyright:	Copyright (c) 2010-2021 Bluestacks from Now.gg, Inc.
OriginalFileName:	BlueStacksInstaller.exe
ProductName:	BlueStacks 5
ProductVersion:	5

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

182

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

HD-CheckCpu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1028

cscript.exe //Nologo C:\Users\admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A

C:\Windows\System32\cscript.exe

—

BlueStacksServices.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1036

"C:\Users\admin\AppData\Local\Temp\7zS4749FBC9\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\admin\AppData\Local\Temp\7zS4749FBC9\HD-CheckCpu.exe

—

BlueStacksInstaller.exe

User:

admin

Integrity Level:

HIGH

Exit code:

4294967295

Modules

Images
c:\users\admin\appdata\local\temp\7zs4749fbc9\hd-checkcpu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\kernel.appcore.dll

1040

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1520

"C:\Users\admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=2052 --field-trial-handle=1748,i,14474647931351215110,12681604304659287914,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Users\admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

—

BlueStacksServices.exe

User:

admin

Company:

now.gg, Inc.

Integrity Level:

MEDIUM

Description:

BlueStacks Services

Version:

3.0.9.173

Modules

Images
c:\users\admin\appdata\local\programs\bluestacks-services\bluestacksservices.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1632

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1668

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1864

"C:\Users\admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --hidden --initialLaunch

C:\Users\admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

explorer.exe

User:

admin

Company:

now.gg, Inc.

Integrity Level:

MEDIUM

Description:

BlueStacks Services

Version:

3.0.9.173

Modules

Images
c:\users\admin\appdata\local\programs\bluestacks-services\bluestacksservices.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2064

netsh advfirewall firewall delete rule name="BlueStacksWeb"

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

2428

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

HD-CheckCpu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

11 568

Read events

11 502

Write events

Delete events

Modification events


(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BlueStacks_nxt
Operation:	write	Name:	IsNewMachineIdCreated
Value: 1
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BlueStacksInstaller
Operation:	write	Name:	MachineID
Value: 02f02e13-0cff-4fbc-b5ec-3d9ee9fafb91
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BlueStacksInstaller
Operation:	write	Name:	VersionMachineId_5.22.91.1029
Value: 738ad3d4-4a5c-4925-9dbd-c5a5f24695eb
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BlueStacks_nxt
Operation:	write	Name:	MiCampaignJson
Value: { "app_url": "", "campaign_name": "", "exit_utm_campaign": "", "app_icon_url": "", "app_pkg": "", "app_name": "", "promoter_id": "", "fle_tag": "", "incompatible": "", "bsx_data": null }
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6680) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576

Add for printing

Executable files

331

Suspicious files

Text files

428

Unknown types

173

Dropped files

PID	Process	Filename		Type
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\backicon.png		image
		MD5:7FF5DC8270B5FA7EF6C4A1420BD67A7F	SHA256:FA64884054171515E97B78AAA1AAD1EC5BAA9D1DAF9C682E0B3FB4A41A9CB1C1
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\checked_gray_hover.png		image
		MD5:EA22933E94C7AB813B639627F2B38286	SHA256:D7C79677D2EF897FA0AD1EFC90E916C46DA29F571208F78F24505603B7165C20
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\custom.png		image
		MD5:03B17F0B1C067826B0FCC6746CCED2CB	SHA256:FBECE8BB5F4DFA55DCFBF41151B10608AF807B9477E99ACF0940954A11E68F7B
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\close_red_click.png		image
		MD5:6DB7460B73A6641C7621D0A6203A0A90	SHA256:D5A7E6FC5E92E0B29A4F65625030447F3379B4E3AC4BED051A0646A7932CE0CD
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\discord_icon.png		image
		MD5:9354BC445E979C2DE9B9EEDD9B7C8318	SHA256:C29B35C6BE50F9E34F1120BD346CE01884F0C7BA1121C866D95B24E46E420B0C
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\exit_close_hover.png		image
		MD5:92C2BF222D6AB81FE7A0C072BF31C107	SHA256:BCC053A9A087E077D58114106D29701A34F7851F4052F3157102811355D3E709
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\discord_icon_hover.png		image
		MD5:C11CC6A9EDFF1694A71584413DD47DFD	SHA256:6B126C8A7015C2274E6A2AC969E0F31ECAE421E1652B446B2AAFD2B03D0DC3F5
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\error_icon.png		image
		MD5:DAB2C4538A83422B5DEAE0E0DE9B7A30	SHA256:666AD4FE456216DDC06618967846ED31F81D8DB5BE97DA6531842C0667352B89
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\change.png		image
		MD5:57092634754FC26E5515E3ED5CA7D461	SHA256:8E5847487DA148EBB3EA029CC92165AFD215CDC08F7122271E13EB37F94E6DC1
4072	277ec35a-db35-4ee1-93ec-d871333067c3.exe	C:\Users\admin\AppData\Local\Temp\7zS8EFC1DF8\Assets\exit_close.png		image
		MD5:26EB04B9E0105A7B121EA9C6601BBF2A	SHA256:7AAEF329BA9FA052791D1A09F127551289641EA743BABA171DE55FAA30EC1157

