Analysis Overview
SHA256
0f6f10d6878d8ad729d409d81fec2ebfd3faa146cd2e7173c880d0fa2630f6f8
Threat Level: Likely malicious
The file drive-download-20241117T030056Z-001.zip was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Reads the content of photos stored on the user's device.
Loads dropped Dex/Jar
Queries information about running processes on the device
Requests dangerous framework permissions
Reads information about phone network operator.
Queries information about the current Wi-Fi connection
Checks the presence of a debugger
Checks computer location settings
Uses Crypto APIs (Might try to encrypt user data)
Loads dropped DLL
Executes dropped EXE
Registers a broadcast receiver at runtime (usually for listening for system events)
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies system certificate store
Checks memory information
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Checks CPU information
MITRE ATT&CK
Enterprise Matrix V15
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 03:32
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20240903-en
Max time kernel
118s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar
Network
Files
memory/3068-2-0x00000000025D0000-0x0000000002840000-memory.dmp
memory/3068-10-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/3068-11-0x00000000025D0000-0x0000000002840000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:40
Platform
win10v2004-20241007-en
Max time kernel
125s
Max time network
173s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:40
Platform
win10v2004-20241007-en
Max time kernel
129s
Max time network
177s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:40
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
173s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
174s
Command Line
Signatures
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1696-2-0x0000027EAD150000-0x0000027EAD3C0000-memory.dmp
memory/1696-11-0x0000027EAB880000-0x0000027EAB881000-memory.dmp
memory/1696-12-0x0000027EAD150000-0x0000027EAD3C0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20240903-en
Max time kernel
117s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2432 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2432 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2432 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2432 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2432 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\manifest.json
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\manifest.json"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 34f601e66cdc124020e7fa8bba6cf136 |
| SHA1 | 990715914341010547e2805d74e8ba35452668f1 |
| SHA256 | 790d99fa06f27b0d128934f6cd7346dd254cfcb9647c4d20e150e6a868b7669e |
| SHA512 | 15ba80e16498e021b398c53607546159a646f2f870c0026eda462f1958f16986e84b28a8205e34f5a0fa8ed22cf8a5164dc148e64604e617984d9562912440af |
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20240903-en
Max time kernel
102s
Max time network
30s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2668 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2668 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2668 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2920 wrote to memory of 2560 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2920 wrote to memory of 2560 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2920 wrote to memory of 2560 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2920 wrote to memory of 2560 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | d5e8af9a71c091cecabdc9e2e58346ad |
| SHA1 | 5a5cf1eca9ad70ae07370705952850faf87dc734 |
| SHA256 | 10fa0fa325fd8a63ffb0c8af42a79974ef709504ca4ce50cbdb14d5afe2d7d54 |
| SHA512 | e6ef908ee5b15de895fa2d69ba5d1eb494124378944d998b8b72c58dd0990e53f64427c546a194f2893dac56efa732f7a9e9684d13949bf90995ec1f5c1d999a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20241010-en
Max time kernel
121s
Max time network
142s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:40
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20241010-en
Max time kernel
15s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280180000000100000010000000fd960962ac6938e0d4b0769aa1a64e261400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191830f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72800f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e261400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183180000000100000010000000fd960962ac6938e0d4b0769aa1a64e2619000000010000001000000014d4b19434670e6dc091d154abb20edc0f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b031400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183180000000100000010000000fd960962ac6938e0d4b0769aa1a64e2619000000010000001000000014d4b19434670e6dc091d154abb20edc0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280040000000100000010000000c6150925cfea5941ddc7ff2a0a506692200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 180000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b031400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191830300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280040000000100000010000000c6150925cfea5941ddc7ff2a0a50669219000000010000001000000014d4b19434670e6dc091d154abb20edc200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe" --cmd checkHypervEnabled
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud.bluestacks.com | udp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 8.8.8.8:53 | delegate.bluestacks.com | udp |
| US | 52.2.140.10:443 | delegate.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 8.8.8.8:53 | crt.rootg2.amazontrust.com | udp |
| FR | 3.164.163.127:80 | crt.rootg2.amazontrust.com | tcp |
