Malware Analysis Report

2025-05-28 18:48

Sample ID 241117-d2dcsszfrb
Target drive-download-20241117T030056Z-001.zip
SHA256 0f6f10d6878d8ad729d409d81fec2ebfd3faa146cd2e7173c880d0fa2630f6f8
Tags: discovery collection evasion impact persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

0f6f10d6878d8ad729d409d81fec2ebfd3faa146cd2e7173c880d0fa2630f6f8

Threat Level: Likely malicious

The file drive-download-20241117T030056Z-001.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery collection evasion impact persistence

Checks if the Android device is rooted.

Reads the content of photos stored on the user's device.

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Reads information about phone network operator.

Queries information about the current Wi-Fi connection

Checks the presence of a debugger

Checks computer location settings

Uses Crypto APIs (Might try to encrypt user data)

Loads dropped DLL

Executes dropped EXE

Registers a broadcast receiver at runtime (usually for listening for system events)

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies system certificate store

Checks memory information

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-17 03:32

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20240903-en

Max time kernel

118s

Max time network

137s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar

Network

N/A

Files

memory/3068-2-0x00000000025D0000-0x0000000002840000-memory.dmp

memory/3068-10-0x0000000001B70000-0x0000000001B71000-memory.dmp

memory/3068-11-0x00000000025D0000-0x0000000002840000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:40

Platform

win10v2004-20241007-en

Max time kernel

125s

Max time network

173s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:40

Platform

win10v2004-20241007-en

Max time kernel

129s

Max time network

177s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:40

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

173s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

174s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar

Signatures

N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Android\obb\com.dts.freefireth\main.2019117682.com.dts.freefireth.jar

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1696-2-0x0000027EAD150000-0x0000027EAD3C0000-memory.dmp

memory/1696-11-0x0000027EAB880000-0x0000027EAB881000-memory.dmp

memory/1696-12-0x0000027EAD150000-0x0000027EAD3C0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20240903-en

Max time kernel

117s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\manifest.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\manifest.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\manifest.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 34f601e66cdc124020e7fa8bba6cf136
SHA1 990715914341010547e2805d74e8ba35452668f1
SHA256 790d99fa06f27b0d128934f6cd7346dd254cfcb9647c4d20e150e6a868b7669e
SHA512 15ba80e16498e021b398c53607546159a646f2f870c0026eda462f1958f16986e84b28a8205e34f5a0fa8ed22cf8a5164dc148e64604e617984d9562912440af

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20240903-en

Max time kernel

102s

Max time network

30s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 d5e8af9a71c091cecabdc9e2e58346ad
SHA1 5a5cf1eca9ad70ae07370705952850faf87dc734
SHA256 10fa0fa325fd8a63ffb0c8af42a79974ef709504ca4ce50cbdb14d5afe2d7d54
SHA512 e6ef908ee5b15de895fa2d69ba5d1eb494124378944d998b8b72c58dd0990e53f64427c546a194f2893dac56efa732f7a9e9684d13949bf90995ec1f5c1d999a

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20241010-en

Max time kernel

121s

Max time network

142s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:40

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

155s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\drive-download-20241117T030056Z-001.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20241010-en

Max time kernel

15s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe N/A

Modifies system certificate store

Tags: evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
PID 2016 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
PID 2016 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
PID 2016 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe
PID 920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe
PID 920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe
PID 920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe
PID 920 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe" --cmd checkHypervEnabled

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloud.bluestacks.com udp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 delegate.bluestacks.com udp
US 52.2.140.10:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
FR 3.164.163.127:80 crt.rootg2.amazontrust.com tcp
US 52.2.140.10:443 delegate.bluestacks.com tcp
US 34.160.86.181:443 cloud.bluestacks.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\change_hover.png

MD5 57092634754fc26e5515e3ed5ca7d461
SHA1 3ae4d01db9d6bba535f5292298502193dfc02710
SHA256 8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1
SHA512 553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe

MD5 0d021ad9fc86a22215cd014b088f307e
SHA1 531e18244b9a43798562c1297c09ccc0239adb61
SHA256 c14eb1c61d737e195ce06cb84ba2b05925dcf36ac35c1078f260e423b1ad3485
SHA512 e5d977d5a3f5a5888e054521168a9ac22712892d5aea225a6f545e9be885deef1983fbcd963927367b2d7439c18b2e6c71a6b143a924a41f5acabc76e0a6e993

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\BlueStacksInstaller.exe.config

MD5 1b456d88546e29f4f007cd0bf1025703
SHA1 e5c444fcfe5baf2ef71c1813afc3f2c1100cab86
SHA256 d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb
SHA512 c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

memory/920-127-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/920-129-0x0000000000EC0000-0x0000000000F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\JSON.dll

MD5 f5fd966e29f5c359f78cb61a571d1be4
SHA1 a55e7ed593b4bc7a77586da0f1223cfd9d51a233
SHA256 d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156
SHA512 d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

memory/920-131-0x0000000000E30000-0x0000000000E98000-memory.dmp

memory/920-132-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD2C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD6E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Locales\i18n.en-US.txt

