ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 22:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
Size

1.1MB
MD5

98341684249edae864b1ed61c1b0fd7c
SHA1

788c46a8814f5f39e56aa408711179bab5be398f
SHA256

ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7
SHA512

1c7695754dfa5ebe0a06023ba4795571e68cd02ffa30c2648633aec468dc4aacef59b281e10fe86401d0eeca4d36f64a3e32cdb697afa6e780c6ddb8eb588f58
SSDEEP

24576:HivtCX8jrlikZ3NzhXV0Oy5zCsP2/KzFazfA4hUlIiKPQk/sy:CtCX8nl9XxV07zCukz4BwUy

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe

Executes dropped EXE 3 IoCs

pid	Process
3668	BlueStacksInstaller.exe
2268	HD-CheckCpu.exe
3596	HD-CheckCpu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 3668	4340	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe	87
PID 4340 wrote to memory of 3668	4340	ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe	87
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 2268	3668	BlueStacksInstaller.exe	89
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95
PID 3668 wrote to memory of 3596	3668	BlueStacksInstaller.exe	95

C:\Users\Admin\AppData\Local\Temp\ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe
"C:\Users\Admin\AppData\Local\Temp\ab28a0f279d19c9c0c507a677b74616971f3e443277f0709bb619feffe40daf7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3596

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

cloud.bluestacks.com

BlueStacksInstaller.exe

Remote address:

8.8.8.8:53

Request

cloud.bluestacks.com

IN A

Response

cloud.bluestacks.com

IN A

34.160.86.181
GET

https://cloud.bluestacks.com/api/getcountryforip

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

GET /api/getcountryforip HTTP/1.1
Host: cloud.bluestacks.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

cache-control: no-cache
access-control-allow-origin: *
content-type: application/javascript; charset=utf-8
x-cloud-trace-context: 2a7aeecc383c12577fc53d329779882b
date: Sat, 27 Jul 2024 22:11:09 GMT
server: Google Frontend
Content-Length: 51
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/bs3/stats/unified_install_stats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /bs3/stats/unified_install_stats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 296
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: b89c1785958fd8b539ee6aa100fd1aca
date: Sat, 27 Jul 2024 22:11:11 GMT
server: Google Frontend
Content-Length: 0
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/app_player/get_bsx_cdn_url

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /app_player/get_bsx_cdn_url HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 131
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: a9e6424ad155a069772ffcb348099ede
date: Sat, 27 Jul 2024 22:11:14 GMT
server: Google Frontend
Content-Length: 444
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/launcher/features

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /launcher/features HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 95
Expect: 100-continue

Response

HTTP/1.1 200 OK

cache-control: no-cache
access-control-allow-origin: *
content-type: application/json; charset=utf-8
x-cloud-trace-context: 201a557e2901f9936e084d73d077709a
date: Sat, 27 Jul 2024 22:11:15 GMT
server: Google Frontend
Content-Length: 2
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/bs3/stats/unified_install_stats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /bs3/stats/unified_install_stats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 345
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: cd07d72a5eccf4245068d8144dfc28f5
date: Sat, 27 Jul 2024 22:11:15 GMT
server: Google Frontend
Content-Length: 0
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/bs3/stats/unified_install_stats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /bs3/stats/unified_install_stats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 359
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: ae3d65ae4d8b3e9f1c54804542946a1f
date: Sat, 27 Jul 2024 22:11:15 GMT
server: Google Frontend
Content-Length: 0
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://cloud.bluestacks.com/bs3/get_installer_images?md5_hash=&prod_ver=5.12.120.6303&oem=msi5&locale=en-US&android_image=Nougat32&bsxversion=10.0.30.6340&default_launch=bsx

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

GET /bs3/get_installer_images?md5_hash=&prod_ver=5.12.120.6303&oem=msi5&locale=en-US&android_image=Nougat32&bsxversion=10.0.30.6340&default_launch=bsx HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
User-Agent: MSI App Player Engine/5.12.120.6303/85e390cc-ca69-40a9-be47-954564e94cbc gzip
Host: cloud.bluestacks.com