| US | 52.2.140.10:443 | delegate.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\change_hover.png
| MD5 | 57092634754fc26e5515e3ed5ca7d461 |
| SHA1 | 3ae4d01db9d6bba535f5292298502193dfc02710 |
| SHA256 | 8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1 |
| SHA512 | 553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a |
\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
| MD5 | 0d021ad9fc86a22215cd014b088f307e |
| SHA1 | 531e18244b9a43798562c1297c09ccc0239adb61 |
| SHA256 | c14eb1c61d737e195ce06cb84ba2b05925dcf36ac35c1078f260e423b1ad3485 |
| SHA512 | e5d977d5a3f5a5888e054521168a9ac22712892d5aea225a6f545e9be885deef1983fbcd963927367b2d7439c18b2e6c71a6b143a924a41f5acabc76e0a6e993 |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe.config
| MD5 | 1b456d88546e29f4f007cd0bf1025703 |
| SHA1 | e5c444fcfe5baf2ef71c1813afc3f2c1100cab86 |
| SHA256 | d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb |
| SHA512 | c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6 |
memory/920-127-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
memory/920-129-0x0000000000EC0000-0x0000000000F60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\JSON.dll
| MD5 | f5fd966e29f5c359f78cb61a571d1be4 |
| SHA1 | a55e7ed593b4bc7a77586da0f1223cfd9d51a233 |
| SHA256 | d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156 |
| SHA512 | d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be |
memory/920-131-0x0000000000E30000-0x0000000000E98000-memory.dmp
memory/920-132-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD2C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD6E.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Locales\i18n.en-US.txt
| MD5 | a1e3293265a273080e68501ffdb9c2fc |
| SHA1 | add264c4a560ce5803ca7b19263f8cd3ed6f68f0 |
| SHA256 | 1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f |
| SHA512 | cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe
| MD5 | 81234fd9895897b8d1f5e6772a1b38d0 |
| SHA1 | 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3 |
| SHA256 | 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c |
| SHA512 | 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16 |
memory/920-189-0x0000000000A80000-0x0000000000A8A000-memory.dmp
memory/920-190-0x0000000000A80000-0x0000000000A8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\loader.png
| MD5 | 03903fd42ed2ee3cb014f0f3b410bcb4 |
| SHA1 | 762a95240607fe8a304867a46bc2d677f494f5c2 |
| SHA256 | 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1 |
| SHA512 | 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857 |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\ThemeFile
| MD5 | c3e6bab4f92ee40b9453821136878993 |
| SHA1 | 94493a6b3dfb3135e5775b7d3be227659856fbc4 |
| SHA256 | de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6 |
| SHA512 | a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a40a116ea7f315cbb2c16a918705a4fb |
| SHA1 | 8a0c12d4aa711840cd709841e3629c3515e32ad7 |
| SHA256 | 73cb0b2f7ac94f256be621c563d6ffe2446a781206896a10ec12f10464649c9a |
| SHA512 | 3a0c1d0f0fdc5328119275f91862505d86ed5b66d8314cf18a110225f1cdd0eb4653f02a3136932948a4c470fa1b9b7763dd06261d9575e32d97120d020a90f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cbce2bdb62cfb3ad5c3760db3b3c34d5 |
| SHA1 | 5fdb0472cdb36dfba615e38cac0b7cb51b2a50ac |
| SHA256 | 51fcbf4cffb3013b3bb401ee36c7fc793992cb261a04d0d2c572aa7efae1d066 |
| SHA512 | 227024b208731796d68624cea5b153030dbc1b2a34647ff1117e987ff8cfc86b597076992936c696d695e5d1ca01b9090b14ca6e5751ac6ee901cb8603136a61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 27c46e7a711637e36f99f94253323c40 |
| SHA1 | 6b81a19b6034c151a016739a201cc58da9017417 |
| SHA256 | b71f29bfbb9bfc3a662bed4d4db5cf33dfa1ee8fadf9416d5d1a60158b90ee05 |
| SHA512 | 6b27dc775414384993f56aa3d281b78626a90d7cf07a44ae26f9c331cf109a01113b66d4191417ba2df4a9f7f9e1924a00e969edf5401bd96f5eb5adae13d3e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45c2d356361984982b8a174c0629dabc |
| SHA1 | a0909016c10eba1362412aa4240a83a0d99414d0 |
| SHA256 | e5826e29020571e47122485f94acf1970893cd8fdd44253680c27e3980f477a5 |
| SHA512 | a9b1d06a76eda5448421c13f803cb0fa88d2a28ed52b8bfd0971c7e5ca314e1315548436a69b05b166609e903707b020643c452d8662e261a9dbf25bfffd1125 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82bcb85707f8943f65431a8dfe5f1554 |
| SHA1 | 07c8b7274f617e9fda14a8bac0d319a38221f637 |
| SHA256 | 5d3210b4fc94e94e37a64f95bac6abc1c6b7d9ba1ce3456d4c57f7fc9c605a60 |
| SHA512 | 08d4b99714e686f49e11f0319ed3696dec42ecccb1879410d665828cd5749d81e586e28f5cc0b9ae699ddafc9dd686617b8e1551010953387899d721f8921d57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0872be1eb6281de2ece7489be17ee8a3 |
| SHA1 | 9ce85a86020a371ae69ebecc47dc0c66cb41e952 |
| SHA256 | 79b77225ab340c9ce8737cf33364aac5c4df43fb492c60b5522a9b0bd646c2c1 |
| SHA512 | 4b77374a478a4979b7eddade32ec249be737e83295467d38b43be04a870f79a2a742582f7a01b4869a116686d2db6166d32a970525a68647ceeb59de97ec5046 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c53c2beaea9d83e29b1dd3b77bc41ae2 |
| SHA1 | f7f7e85b0da9c8524b07ce8db821ff0d14b3cc4c |
| SHA256 | 2758b6acb5c87871f8e5984991a87d423e239c066d4392b7b24b4c3714d90324 |
| SHA512 | b61eccfcf0625aad718895adf1c8ef7de8b9644a1d52fd609a82cda2b67562c76d7d541eee74a045553761b4dc08821a955182f06345f6ec86bae0c7d1b4e35b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8839869fba583131a44d38d7538ca03 |
| SHA1 | 9b7ca767b06b8fd1710fc78cef04b0907f273915 |
| SHA256 | fad9913e6c5fe618a7e882928dc3f78dbe6958284c3d758594d9479ea4dc3936 |
| SHA512 | 35f8c0a496e1c2c17c0dbb8ae6c9c5a23babacc62e267bb5e9b97b7a0e501c30dd6d01836ac752021f41f4f471966de1a6596e12ac79fc5babd92017c400960f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc611c095b5496781c32210b5a4e2d0f |