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4120	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1712	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1712	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7032	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6680	BlueStacksInstaller.exe	34.160.86.181:443	cloud.bluestacks.com	GOOGLE	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6472	BlueStacksInstaller.exe	34.160.86.181:443	cloud.bluestacks.com	GOOGLE	US	whitelisted
6472	BlueStacksInstaller.exe	23.50.131.84:443	ak-build.bluestacks.com	Akamai International B.V.	DE	whitelisted
4120	svchost.exe	20.190.160.65:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4120	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.238	whitelisted
cloud.bluestacks.com	34.160.86.181	whitelisted
ak-build.bluestacks.com	23.50.131.84 23.50.131.85	whitelisted
login.live.com	20.190.160.65 40.126.32.76 20.190.160.130 20.190.160.14 20.190.160.128 40.126.32.140 40.126.32.133 20.190.160.132	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.37 23.216.77.29 23.216.77.25 23.216.77.35 23.216.77.39 23.216.77.28 23.216.77.31 23.216.77.36	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
client.wns.windows.com	20.59.87.225	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted

Threats

No threats detected

Add for printing

Process	Message
BSX-Setup-5.22.91.1029_nxt.exe	BtnOneClick
BSX-Setup-5.22.91.1029_nxt.exe	closebtn
BSX-Setup-5.22.91.1029_nxt.exe	BtnInstallFinished
BSX-Setup-5.22.91.1029_nxt.exe	btnSelectDir
BSX-Setup-5.22.91.1029_nxt.exe	DirText
BSX-Setup-5.22.91.1029_nxt.exe	C:\Program Files (x86)
BSX-Setup-5.22.91.1029_nxt.exe	CustomInstall
BSX-Setup-5.22.91.1029_nxt.exe	C:\Program Files (x86)
BSX-Setup-5.22.91.1029_nxt.exe	showInstallPage
BSX-Setup-5.22.91.1029_nxt.exe	0%

General Info

BlueStacksInstaller_5.22.91.1029_native_d5d3795be68b298679f4f99b22cfc26d_MzsxNSwwOzUsMTsxNSw0OzE1LDU7MTU=.exe

FE24896CA6F565EACE0A62662EA0FBAE

AB26292AEE7D5F3E8D5179526A290B3039A6BFC7

1E633AA51F1A1652A2F71AAFA6C2A3E7EF3D261DC1623D4A10D1C15CBE92D012

49152:vnVQhBuOT8fZ8lW1s9rOTH+glOwutAh4fagnfHCZD4pgYSnpzsvD:NeT8fClWOrO6bwAAYnPyt3pzsb

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Opens a text file (SCRIPT)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Application launched itself

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

The process drops C-runtime libraries

Executing commands from a ".bat" file

Uses NETSH.EXE to delete a firewall rule or allowed programs

The process executes VB scripts

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Creates a software uninstall entry

Searches for installed software

Uses NETSH.EXE to add a firewall rule or allowed programs

Get information on the list of running processes

Process drops legitimate windows executable

Gets full path of the running script (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Reads data from a binary Stream object (SCRIPT)

INFO

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Disables trace logs

Creates files in the program directory

Reads product name

The sample compiled with english language support

The sample compiled with chinese language support

Manual execution by a user

Launching a file from a Registry key

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information