Malware analysis BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe Malicious activity

Add for printing

File name:	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe
Full analysis:	https://app.any.run/tasks/5ac1d0ed-88f1-4a89-843b-70eb3989d434
Verdict:	Malicious activity
Analysis date:	December 03, 2020, 19:03:12
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	blue malicious network
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	011E5D3F14FCE23F00F43B958BD74D90
SHA1:	138CAADB352BE7E6F7184266319A92DE34378B4F
SHA256:	91405AA0B9DD7C256255096D7A20C182E55D36A837DDE3320BF10CFC604F1001
SSDEEP:	24576:ZcVkKS/WtWrnngnnnKnanxNpZb67JBVzSKDzzma/EO6O34gezvf0xiLsZpR46l1:ZcB6WErnngnnnKnanzbo5FDzBsO6ij0K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Drops executable file immediately after starts
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 2216)
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 3508)
  - BlueStacksInstaller_4.240.30.1002_native_7b1cc5560873b1d21fe43f0f3209510b.exe (PID: 2912)
- Application was dropped or rewritten from another process
  - BlueStacksInstaller.exe (PID: 2752)
  - BlueStacksInstaller.exe (PID: 2444)
  - BlueStacksInstaller.exe (PID: 2544)
  - BlueStacksInstaller.exe (PID: 2612)
  - BlueStacksInstaller.exe (PID: 3156)
- Changes settings of System certificates
  - BlueStacksInstaller.exe (PID: 2752)
- Loads dropped or rewritten executable
  - BlueStacksInstaller.exe (PID: 2752)
SUSPICIOUS
- Executable content was dropped or overwritten
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 2216)
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 3508)
  - BlueStacksInstaller.exe (PID: 2752)
  - BlueStacksInstaller_4.240.30.1002_native_7b1cc5560873b1d21fe43f0f3209510b.exe (PID: 2912)
  - chrome.exe (PID: 3028)
  - chrome.exe (PID: 3628)
- Drops a file with a compile date too recent
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 2216)
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 3508)
  - BlueStacksInstaller_4.240.30.1002_native_7b1cc5560873b1d21fe43f0f3209510b.exe (PID: 2912)
- Reads Environment values
  - BlueStacksInstaller.exe (PID: 2444)
  - BlueStacksInstaller.exe (PID: 2752)
  - BlueStacksInstaller.exe (PID: 2612)
  - BlueStacksInstaller.exe (PID: 3156)
- Application launched itself
  - BlueStacksInstaller.exe (PID: 2444)
  - BlueStacksInstaller.exe (PID: 2612)
  - taskmgr.exe (PID: 1392)
- Drops a file that was compiled in debug mode
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 2216)
  - BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe (PID: 3508)
  - BlueStacksInstaller_4.240.30.1002_native_7b1cc5560873b1d21fe43f0f3209510b.exe (PID: 2912)
- Adds / modifies Windows certificates
  - BlueStacksInstaller.exe (PID: 2752)
- Modifies files in Chrome extension folder
  - chrome.exe (PID: 3628)
INFO
- Application launched itself
  - chrome.exe (PID: 3628)
- Manual execution by user
  - chrome.exe (PID: 3628)
  - taskmgr.exe (PID: 1392)
  - rundll32.exe (PID: 1780)
  - rundll32.exe (PID: 3100)
  - rundll32.exe (PID: 1616)
  - rundll32.exe (PID: 3248)
  - rundll32.exe (PID: 4076)
  - rundll32.exe (PID: 2948)
- Reads the hosts file
  - chrome.exe (PID: 3028)
  - chrome.exe (PID: 3628)
- Reads settings of System Certificates
  - chrome.exe (PID: 3628)
- Dropped object may contain Bitcoin addresses
  - chrome.exe (PID: 3028)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:02:21 17:00:00+01:00
PEType:	PE32
LinkerVersion:	6
CodeSize:	104448
InitializedDataSize:	372224
UninitializedDataSize:	-
EntryPoint:	0x1910c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	19.0.0.0
ProductVersionNumber:	19.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	BlueStack Systems Inc.
FileDescription:	BlueStacks Installer
FileVersion:	4
InternalName:	BlueStacks Installer
LegalCopyright:	Copyright (c) BlueStack Systems Inc.
OriginalFileName:	BlueStacksInstaller.exe
ProductName:	BlueStacks Installer
ProductVersion:	4