| SHA1 | e3eedd980673a0f1b4cb699c58c47b96020bf2c0 |
| SHA256 | 0acfb97a3a802c63e14d1610e66d88febf6d9eec9d951c1662047f0952df30c4 |
| SHA512 | b37df90381598d394a4e7c7adb40c6e74b339682075bbf9b64b1fb1a275935beb5510eb50712ddf09b9b8baa23cd3b3fb56b4c3b49bfdc20b402f13b51b932d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 102c0afbd52432e1fbfda8d84c3e31ee |
| SHA1 | 641753c9a4850f74868a40551396610a5437259b |
| SHA256 | 08e6a0e6c921c8472fb130841178634995287c36e809fa94fb12290317a7d7fb |
| SHA512 | 39dc4f89ad8d179d899c565d1c1208d9c376a0b837dfa9cc29eee73b788682a507a08a3e3987707d23b945a643edbf941053bb417e22c02a0b10d97745f35cb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d98efec43ea873b3cfa709eb5ef1dee |
| SHA1 | 9eb1eb0b7c77be7814b045b3ce78bd5005d21c02 |
| SHA256 | 2611b715aa42fda5b7a1aca54e86f377ab26d2e981f4ea3234adf3f31ce9261f |
| SHA512 | f80656a0481291b588370ed27766e398f8224e7aac1810433698184f02a0ffc052c2226aa560688b2076a4d9d3edd61011cbe7f80e46f6ff3df026bf41a46e4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1801ca321aceaaba8790f7bd0b8e0cfb |
| SHA1 | 454a7dbdc0ec3a529dd2cfba88ccc429e408f08e |
| SHA256 | 326cd9d81b577b08085b9cb221cbc67d8f36e87aa4435cd2dcedf6d630342108 |
| SHA512 | 6921a1f0def0b4c1ed96a3518c0ec1288f80ec329da41deb4309c66ca11bf8ab05aa4e116208074e6d5fb42582ba54ac7e553ad34ea7a9392c7e33d8a52e5941 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8c5e4c0154678d80799fde1795f4993 |
| SHA1 | 7144c4238dc2d1ceee5d714c10a8b63e4ca1c50f |
| SHA256 | edee620f8db08bac70e0789f1e6d02633f3f776ecdb56d4f51ee8b4dcc441910 |
| SHA512 | ab9dfe1292c77871a04a4c41096bfaccb3899cd7547b64820758f5f2883733510a82130f1983303ddd024e18f6470304707102a71a99db97443c526c4d649689 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eff76776b4bb885c054c09b50c2ca14b |
| SHA1 | 54ddc0e9a3f26c7e3478dcccef42400452e42682 |
| SHA256 | af4ee5de06868e75df0039e209a38e97ddc773428520bb64c00d192d8405c523 |
| SHA512 | 7a438d13f7c08643b64c216bddd9ac61d338460f0f531db62337cf724e9defce31f083b05dea1620f2e70807fe5d578f9f992aa0b064d1a281f6e9ba849e64e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | d9a52c304b1781e64d6c68d8d9481400 |
| SHA1 | c9ce3a97aceddcde6582f54690415f6e9186b245 |
| SHA256 | ad10a9c3ca312cfaf1623c395de0cb6f9ee81581f46cbc0ec7a7585ebbcbd7f9 |
| SHA512 | 7adaece4aa1eb94c1970a272c67ff250975354af18afedd66100e75b32d9915e30930f3d94c7c48bb80483b25cc0d513d193555d562a6cf087dcc11ac1599e57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7
| MD5 | 731534cd7441e37ee789f772c1ac4ffe |
| SHA1 | 6ab51df76218be73e36074cd3bda7d2f2aaea2df |
| SHA256 | 32df0658c84c29725d3d9fc7af9add0f64d750083854820ca8e2ba269aaefbd4 |
| SHA512 | cfacec3c84320d0566794c5ce7191dad9087e50ba99bda8546dd13d9cc253e84713104271e10522ac892f9b7b0a9d0184196e624fed1a5a9a01924a9489c7639 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7
| MD5 | c6150925cfea5941ddc7ff2a0a506692 |
| SHA1 | 9e99a48a9960b14926bb7f3b02e22da2b0ab7280 |
| SHA256 | 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996 |
| SHA512 | b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69fdee4d2d2dfa188bed8b2a2a43e488 |
| SHA1 | 5826f3e0eced944ef2e850b9882e4c9e665a3565 |
| SHA256 | f143aad5ad4b31f7acb9c6c2d0d99a2b7cba896263a2affc4652d7748631fb56 |
| SHA512 | e25f824a3f83c9d3f664af1dcc8a92c140fde1c38247bc2f2a32613d777d34109cab68ff5fe18fb77d19be88265b426fec4f446fcccfdc610c61170a1053d1fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c744ca5276d4c7e54d30d3eaa4b4e95b |
| SHA1 | da88255313f2038ac72d2be553ea110f93027943 |
| SHA256 | 0991ed507bce56e2b193c370d23d23fb663ce20e275826c837d602b215f9c846 |
| SHA512 | e23e0587797266902e6085a944680404c5dd9145fe05acde0b4fe5dee53ed96143ee3ce672ad08dad4df6ba0182b019cadb341443c5b790f7c6b72a5e47b0f94 |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\minimize_progress.png
| MD5 | 1504b80f2a6f2d3fefc305da54a2a6c2 |
| SHA1 | 432a9d89ebc2f693836d3c2f0743ea5d2077848d |
| SHA256 | 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6 |
| SHA512 | 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94 |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\exit_close.png
| MD5 | 26eb04b9e0105a7b121ea9c6601bbf2a |
| SHA1 | efc08370d90c8173df8d8c4b122d2bb64c07ccd8 |
| SHA256 | 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157 |
| SHA512 | 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68 |
C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\error_icon_72.png
| MD5 | 4aaf83d2b3fd56ad806708e60474df39 |
| SHA1 | 144777a265879b69fadea3eb3ac6939458918578 |
| SHA256 | 84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f |
| SHA512 | 3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7348038121260f26323f679cc666c33d |
| SHA1 | f413c158aafd6aa51adf8bd206cdf53d74e0431b |
| SHA256 | 5a04370bf766a335ddde6fd279ec2d57a4fa495b81cab1cfedd15e355369a6bc |
| SHA512 | d64469afe0d784f16f2d4de2713b6d9958a7c4ef86b356ab353df400d591938877d45ad21bf83e47140c47924b0437cc8eef92daefd43ad921f96f6895fe6424 |
memory/920-850-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
memory/920-851-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
memory/920-852-0x0000000000A80000-0x0000000000A8A000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
175s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe" --cmd checkHypervEnabled
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe" --cmd checkSSE4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud.bluestacks.com | udp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 34.160.86.181:443 | cloud.bluestacks.com | tcp |
| US | 8.8.8.8:53 | 181.86.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn-bgp.bluestacks.com | udp |
| GB | 2.20.12.81:443 | cdn-bgp.bluestacks.com | tcp |
| US | 8.8.8.8:53 | 81.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\change_hover.png
| MD5 | 57092634754fc26e5515e3ed5ca7d461 |
| SHA1 | 3ae4d01db9d6bba535f5292298502193dfc02710 |
| SHA256 | 8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1 |
| SHA512 | 553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe
| MD5 | 0d021ad9fc86a22215cd014b088f307e |
| SHA1 | 531e18244b9a43798562c1297c09ccc0239adb61 |
| SHA256 | c14eb1c61d737e195ce06cb84ba2b05925dcf36ac35c1078f260e423b1ad3485 |
| SHA512 | e5d977d5a3f5a5888e054521168a9ac22712892d5aea225a6f545e9be885deef1983fbcd963927367b2d7439c18b2e6c71a6b143a924a41f5acabc76e0a6e993 |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe.config
| MD5 | 1b456d88546e29f4f007cd0bf1025703 |
| SHA1 | e5c444fcfe5baf2ef71c1813afc3f2c1100cab86 |
| SHA256 | d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb |
| SHA512 | c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6 |
memory/1972-125-0x00007FF8BFF33000-0x00007FF8BFF35000-memory.dmp
memory/1972-126-0x00000000003D0000-0x0000000000470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\JSON.dll
| MD5 | f5fd966e29f5c359f78cb61a571d1be4 |
| SHA1 | a55e7ed593b4bc7a77586da0f1223cfd9d51a233 |
| SHA256 | d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156 |
| SHA512 | d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be |
memory/1972-128-0x000000001AFA0000-0x000000001B008000-memory.dmp
memory/1972-129-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Locales\i18n.en-US.txt
| MD5 | a1e3293265a273080e68501ffdb9c2fc |
| SHA1 | add264c4a560ce5803ca7b19263f8cd3ed6f68f0 |
| SHA256 | 1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f |
| SHA512 | cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
| MD5 | 81234fd9895897b8d1f5e6772a1b38d0 |
| SHA1 | 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3 |
| SHA256 | 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c |
| SHA512 | 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16 |
memory/1972-135-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\loader.png
| MD5 | 03903fd42ed2ee3cb014f0f3b410bcb4 |
| SHA1 | 762a95240607fe8a304867a46bc2d677f494f5c2 |
| SHA256 | 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1 |
| SHA512 | 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857 |
memory/1972-137-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
memory/1972-138-0x000000001D640000-0x000000001DB68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\ThemeFile
| MD5 | c3e6bab4f92ee40b9453821136878993 |
| SHA1 | 94493a6b3dfb3135e5775b7d3be227659856fbc4 |
| SHA256 | de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6 |
| SHA512 | a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895 |
memory/1972-140-0x000000001CCA0000-0x000000001CCD8000-memory.dmp
memory/1972-141-0x000000001C9B0000-0x000000001C9BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\installer_minimize.png
| MD5 | 38b539a1e4229738e5c196eedb4eb225 |
| SHA1 | f027b08dce77c47aaed75a28a2fce218ff8c936c |
| SHA256 | a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2 |
| SHA512 | 2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\installer_logo.png
| MD5 | e33432b5d6dafb8b58f161cf38b8f177 |
| SHA1 | d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a |
| SHA256 | 9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183 |
| SHA512 | 520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\close_red.png
| MD5 | 93216b2f9d66d423b3e1311c0573332d |
| SHA1 | 5efaebec5f20f91f164f80d1e36f98c9ddaff805 |
| SHA256 | d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb |
| SHA512 | 922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32 |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\setpath.png
| MD5 | b2e7f40179744c74fded932e829cb12a |
| SHA1 | a0059ab8158a497d2cf583a292b13f87326ec3f0 |
| SHA256 | 5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b |
| SHA512 | b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\backicon.png
| MD5 | 7ff5dc8270b5fa7ef6c4a1420bd67a7f |
| SHA1 | b224300372feaa97d882ca2552b227c0f2ef4e3e |
| SHA256 | fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1 |
| SHA512 | f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef |
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\custom.png
| MD5 | 03b17f0b1c067826b0fcc6746cced2cb |
| SHA1 | e07e4434e10df4d6c81b55fceb6eca2281362477 |
| SHA256 | fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b |
| SHA512 | 67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2 |
memory/1972-150-0x00000000218E0000-0x00000000218E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\Assets\installer_bg.jpg
| MD5 | 3478e24ba1dd52c80a0ff0d43828b6b5 |
| SHA1 | b5b13bbf3fb645efb81d3562296599e76a2abac0 |
| SHA256 | 4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904 |
| SHA512 | 5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d |
memory/1972-161-0x00007FF8BFF33000-0x00007FF8BFF35000-memory.dmp
memory/1972-162-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
memory/1972-163-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
memory/1972-164-0x00007FF8BFF30000-0x00007FF8C09F1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
android-x86-arm-20240624-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | Anonymous-DexFile@0xebabe000-0xebac0aa8 | N/A | N/A |
| N/A | Anonymous-DexFile@0xe8b3c000-0xe8b3f14c | N/A | N/A |
| N/A | Anonymous-DexFile@0xe8aa9000-0xe8aabd2c | N/A | N/A |
| N/A | Anonymous-DexFile@0xcd652000-0xcd657b38 | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Reads the content of photos stored on the user's device.
| Description | Indicator | Process | Target |
| URI accessed for read | content://media/external/images/media | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Reads information about phone network operator.
Checks the presence of a debugger
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.dts.freefireth
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | graph.facebook.com | udp |
| GB | 163.70.147.22:443 | graph.facebook.com | tcp |
| GB | 163.70.147.22:443 | graph.facebook.com | tcp |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | rslw0r-cdn-settings.appsflyersdk.com | udp |
| GB | 18.239.238.20:443 | rslw0r-cdn-settings.appsflyersdk.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
| GB | 142.250.180.14:80 | android.clients.google.com | tcp |
Files
/data/data/com.dts.freefireth/files/xx_tmp_guard.dat
| MD5 | 3b27ad3a0ed8a5dc9562d3ce35a48ce4 |
| SHA1 | f4be5950171fce0869792520bba55f171675851b |
| SHA256 | d0a3c71ed94cc9c450c134bd89e54c95f6ee801b146d557d1bab436908b862e1 |
| SHA512 | 12c9477144bc0974bc861d593bb17a6d1cd97f8892e666091aabac749b4c62e1de76b5007728f93b24cffe00c000c823e2be93f850a1dda0a62ada468eba7a58 |
/data/data/com.dts.freefireth/files/xx_tmp_guard.dat
| MD5 | 70bc8f4b72a86921468bf8e8441dce51 |
| SHA1 | de8a847bff8c343d69b853a215e6ee775ef2ef96 |
| SHA256 | 66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925 |
| SHA512 | 5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3 |
/data/data/com.dts.freefireth/files/ace_shell_di.dat.tmp
| MD5 | c4088b773c278ababa874389a956ac13 |
| SHA1 | 711f12f25b9501e2099d819a1af665300640e000 |
| SHA256 | cc70c38dd7a586dffeb05bca9aa07f21a4dbd6700972cbe68804f9b00c674120 |
| SHA512 | 88a422d102b2822ff8a8e0887acece3dff2f0ae5df882b283a0c0c1ed2382f41ebb0f836f97e5a16b7851d878b955278cc1966f0d81f78c1cc74035ae2d31aed |
/data/data/com.dts.freefireth/files/app/data/libbugly/crash.info.tmp
| MD5 | d2d0de827e715cd317e2a0e8dd1c9caf |
| SHA1 | 0a2425ed3972dfb2401979271abbe6248a5c90dc |
| SHA256 | 112e4f885802f87757cfdb2d14d571a17a1cc6595f543c67a53e7dd33048555a |
| SHA512 | a137c93ad4ae6b33655c1b71be1b4552e5431c431a7bdd2a89f1849f76840d2df2cadebc89bff69b32f8cf05345410f1eebdf6ed2dce815a13f67d23fa05db8c |
/data/data/com.dts.freefireth/files/data/app/com.dts.freefireth-xrz2yZqpO_y6MF0ywEpytg==/base.apk.tmp
| MD5 | ff64991c7c19157cbf9742395e751042 |
| SHA1 | e645bf229b382e617b88d8f78e5b868da8433a7a |
| SHA256 | 7f6e9ee88675adbea3506be9d707465003d3cd37989cba19f009f9bdb490b111 |
| SHA512 | 55e98f66e46fd04578df39501031248dc30917af8712a8f874f3d8bf17e448c87b032b4d9a4f0b5c0f19a02a62678d30be25ac0b7ace268a02c19a8373b9ee09 |
/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpSHC.dat.tmp
| MD5 | 47bc34805115516eaac6b2aa82b20611 |
| SHA1 | f2fdd2b9ce42927697e714bd11520b4c2bb066d5 |
| SHA256 | 9a7f76a0de4a1c2f296eb7a25b3c87a77ac99a37cd91224b6a99178092360807 |
| SHA512 | 8846bdf58962161d4af02fe10cb7700afffce35f1ffb9ef48b45db3814e38ffba33754b1efe15fb1ee368ea74a0fac579f65e98b77d764b73d10a85bb32866c7 |
/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpCCH.dat.tmp
| MD5 | b36b07b66eca5d71b5582433f196c74a |
| SHA1 | ade773909a46d941df52f1e0c5920ef1cd6d6a63 |
| SHA256 | ee060f1067179ff5c44d3a9a9bf258e6616bc2f1ec2b7029c93a9b1f2b893fe4 |
| SHA512 | de9708dad47d246ee0f1ecbe6aaa29591bb25de96cd2a2bffb1e80200b793fe0895e313f988c1f4122b6d5c34fcc866e39b9d696cd4a67eb90851a689189ce46 |
/data/data/com.dts.freefireth/files/ano_tmp/ace_shell_db.dat.tmp
| MD5 | 0b350da9e673672cc6537e4bb483b819 |
| SHA1 | 2215d02868733a9409e3fce9c9c16fe20a1e74f6 |
| SHA256 | 663b38dff9a429faa3a3e24c11b933dd2ab3879b89498802aae59ca047110450 |
| SHA512 | 7aff4c8fdd145a3d8e70ed14fcc2a176aaf12712ab0bc6ca4d9524dc05edd6cbc4ac4ebd33afb41adc8165923f97c32b22a10b2d9fa1981d438d82c659dcd3af |
/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpCCH2.dat.tmp
| MD5 | f93f048ee2115cf007baea8f2913db95 |
| SHA1 | 6368352ad58b0f45202289fd9388c5cae103fea4 |
| SHA256 | 954980c2da7f325fe08a419fb0862ef1e951c283d436550b605b795df7372a0d |
| SHA512 | 2c4fd318b67f1af2ec56c706a651d2e67c2d5940dd9227fd625af31dc26b95c32ae5f2ffbf7cf0e0e9fbad5f2f1c30beaf2283c8c3928313b435bc355099ff92 |
/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-journal
| MD5 | 4b29537c66b136b6961c1dbab8c964e9 |
| SHA1 | 68b35d7003f703afdeee6c4edb0c86e1c87aeeff |
| SHA256 | 2f71ee0ff260ff2ae81e6bb3f1f39e562c7208adf634e9fc6a3ceb4e2987bc0c |
| SHA512 | e6251406828978703c71eb4d3e24e67dc57591f026f11d447e7d61cae3ce674fad3e33ee7b5fe6107006689cf3f6e5deb8d1f9c7e97d919263a1f182aab0aebf |
/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-wal
| MD5 | da44debd5a9d9bac87d8621e4225ab6e |
| SHA1 | c6b8b234ced32f20684de06d465abdd2c646ae75 |
| SHA256 | 92dcce7cb8e7312fc7adf09a03e213df194d9559503a320dd8930c65c576e30a |
| SHA512 | e5bace850fc2ae10f32400eb109fe2f1304a6a4326bd4ff36ca33a1c2d688fcd3367bc11159ad99f4f7b7b340adc5b21563b77e63bb7639ee49840f965889c8e |
/data/data/com.dts.freefireth/files/.com.google.firebase.crashlytics.files.v2:com.dts.freefireth/open-sessions/673964EB027A000110C796A6E513BA9A/report
| MD5 | 66a34df1724772c7cc2f476e19d730e4 |
| SHA1 | 3d316432625e127f61e2a492967919a90a156e4c |
| SHA256 | a2bada1d771df26617a389014203aba717b7656db27e87db321182cfb8208c81 |
| SHA512 | b79b2cb962f09b91f5b970efbe8b87edf9cc1009fe7661cb1142298ed5a0c8f3cfe4b1c0755907289c8607fc648d39bcbe5ca3625da8d61481450399729b14a7 |
/data/data/com.dts.freefireth/files/GGMEs.version
| MD5 | 33d6dddf6f61b809bc59a10122bf93ec |
| SHA1 | d3ea3fc04015f85da4e653e00333faf0fb09195f |
| SHA256 | 9926fd9d2ff304db3d0ead824da601f7f8bd7c9c1a26b247aa9a0a772e2f1d09 |
| SHA512 | 7419644775595d60154577b3c3593a9488734204d48e03ed3bded7f3e850d9a253beec47041b7aff3297bb0e73e1d6ad1297795ca6a9e047586260b47039d24a |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/Resources/mscorlib.dll-resources.dat
| MD5 | 21d06dbc8af6432b2b49536ed30609af |
| SHA1 | 11a1c0e2ab2f8c06fe4507535ed47e0dd279a60d |
| SHA256 | c5baa176a5b72cd545266340e42102d393a5e43d38c95796bc828918bb95277f |
| SHA512 | 2971f54eaa14c3ce6e2352e5a1aea5b044f0894bf4eac92de8cd92515b6473b5ca56ebfcad4369a9d4935cbefea2540a83f332fd4d832c37768310e8776ceb5e |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/Metadata/global-metadata.dat
| MD5 | 43341ce1b66599b904ae8ed0692e1399 |
| SHA1 | bf3f63b4ef4b96c0a96c60790d721c586a447668 |
| SHA256 | 18b6d91d4c245e67afabb21a6ec30421ffb56b6553be73e5d6bfac5835523d38 |
| SHA512 | c859b944912f9bd58401846834a5212c15763272dff268a8681907ed9ee1127b343e0f1561995b9f3f3aa8cbfdf7d7674bbea0c3b25313dad019ad6318e5a6bd |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/mconfig/config.xml
| MD5 | 096bb534f21d5adfed1aaf8c011a1204 |
| SHA1 | 9ad10801601db8eae86f550a0a51d94ed18bcbcc |
| SHA256 | a1809f956176325c3ab236854789da917e8fd445d863b400272850e1f2336d64 |
| SHA512 | d3a91f16d6bc8db4d8cbb4a568c16d58aeacabb11b6e1132a4acc66062b8bb160c16be7ea331532a95fe18dcf7e7477e1a8fea3baf0174841199580bf815983e |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/1.0/DefaultWsdlHelpGenerator.aspx
| MD5 | 5f05cffc86a6401d0441aeda6fd1706b |
| SHA1 | f3b197c706f6c147df6f4564776d195260dff72a |
| SHA256 | fefc3b909fc80286ae54d71dc67bff15acd9a3a38d91f79133056bac352c86b8 |
| SHA512 | 4eafa387c0d6e4a64316ad8c15bfc6919b8b3fb485a7f4811d4b57625396edf7ac30124d4c3288d221419b614cbbae14d47939b6014f109b4438a21f3da88c35 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/1.0/machine.config
| MD5 | aac6d2ce4d64d2ca9a1e7b953e3414c7 |
| SHA1 | 022510cf8def98e8d19678a3535b650f6abcf2b9 |
| SHA256 | 2115920755189829be20a81083735aebd217f216e02450e7f65187003142850c |
| SHA512 | feb13a2f56b8d7d08bfa4e1c8e57a1d9944a20a973c3a56527a5d74e5eccde7a36ee56a288541d3d3d5ffb7a2da814c5dc7e53fe7d4d1b616893d115ec0316ca |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/DefaultWsdlHelpGenerator.aspx
| MD5 | ce0f7bdf7344da4ddbe9372a0000f70f |
| SHA1 | 4d59c8b5335107c1be0be64c130dde3fb1ac6c84 |
| SHA256 | 7daa0c6a2bdd90c41278ae60eae82cf3976256b9832f4445d626fbda35c90a1b |
| SHA512 | 8874c02a6535fef726ed864f82ad193f54ac64dba1f035da307caa05518d7954927356c333dfd6d1d0624d658405b978d38b220bd3c5a14d90b4d4fc73124bcb |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/settings.map
| MD5 | ac24f77bfedc2fb05ea51ec6c7225ae0 |
| SHA1 | d77676d27f59885f3ec83fa7497ee25257a59fe3 |
| SHA256 | 205285250b2f5482698e8a58181cdd711bf87f182083ff03db41aef0fa073361 |
| SHA512 | d893e5f04481dbe876e7c3dc03971af85b2803d159bce48f6ab6f957feffce8917552f8f4eacf828b3128cf1700299e11d302d77312ae1fd04bb53a51fe260b5 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/web.config
| MD5 | f56fcf1b58ad450f85effd827f4d6acd |
| SHA1 | bd85d36d737dca1bbe59a8f4795356e820a44b54 |
| SHA256 | d72ff8c60ca58fd3bc106365d753c5bfad9f85d33757aeb2ffdf745d61cec1b1 |
| SHA512 | da7561788fbba1b0665ad2714be50af10ca0c587b1b488dc45fab8d515319dbf3012c7a9bd8574c8083e0aed2d4eb9806277d3867e463c79aab8142e98fa7882 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/Browsers/Compat.browser
| MD5 | 3201df8753c86b4be9cc69c046883d3c |
| SHA1 | 04bb09e087efe7d13751ed0b7d9ba0d6e32e93a7 |
| SHA256 | bf4ae2fe630714eee3d7b0a28285a3aa49a6589a3660e58cf7868aca3321a7b1 |
| SHA512 | ab5590bb8173e277bb7bbcb252a6d65fe5ddc8df02f1be1f772b3dc2a1350f9a17f93e020f27350ad5ef940604ab52e38230d3cfcc3f1f014a4e492104c917b0 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/machine.config
| MD5 | ecb736a47b2a18f6d1829c140766164e |
| SHA1 | ba466f417bb27e3d8d6b4cf98d2e9be184bd02e2 |
| SHA256 | 1173db3dab5192fc7087626053d3ab33cb597d2b2e69c3bc849157cf319fe721 |
| SHA512 | cca1600bbb052cc6e892ff5599cb97081747f1c1b7c5b7599df33faca19016400481451dbf9848cb7dd17c1e514776ba11eb63dcac66439cad7ac69c92987087 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/browscap.ini
| MD5 | 3eba8a4048e7d197b14cc3eaca87c92b |
| SHA1 | 3032d831a309ac97343d87b48e4ffd6e9d0a9359 |
| SHA256 | a0380d7baac874d8c1401da882b4bf06b037fd91ba19aae63f7d76c8f0e8f7e6 |
| SHA512 | b7fb46fb5dc132e05d71f683cd9702994be0aa1ff7e7bc5ff230ce78ab1462a50f6cfaee9a5d25c6ecbb94187e880ed84087bbc14393bfbf3a8ca0f203ecd431 |
/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/config
| MD5 | 55a2b628fce21505424a2fa0a35f29a9 |
| SHA1 | 5f47cfd81c382b3c5cd4adf5d20fe60444cb993d |
| SHA256 | c8ecdbb063c481da5e18f76b0dd60c8dccbdaf73c19d930e579c9794cc21d562 |
| SHA512 | b42bd2848b667a3dd71ecff39e53a6c3ed8564e731dfa88c3d7759d3a647e3131ded2f5ecd4459174dae32920250ba627e4bd9acaca28e4e297fa3676ef4937a |
/data/data/com.dts.freefireth/files/DSAs.dump
| MD5 | 92820166e40fac24af843e4841e73cc0 |
| SHA1 | 1cb04dd3a5cd459827a05f4f05dd2c6e4385c1dd |
| SHA256 | 8ae89f7009b4c69b3ba09a2221cfb2800b0b8b2ff50259933ad14371c207eadd |
| SHA512 | b3d954b63a8cee0689c2259bf5582f083d210853784bb2e579e4503ebf7b21012052d4010683f6b20f1bbe18cfd72dfae9fd70eca59f7ce0d1e99dc42f548e68 |
/data/data/com.dts.freefireth/files/Deps.dump
| MD5 | bd5573fc16c4e3838e5344ce1abf92d3 |
| SHA1 | 9f86c378b2ba3afbc8026ffd31f4dbd0a45965a0 |
| SHA256 | 58dd77371b12e232097b9d8f782609bdc5eb8705e54b9211fc58b905df681568 |
| SHA512 | a6d4fcb165ec9b5d53b46bc36b00f7be405ed3b4c7116d0f8fc6298c84c092b7d0e8da0721387a5f303ce5d771513ee925e3a14bafdf6b647245368c7eba7d9c |
/data/data/com.dts.freefireth/files/RMP.dump
| MD5 | 0242719f617f35551408dae23ba3f681 |
| SHA1 | 590b9f555fd5fcf3d1ccdcb3a68b054ce1f031d1 |
| SHA256 | 513427a5ab39a731c1f61e4d6c8e5cbea4e806b1f456d4176903c459a37cdcd2 |
| SHA512 | 490e538e0eafcec55acd8c8908062415fa45dcf48ecd37221788fbcac28006a475f0046679f0f4d87539219106bd5072ca5fc811a37596d10d6934a5b509ece9 |
/data/data/com.dts.freefireth/files/InitDump.version
| MD5 | 95e7673c79f6231726400c81c3ac891f |
| SHA1 | cc4a9bdf3ef681c22628a32172a2dcf2f387e46b |
| SHA256 | c85b6ff86bdec8221db54d3f85b4d09e00823bbceae9837174a072ae8fbcdeea |
| SHA512 | f446134ffca198a327b32db811ceb7e20c381b16c84b8a796124249aaf2b8aa42dd74e9df8c0f4c79b8e3cf69ce3d7325b74d4c8a87d58aca320ea2237503e23 |
Anonymous-DexFile@0xebabe000-0xebac0aa8
| MD5 | e00990fd74b49515a73bb04c0132a8df |
| SHA1 | 66d7750d27b4a5e8c6822ee8f7df7132c1eecd06 |
| SHA256 | f4b81ad5a3336f3b7653faf6da2a281edcb4967bb60b5a06b1d88a19e3e39da7 |
| SHA512 | 9dbfaa135a333dd1d261b04232fe814132e3bb0999040b30d327384c2820f804377f6178bb4fd1be8297cf34684b5441decbae1f2997a194b2ae1cc5c7b8a4a6 |
Anonymous-DexFile@0xe8b3c000-0xe8b3f14c
| MD5 | b48839921953187e835fb5731ad78ad4 |
| SHA1 | 2314e0c6e07148b1deb82b4a87947f17d8197ba7 |
| SHA256 | 445db7e82ef1b927f7176a746c353b40b202a18033229c4d18d495163f836874 |
| SHA512 | 340e30e3cb02f05ec88abccfd2dae53d7b49a64db942c5fb8889f481f840d1c5c5e90047dd63c6a09c72ddcbb388495b1bea3aa0de57b0ed54af47a232227dc0 |
Anonymous-DexFile@0xe8aa9000-0xe8aabd2c
| MD5 | e91f7ac648fac3b9fcb31e0faf662dc1 |
| SHA1 | b1870b65269fe088c5bb4635b735304590c4444d |
| SHA256 | 6c25e3eeef0b1607ae21ff248b7fa286a5aee41b19fa01167aaa39d3951540c3 |
| SHA512 | 304ed2bedf08e5f17e12b7c4621f64bd6a94d78f9d6404f52d3c26d0c910accc8cdb19deb06b90f730d23900da36ea785f5b8f22a47d4f8458c496765b543b4e |
Anonymous-DexFile@0xcd652000-0xcd657b38
| MD5 | 57b9fc36122c38752064ea474051ddec |
| SHA1 | 264cce700c20cdf09c7f95a0e025cab01c4a2518 |
| SHA256 | 19b314a696d2c932ab6fcdb147b930b0287e036b87fa0ca4b86be91490da2977 |
| SHA512 | b91d525c1b1d37c9a1c95b26141defa1ba0467da257aa0105da8ee0eb3d9b473c62b2e1106e0dfa0bfa1402fd48dd4db5a8cdb6da1f84ac8c8bea78fa0b43f45 |
/data/data/com.dts.freefireth/databases/DownloadsDB-journal
| MD5 | 922398fc3c58de048dd1b024daebd174 |
| SHA1 | 91ed4f901025ac7614a9fc009f5af80ca409c4bc |
| SHA256 | 98ccb262d37d5138796a8f76415aedd0d0b2e4f13674f73bc26955b171d3f2f5 |
| SHA512 | 1db599f4f79da17b3ee392bf4ef5fc4bfe98640e27fb13dfbedd83aa2e2368fba2fedc968442ccfad86a241fbee0f79dfe9697d024c2f71d27f1cc281a358308 |
/data/data/com.dts.freefireth/databases/DownloadsDB-wal
| MD5 | 6895980990097b48eb10e6b46e9f37da |
| SHA1 | 7296af4a90fd00ad234520d17c0c9108f35d28e8 |
| SHA256 | 572251390d2a7fd26cd8957aa63492a313feae6d944b085672067773f63a3ddf |
| SHA512 | 2503103e48078f9bfab49f8c02f799fe941a59240074948e6209da2480478e6aae5e1cb855c9e40857cd636fbaa300d469acad400f3f67cb6f8a87aa02a5b000 |
/data/data/com.dts.freefireth/files/AFRequestCache/1731814648264
| MD5 | b7bb9651c0982c637d5131a9ad203f8e |
| SHA1 | f4bcd1fb8d1373a08a8ce0a511db16915f924e4d |
| SHA256 | 90674ca200e31e806ff23fab9779581ec8c72606f5456261a3c2a716eb327ed0 |
| SHA512 | d4828a25a2c3643d1202048465c1830c866060265bd2b1295a128057cc384b347241bbff40d832406980b7c89138e10a68a33d2fd046330e85b0197fbe947176 |
/data/data/com.dts.freefireth/files/AFRequestCache/1731814648567
| MD5 | e47930aade5c5def0d2186eeb0bb4ccc |
| SHA1 | e691bbdb4a373d70492937be09bda5efbadd775a |
| SHA256 | 125f07ae33010cfa54b44f518735d4da2ea79ea68a17b70fd70780023e1f69e7 |
| SHA512 | 1d2839efbbbafec5ced01610f071fc9526bb7cbad89623ab85e8a34a41fdc48fd1d1ca16b3c2d1bc30e03e1f3f57071c27c6e5b33fd02ea7dca46b49d2a60059 |
/data/data/com.dts.freefireth/files/ano_tmp/ace_cache_db.dat.tmp
| MD5 | 12e81664f62baf6722bc855934df3157 |
| SHA1 | 36e7d42a99a3ac4d1a1dba25e7d2d80f8f3ec726 |
| SHA256 | 3a98ff9a5ef0e6c6f5aa474b0ddffe234a22c3049c79f665914b36dd7a7d96d5 |
| SHA512 | afbe8ed8bfde5d723a2465e0c6a3d51090f4da718086e925198438d15fd7766dced919ebbdbb3df843a5d704830de5242cdbcdefb81ba40d65ae353fe735695e |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:40
Platform
win7-20240903-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20240903-en
Max time kernel
11s
Max time network
32s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\icon.png
Network
Files
memory/2460-0-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2460-1-0x0000000000320000-0x0000000000321000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
162s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\icon.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
166s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-17 03:29
Reported
2024-11-17 03:39
Platform
win7-20240729-en
Max time kernel
66s
Max time network
22s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"