Response

HTTP/1.1 200 OK

cache-control: no-cache
content-type: application/json; charset=utf-8
x-cloud-trace-context: 38762915f3b9b44985e78b4e62f65e8f
date: Sat, 27 Jul 2024 22:11:16 GMT
server: Google Frontend
Content-Length: 24
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

181.86.160.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.86.160.34.in-addr.arpa

IN PTR

Response

181.86.160.34.in-addr.arpa

IN PTR

1818616034bcgoogleusercontentcom
POST

https://cloud.bluestacks.com/bs3/stats/unified_install_stats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /bs3/stats/unified_install_stats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 290
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: 796602ce4bcf99b76d2c3e690ffa14b3
date: Sat, 27 Jul 2024 22:11:11 GMT
server: Google Frontend
Content-Length: 197
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/bs3/stats/unified_install_stats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /bs3/stats/unified_install_stats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 388
Expect: 100-continue

Response

HTTP/1.1 200 OK

content-type: text/html; charset=utf-8
cache-control: no-cache
x-cloud-trace-context: 495cc0e210b06f6b2d82e678235b1281
date: Sat, 27 Jul 2024 22:11:15 GMT
server: Google Frontend
Content-Length: 0
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
POST

https://cloud.bluestacks.com/app_player/miscellaneousstats

BlueStacksInstaller.exe

Remote address:

34.160.86.181:443

Request

POST /app_player/miscellaneousstats HTTP/1.1
x_oem: msi5
x_machine_id: 85e390cc-ca69-40a9-be47-954564e94cbc
x_version_machine_id: e3382c99-044c-4e9e-b3b1-2f7a3f3f931d
x_android_image: Nougat32
Content-Type: application/x-www-form-urlencoded
Host: cloud.bluestacks.com
Content-Length: 404
Expect: 100-continue

Response

HTTP/1.1 200 OK

cache-control: no-cache
access-control-allow-origin: *
content-type: application/json; charset=utf-8
x-cloud-trace-context: 4d8a5c9d523f93247d96e1b0f26cbead
date: Sat, 27 Jul 2024 22:11:16 GMT
server: Google Frontend
Content-Length: 17
via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

147.142.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.142.123.92.in-addr.arpa

IN PTR

Response

147.142.123.92.in-addr.arpa

IN PTR

a92-123-142-147deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 512342
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8265E4FA19304409891826395586121B Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 540045
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9F3CF4C8898C45C9B58DDA662630CBA8 Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301229_1AKKD8EG7YAB9ULZZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301229_1AKKD8EG7YAB9ULZZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 495006
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AEC409A5EDA941188BD044D60AB0C1A1 Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 706417
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E60F33E034C3442BA01A0925A9A966CD Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 545972
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1F1D1E6B09974FFEAF9EA9101136AEFD Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:43 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301638_1CJUTRVU9329NGGEA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301638_1CJUTRVU9329NGGEA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 977247
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EDDA50A97E65453FBE1F81139F25FCAD Ref B: LON04EDGE1106 Ref C: 2024-07-27T22:12:44Z
date: Sat, 27 Jul 2024 22:12:44 GMT
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response

34.160.86.181:443

https://cloud.bluestacks.com/bs3/get_installer_images?md5_hash=&prod_ver=5.12.120.6303&oem=msi5&locale=en-US&android_image=Nougat32&bsxversion=10.0.30.6340&default_launch=bsx

tls, http

BlueStacksInstaller.exe

4.6kB
8.1kB
23
31

HTTP Request

GET https://cloud.bluestacks.com/api/getcountryforip

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/bs3/stats/unified_install_stats

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/app_player/get_bsx_cdn_url

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/launcher/features

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/bs3/stats/unified_install_stats

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/bs3/stats/unified_install_stats

HTTP Response

200

HTTP Request

GET https://cloud.bluestacks.com/bs3/get_installer_images?md5_hash=&prod_ver=5.12.120.6303&oem=msi5&locale=en-US&android_image=Nougat32&bsxversion=10.0.30.6340&default_launch=bsx

HTTP Response

200
34.160.86.181:443

https://cloud.bluestacks.com/app_player/miscellaneousstats

tls, http

BlueStacksInstaller.exe

3.3kB
2.2kB
14
16

HTTP Request

POST https://cloud.bluestacks.com/bs3/stats/unified_install_stats

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/bs3/stats/unified_install_stats