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	21-Feb-2019 16:00:00
Detected languages:	English - United States
CompanyName:	BlueStack Systems Inc.
FileDescription:	BlueStacks Installer
FileVersion:	4.00
InternalName:	BlueStacks Installer
LegalCopyright:	Copyright (c) BlueStack Systems Inc.
OriginalFilename:	BlueStacksInstaller.exe
ProductName:	BlueStacks Installer
ProductVersion:	4.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000108

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	21-Feb-2019 16:00:00
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LARGE_ADDRESS_AWARE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00019745	0x00019800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.63014
.rdata	0x0001B000	0x00003A98	0x00003C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.39319
.data	0x0001F000	0x000023F0	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.30023
.sxdata	0x00022000	0x00000004	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0203931
.rsrc	0x00023000	0x00056DB0	0x00056E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.08403

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.02012	659	Latin 1 / Western European	English - United States	RT_MANIFEST
2	4.12778	67624	Latin 1 / Western European	English - United States	RT_ICON
3	4.47733	9640	Latin 1 / Western European	English - United States	RT_ICON
4	4.77612	4264	Latin 1 / Western European	English - United States	RT_ICON
5	5.18496	1128	Latin 1 / Western European	English - United States	RT_ICON
97	2.93146	144	Latin 1 / Western European	English - United States	RT_DIALOG
188	2.17822	84	Latin 1 / Western European	English - United States	RT_STRING
207	2.4279	108	Latin 1 / Western European	English - United States	RT_STRING

Imports


KERNEL32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

312

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=727735082713039528 --mojo-platform-channel-handle=2548 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

652

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8058907739387316890 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

700

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2929283873064578727 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

840

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15845923924118845660 --mojo-platform-channel-handle=3872 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1392

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1616

"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl

C:\Windows\System32\rundll32.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1688

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=14368532708231253905 --mojo-platform-channel-handle=3788 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1772

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,8148611532721311529,16159575251196318888,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13627712254095674608 --mojo-platform-channel-handle=4208 --ignored=" --type=renderer " /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1780

"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl

C:\Windows\System32\rundll32.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1904

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6c3fa9d0,0x6c3fa9e0,0x6c3fa9ec

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

3 465

Read events

3 267

Write events

193

Delete events

Modification events


(PID) Process:	(2216) BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2216) BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\Software\BlueStacksInstaller
Operation:	write	Name:	MachineID
Value: 7313f563-0777-47e0-97eb-365f27ea5c1d
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_CURRENT_USER\Software\BlueStacksInstaller
Operation:	write	Name:	VersionMachineId_4.240.30.1002
Value: 34336652-4f8f-4937-a801-46f9b3973a7e
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2444) BlueStacksInstaller.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing

Add for printing

Executable files

Suspicious files

Text files

336

Unknown types

Dropped files

PID	Process	Filename		Type
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.it-IT.txt		text
		MD5:023A31D90379612D98521B53FBD7436E	SHA256:94CAB09EB0B4B6A648F1B3C149792881D884419386FEDE8F0FEFA85D3BA4A269
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.ar-IL.txt		text
		MD5:9FB07E066CC2F213A64D35A97A8C2922	SHA256:65E7B0F37B5E2AA805AC8D57969804D803430186F34E9703CA9FA09BA908EF90
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.es-ES.txt		text
		MD5:FB1819935E7031AA26CD5363D7FB06C0	SHA256:12723B04B25736B4BA25D613DCCEE05E1EACD1DAC42DA75C497C84BE3B9355A2
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.ar-EG.txt		text
		MD5:1B19F0DAF118F03B79C30FB22BDA884E	SHA256:EF08D46EAA87A179B56E3327BB65878F902446CC2BF419FA661F941962D5F1C5
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.de-DE.txt		text
		MD5:0B733F60C9AF585C1B5B94605E50E862	SHA256:BBE1237766E1B71181DD5052FFA2C45F457B0E351E0816C1C66624E052B43853
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\BlueStacksInstaller.exe.config		xml
		MD5:1B456D88546E29F4F007CD0BF1025703	SHA256:D6D316584B63BB0D670A42F88B8F84E0DE0DB4275F1A342084DC383EBEB278EB
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.vi-VN.txt		text
		MD5:23467B22A80B1712364381E8845B050B	SHA256:6E96FDE6F2D5D5374CD90A1E83DE4B01064E8F8668DD389E52D644A0F0285963
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.ko-KR.txt		text
		MD5:6A1F4FD5A320F3E701EDC5A9B2B4A700	SHA256:3FD86EEBD83D3949C329B5722E63847FBC473848086B89BFA7CED58C7567C619
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.fr-FR.txt		text
		MD5:568830BFD78398A1596E14B95E58AE5A	SHA256:6790DCEF71775352801721E2DB0146E676778E844BC6644FFA1DB0374F3AB4F2
2216	BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe	C:\Users\admin\AppData\Local\Temp\7zS8A82D6B5\Locales\i18n.pt-BR.txt		text
		MD5:2684801FCE0B856F86B434D8EBB99057	SHA256:61FC84CDE1719D0C927CC15C2EE5AD83CB292F36B1BEB072B473327A6F5C492B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3156	BlueStacksInstaller.exe	GET	—	65.9.68.7:80	http://cdn3.bluestacks.com/downloads/windows/bgp/4.240.30.1002/8c6ba9ef64cc2e5c31f0e855e519e5b3/x86/BlueStacks-Installer_4.240.30.1002_x86_native.exe?filename=BlueStacksInstaller_4.240.30.1002_native_7b1cc5560873b1d21fe43f0f3209510b.exe	US	—	—	shared
3628	chrome.exe	GET	304	67.27.159.126:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	57.5 Kb	whitelisted
3628	chrome.exe	GET	200	67.27.159.126:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	57.5 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2444	BlueStacksInstaller.exe	216.58.205.243:443	cloud.bluestacks.com	Google Inc.	US	whitelisted
2752	BlueStacksInstaller.exe	216.58.205.243:443	cloud.bluestacks.com	Google Inc.	US	whitelisted
3028	chrome.exe	216.58.207.45:443	accounts.google.com	Google Inc.	US	whitelisted
3028	chrome.exe	142.250.74.195:443	www.google.com.ua	Google Inc.	US	whitelisted
3028	chrome.exe	172.217.22.35:443	www.gstatic.com	Google Inc.	US	whitelisted
3028	chrome.exe	173.194.73.95:443	fonts.googleapis.com	Google Inc.	US	whitelisted
3028	chrome.exe	173.194.222.101:443	apis.google.com	Google Inc.	US	whitelisted
3028	chrome.exe	172.217.23.110:443	ogs.google.com.ua	Google Inc.	US	whitelisted
3028	chrome.exe	64.233.165.139:443	clients2.google.com	Google Inc.	US	whitelisted
3028	chrome.exe	216.58.212.163:443	fonts.gstatic.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
cloud.bluestacks.com	216.58.205.243	whitelisted
clientservices.googleapis.com	216.58.212.131	whitelisted
accounts.google.com	216.58.207.45	shared
www.google.com.ua	142.250.74.195	whitelisted
fonts.googleapis.com	173.194.73.95	whitelisted
www.gstatic.com	172.217.22.35	whitelisted
apis.google.com	173.194.222.101 173.194.222.113 173.194.222.138 173.194.222.102 173.194.222.100 173.194.222.139	whitelisted
ogs.google.com.ua	172.217.23.110	whitelisted
clients2.google.com	64.233.165.139 64.233.165.102 64.233.165.138 64.233.165.100 64.233.165.101 64.233.165.113	whitelisted
fonts.gstatic.com	216.58.212.163	whitelisted

Threats

PID	Process	Class	Message
3156	BlueStacksInstaller.exe	Potential Corporate Privacy Violation	AV POLICY HTTP request for .exe file with no User-Agent
3156	BlueStacksInstaller.exe	Potentially Bad Traffic	ET POLICY Executable served from Amazon S3
3156	BlueStacksInstaller.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3156	BlueStacksInstaller.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

Add for printing

No debug info

General Info

BlueStacksInstaller_4.240.30.1002_native_51ccd2083bae0570102a4a87c2a2c3f2.exe

011E5D3F14FCE23F00F43B958BD74D90

138CAADB352BE7E6F7184266319A92DE34378B4F

91405AA0B9DD7C256255096D7A20C182E55D36A837DDE3320BF10CFC604F1001

24576:ZcVkKS/WtWrnngnnnKnanxNpZb67JBVzSKDzzma/EO6O34gezvf0xiLsZpR46l1:ZcB6WErnngnnnKnanzbo5FDzBsO6ij0K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops executable file immediately after starts

Application was dropped or rewritten from another process

Changes settings of System certificates

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Drops a file with a compile date too recent

Reads Environment values

Application launched itself

Drops a file that was compiled in debug mode

Adds / modifies Windows certificates

Modifies files in Chrome extension folder

INFO

Application launched itself

Manual execution by user

Reads the hosts file

Reads settings of System Certificates

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings