File name:

BlueStacksHelper.exe

Full analysis: https://app.any.run/tasks/140acb25-9bd5-4cc1-9b93-73b5d67eb9be
Verdict: Malicious activity
Analysis date: December 29, 2024, 21:21:12
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

BF7A9B14E6ED30E36E1AFC33A9371DAE

SHA1:

20F71356D43C927F85E4F18777CDD5563B545AED

SHA256:

245BC44F81AAAFE4DA66200E730E40CCEBA7FE5FB6895BDE6B291D8908553AFB

SSDEEP:

3072:5hvo6WDwTa06s8RJIifDIlCDJjgTa06s8RJIifDIlCDJjSJ4A1K:7Ks8RLDICDaKs8RLDICDA4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • dw20.exe (PID: 1160)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • BlueStacksHelper.exe (PID: 528)
      • dw20.exe (PID: 1160)

    • Reads security settings of Internet Explorer

      • BlueStacksHelper.exe (PID: 528)

    • Reads the Internet Settings

      • dw20.exe (PID: 1160)
      • BlueStacksHelper.exe (PID: 528)

    • Checks Windows Trust Settings

      • BlueStacksHelper.exe (PID: 528)

    • Reads the date of Windows installation

      • dw20.exe (PID: 1160)

  • INFO

    • Checks supported languages

      • BlueStacksHelper.exe (PID: 528)
      • dw20.exe (PID: 1160)

    • Creates files in the program directory

      • dw20.exe (PID: 1160)

    • Creates files or folders in the user directory

      • BlueStacksHelper.exe (PID: 528)

    • Reads the computer name

      • dw20.exe (PID: 1160)
      • BlueStacksHelper.exe (PID: 528)

    • Reads the machine GUID from the registry

      • dw20.exe (PID: 1160)
      • BlueStacksHelper.exe (PID: 528)

    • Reads the software policy settings

      • BlueStacksHelper.exe (PID: 528)
      • dw20.exe (PID: 1160)

    • Checks proxy server information

      • BlueStacksHelper.exe (PID: 528)
      • dw20.exe (PID: 1160)

    • Reads product name

      • dw20.exe (PID: 1160)

    • Reads CPU info

      • dw20.exe (PID: 1160)

    • Reads Environment values

      • dw20.exe (PID: 1160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:11 06:27:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 154624
InitializedDataSize: 137216
UninitializedDataSize: -
EntryPoint: 0x27bee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.80.0.0
ProductVersionNumber: 1.80.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: BlueStack Systems, Inc.
FileDescription: BlueStacks Helper
FileVersion: 1.8
InternalName: BlueStacksHelper.exe
LegalCopyright: Copyright 2011 BlueStack Systems, Inc. All Rights Reserved.
OriginalFileName: BlueStacksHelper.exe
ProductName: BlueStacks
ProductVersion: 1.8
AssemblyVersion: 1.80.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bluestackshelper.exe dw20.exe

Process information

PID
CMD
Path
Indicators
Parent process
528"C:\Users\admin\Desktop\BlueStacksHelper.exe" C:\Users\admin\Desktop\BlueStacksHelper.exe
explorer.exe
User:
admin
Company:
BlueStack Systems, Inc.
Integrity Level:
MEDIUM
Description:
BlueStacks Helper
Exit code:
3762507597
Version:
1.80
Modules
Images
c:\users\admin\desktop\bluestackshelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1160dw20.exe -x -s 1492C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
BlueStacksHelper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Error Reporting Shim
Exit code:
0
Version:
2.0.50727.9157 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\dw20.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9680_none_88e394a52fab6222\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
8 938
Read events
8 938
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
1160dw20.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BlueStacksHelper_441e73be3fd4fefb8d16875c8b81519a2b7ce_00000000_569e7331-25da-4108-a34d-e92949cb28ce\Report.wer
MD5:
SHA256:
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DDD60D479047B9472722C3115985BD00binary
MD5:DC93B6A1C3DD750F96476DEE000C152D
SHA256:37F94791BF245770F224668F61122654862F04A8E25EDF50E429FC17424B26C3
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141der
MD5:77CCF6A93642FCD3A64FBEFB79DD930E
SHA256:0551851C3BAF27193451E86857F532DD00FBCE1EAE72C2550814F569EDBB0D38
1160dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER.853fd10b-4823-4066-8d51-75d17fe0137b.tmp.xmlxml
MD5:88B78F44BF0C8E9A0B37AC564A8A6632
SHA256:4D8BBFD0DFB40584D18E3ABC3570CF9E20B0A051B24F3FC1DC4EECBADEA07688
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:9FF0E8FC94DB8AE3222CCE6334AE6E65
SHA256:BADE0F49C483174759CEE19375EF6C412CFDBEBB5AAF82DCE6669A19FCB2BA10
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:8CDD66D52CA2F372E4DA4A46B336D7EE
SHA256:14115735E08562ECF04251D722EEB632F0EF2D0AC037BC017D208BC7D9A13BB6
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DDD60D479047B9472722C3115985BD00der
MD5:E0F42648F27D6ABA1C6BF63725E5951C
SHA256:BE81659425FFC0F2CB745C53D36E4DB374A5C64B1D5B23D80CE0823E50B869E8
528BlueStacksHelper.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:15890246031AFEDD8B733282FC07618A
SHA256:4EC9F6B40CBA6F9C714380C801C1034CB59D32F1F97A76623F71ED8533986C81
1160dw20.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER.b65d90b9-309e-45ac-9706-ff7f9cac68be.tmp.WERInternalMetadata.xmlxml
MD5:57E3D6EB92356A2E95C90B90AF150828
SHA256:78D103ECB61D33E19E085D0165C238152E016987BBCB6EE423E88000CB840FFF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
43
DNS requests
31
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6424
MoUsoCoreWorker.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?65c207d86d738f3e
unknown
whitelisted
528
BlueStacksHelper.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
528
BlueStacksHelper.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
GET
200
2.22.61.177:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
528
BlueStacksHelper.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAT51QpseSyf051HLpg3tf8%3D
unknown
whitelisted
6404
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
6404
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
6404
firefox.exe
POST
200
95.100.146.57:80
http://r11.o.lencr.org/
unknown
whitelisted
6404
firefox.exe
POST
200
95.100.146.57:80
http://r11.o.lencr.org/
unknown
whitelisted
HEAD
200
23.35.236.109:443
https://fs.microsoft.com/fs/windows/config.json
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
52.109.89.18:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
192.168.100.255:137
whitelisted
6176
OfficeC2RClient.exe
52.109.89.18:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
6404
firefox.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
6404
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
2.22.61.177:80
Akamai International B.V.
DE
unknown
4524
rundll32.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6424
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6424
MoUsoCoreWorker.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1592
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
google.com
  • 142.250.185.142
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
fp2e7a.wpc.phicdn.net
  • 192.229.221.95
  • 2606:2800:233:fa02:67b:9ff6:6107:833
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BlueStacksHelper.exe