HTTP Response

200

HTTP Request

POST https://cloud.bluestacks.com/app_player/miscellaneousstats

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301638_1CJUTRVU9329NGGEA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

134.7kB
3.9MB
2842
2838

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418559_1LXGGCLQWFST3067K&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301409_1O8VP6TH939POQOPO&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301229_1AKKD8EG7YAB9ULZZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300976_175WPYH13KO5QTHY0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418560_12H05GS2AXF1O4KMU&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301638_1CJUTRVU9329NGGEA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

cloud.bluestacks.com

dns

BlueStacksInstaller.exe

66 B
82 B
1
1

DNS Request

cloud.bluestacks.com

DNS Response

34.160.86.181
8.8.8.8:53

181.86.160.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

181.86.160.34.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

147.142.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

147.142.123.92.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\backicon.png

Filesize
778B

MD5
bb32b6c0cb2fd3b9329f0813e1b4239d

SHA1
241b75e5e21aa3e7a6aae5066de65d65db49651f

SHA256
77533707194f691af85e6c990d852b949c09018378c8f9d87763b54b1c118f67

SHA512
e3aa89c3ba19f4d0a26fc6f3fd725c5201f3609b7e3f91bd8fa1fe95aa8cfdac5d684893ccac3e81b290ad241c048264d12bb1c6aa4b9646e604879b54bb9d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\checked_gray.png

Filesize
659B

MD5
f5273eda49f641257ccb5fc5235cee80

SHA1
ac2f52d7a0b34facc5cebf4745fb72e15c0e5c8d

SHA256
fc88b72393b58799ad747a988b76c1b9d8ce3dbaedfd0463e74d6a33be0878b6

SHA512
95457d926dbb7dbcd7c5b30fe6ec45634ab7c0f3dbd5820c8956d21d33a0f5feddc36e0d52d40abbb8b0ba07c005e4594dd56dab1cb278ee3104ec14d8ca921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\close_red.png

Filesize
1KB

MD5
3759fdf92c29556e5740a6282507e1f9

SHA1
23960cb0edd610083edd8f817c03add5e883453d

SHA256
8cd75e91be69cf7cc6e6979c14b394a11fe683be7b62d5163da1073bb568b7d9

SHA512
d0773ead77552514a2cd7fd7e55abe730579b4fab24981eb976ac43a821fc5a06ae02626e48dff83a58acb37db23d5527444faf5d4b7cb2fc78df33b065b80d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\custom.png

Filesize
580B

MD5
07c7f00c7498d32e8045c1a0eda0727d

SHA1
bebf52df35cf5a95dd6ff5da778b83c5eafeb052

SHA256
8eaab641d186f93f50d2d2bbae6ac5b3c937ca30665bf916321a35c83253eca3

SHA512
142752b1ab40a23f654293a15e075321020322fc0f19efdab93e69716cc0ff5dc2148a83f7db149b7dcd8c30b7f542c0f89ac52bd50470e756b07b00ec78f5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_bg.jpg

Filesize
353KB

MD5
49875ca1499a58b4ca9abda4d34adea5

SHA1
091155113dd5cf955211fd7a932ecba32f8bf136

SHA256
15bde105d61a562560d354614e0254dc4259000d8f610b32be8a965bf26829ca

SHA512
08cf0ce98b4c31f5879789f9458f14526fa3483096efd5feeca0f9b477456d80eb542a1e2f5823593e6d7d4d9d106bae0a7a7f096bacb638ee6fcfc67e13623a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_logo.png

Filesize
19KB

MD5
7ad11e07d8f30571debb2a69f77833c2

SHA1
6351d8968889c6a636abafa2a989b788fd477822

SHA256
fe59d96de7342bcbfea62564e92d8e27530fc52c16399399be5f1d6c45340246

SHA512
7bc37d326a0d0fcf80231b2e69f3491f7ea8a714fa70b91d5606f9a03054b2c9113b4caf5bb5c980f53c5c73a769a11d1634660cd7c1e1e213124d6b55b2fbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\installer_minimize.png

Filesize
157B

MD5
857bcef475b0d4c1d669bf47a143e85e

SHA1
072746be2f79c9571ec9b7e3b702a8cdef5a2b66

SHA256
8e6e37b79756bfebb943d51d3571926fe4992748c4a673bbb6d78b22e87bc7f6

SHA512
b7e236edefe3f4aceefd912f2b6cfcecee034125ff082d3bac5fdf6db57c89dc2dfb4a96897529aed8834a423529680cc0ba1c94d497eb8d9c4f450ff70cf79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\setpath.png

Filesize
355B

MD5
f4c65de79fb292fd6104eb1a160ca09b

SHA1
52173df03e93433d88b50ebcd7d3bdbc32bd4165

SHA256
9ea14db4e8d39be52c9b55a39119d5f95dc331a0559d38de44fd8e72e8677718

SHA512
db4bca2ed5582efe9ca27ec67bff59ed2a66c471dc4e4247818e3b79838b57a00cd69d92b709c3a7e0628d7c9e9508335aff877279d30741de18226f0626dced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Assets\unchecked_gray.png

Filesize
321B

MD5
8b3031b63549708b7ef422da8dfc42a5

SHA1
46407a76af6ac9887a15bd682533922c4b2d09da

SHA256
8355a9b447991ed53c3e1c768f397b622f9535faadb26913e4f2298cc3621c5c

SHA512
97b2fe161483b90abafc0bff3e4839f357aa3c0765b1d5d54e5210fcd9d543480eb4ff3671f2706def344ccc83548fe8d064b9ba1bb15abae9e718b87b91298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe

Filesize
599KB

MD5
bb2236d5046a01067d4be45e5a188900

SHA1
da71f9f9b3d6b5eb3bc63a43bb21d6ca6aa94846

SHA256
b1c4692a370d1871a77d4308d2c65f5507168caf0508e14d9b12bea218f4ba84

SHA512
7cf34504b82248275049e272e1afaa5f47d3981f656d7cb9e4791f63823b2dceeadee9f51ada834e7f41467195b93fbc05747067e9786b921787c8fb5c621b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\Locales\i18n.en-US.txt

Filesize
18KB

MD5
2e67781c074a702af42f2c2259a9e94d

SHA1
c40ec186835abd9e8cd1976b0005e57e17c672f2

SHA256
858f09be7e462198c0e77b2b84de544158789f53eff200be78eab70a6acadd1a

SHA512
4adbf7cb6f1621ed1d3904beaad55eb5229475c9007c7ba41720d9dcc9b3f63c849b9a5cd9aaf86c5a063693b80c1b39fdf41eb2b026f35cd15a5d92d5ce843a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4F013AE7\ThemeFile

Filesize
79KB

MD5
51e4b1a661b3e96697b54899cb2317de

SHA1
1cacf6e055023cd2cd7100e2537a6d2dee7d9a84

SHA256
87bbd881c9603d6032564b787a85a1c040fc1a2c216f25a1b0b62e26fedcdf69

SHA512
55dbe855478a32ba78f15b0611847f609279fe262a7940c024a09378d58e1b84397038847aad03cd113ab5d1e4026fb323fb07d3024e0470f40eefa18949e7d3

Download Submit
memory/3668-119-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-133-0x000000001DAF0000-0x000000001DB28000-memory.dmp

Filesize
224KB

Download
memory/3668-129-0x000000001DCA0000-0x000000001E1C8000-memory.dmp

Filesize
5.2MB

Download
memory/3668-128-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-127-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-134-0x000000001DAC0000-0x000000001DACE000-memory.dmp

Filesize
56KB

Download
memory/3668-118-0x000000001C9D0000-0x000000001CA38000-memory.dmp

Filesize
416KB

Download
memory/3668-116-0x00000000003E0000-0x000000000047A000-memory.dmp

Filesize
616KB

Download
memory/3668-144-0x00000000218A0000-0x00000000218A8000-memory.dmp

Filesize
32KB

Download
memory/3668-115-0x00007FFBF6D53000-0x00007FFBF6D55000-memory.dmp

Filesize
8KB

Download
memory/3668-146-0x00007FFBF6D53000-0x00007FFBF6D55000-memory.dmp

Filesize
8KB

Download
memory/3668-147-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download
memory/3668-148-0x00007FFBF6D50000-0x00007FFBF7811000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.