MD5 a1e3293265a273080e68501ffdb9c2fc
SHA1 add264c4a560ce5803ca7b19263f8cd3ed6f68f0
SHA256 1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f
SHA512 cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\HD-CheckCpu.exe

MD5 81234fd9895897b8d1f5e6772a1b38d0
SHA1 80b2fec4a85ed90c4db2f09b63bd8f37038db0d3
SHA256 2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c
SHA512 4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

memory/920-189-0x0000000000A80000-0x0000000000A8A000-memory.dmp

memory/920-190-0x0000000000A80000-0x0000000000A8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\loader.png

MD5 03903fd42ed2ee3cb014f0f3b410bcb4
SHA1 762a95240607fe8a304867a46bc2d677f494f5c2
SHA256 076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1
SHA512 8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\ThemeFile

MD5 c3e6bab4f92ee40b9453821136878993
SHA1 94493a6b3dfb3135e5775b7d3be227659856fbc4
SHA256 de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6
SHA512 a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

SHA1 9e99a48a9960b14926bb7f3b02e22da2b0ab7280
SHA256 28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996
SHA512 b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69fdee4d2d2dfa188bed8b2a2a43e488
SHA1 5826f3e0eced944ef2e850b9882e4c9e665a3565
SHA256 f143aad5ad4b31f7acb9c6c2d0d99a2b7cba896263a2affc4652d7748631fb56
SHA512 e25f824a3f83c9d3f664af1dcc8a92c140fde1c38247bc2f2a32613d777d34109cab68ff5fe18fb77d19be88265b426fec4f446fcccfdc610c61170a1053d1fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c744ca5276d4c7e54d30d3eaa4b4e95b
SHA1 da88255313f2038ac72d2be553ea110f93027943
SHA256 0991ed507bce56e2b193c370d23d23fb663ce20e275826c837d602b215f9c846
SHA512 e23e0587797266902e6085a944680404c5dd9145fe05acde0b4fe5dee53ed96143ee3ce672ad08dad4df6ba0182b019cadb341443c5b790f7c6b72a5e47b0f94

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\minimize_progress.png

MD5 1504b80f2a6f2d3fefc305da54a2a6c2
SHA1 432a9d89ebc2f693836d3c2f0743ea5d2077848d
SHA256 2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6
SHA512 675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\exit_close.png

MD5 26eb04b9e0105a7b121ea9c6601bbf2a
SHA1 efc08370d90c8173df8d8c4b122d2bb64c07ccd8
SHA256 7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157
SHA512 9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

C:\Users\Admin\AppData\Local\Temp\7zS0E71FED6\Assets\error_icon_72.png

MD5 4aaf83d2b3fd56ad806708e60474df39
SHA1 144777a265879b69fadea3eb3ac6939458918578
SHA256 84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f
SHA512 3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7348038121260f26323f679cc666c33d
SHA1 f413c158aafd6aa51adf8bd206cdf53d74e0431b
SHA256 5a04370bf766a335ddde6fd279ec2d57a4fa495b81cab1cfedd15e355369a6bc
SHA512 d64469afe0d784f16f2d4de2713b6d9958a7c4ef86b356ab353df400d591938877d45ad21bf83e47140c47924b0437cc8eef92daefd43ad921f96f6895fe6424

memory/920-850-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

memory/920-851-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/920-852-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe
PID 3040 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe
PID 1972 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
PID 1972 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
PID 1972 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
PID 1972 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
PID 1972 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe
PID 1972 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe

"C:\Users\Admin\AppData\Local\Temp\BlueStacksInstaller_5.21.600.1019_native_a2dd660d2ed14f232e1cf3aea7ede127_MDs1.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\BlueStacksInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe" --cmd checkHypervEnabled

C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0EB85448\HD-CheckCpu.exe" --cmd checkSSE4

Network


Files


Analysis: behavioral11

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

android-x86-arm-20240624-en

Max time kernel

93s

Max time network

137s

Command Line

com.dts.freefireth

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/xbin/su N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xebabe000-0xebac0aa8 N/A N/A
N/A Anonymous-DexFile@0xe8b3c000-0xe8b3f14c N/A N/A
N/A Anonymous-DexFile@0xe8aa9000-0xe8aabd2c N/A N/A
N/A Anonymous-DexFile@0xcd652000-0xcd657b38 N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.dts.freefireth

Network


Files

/data/data/com.dts.freefireth/files/xx_tmp_guard.dat

MD5 3b27ad3a0ed8a5dc9562d3ce35a48ce4
SHA1 f4be5950171fce0869792520bba55f171675851b
SHA256 d0a3c71ed94cc9c450c134bd89e54c95f6ee801b146d557d1bab436908b862e1
SHA512 12c9477144bc0974bc861d593bb17a6d1cd97f8892e666091aabac749b4c62e1de76b5007728f93b24cffe00c000c823e2be93f850a1dda0a62ada468eba7a58

/data/data/com.dts.freefireth/files/xx_tmp_guard.dat

MD5 70bc8f4b72a86921468bf8e8441dce51
SHA1 de8a847bff8c343d69b853a215e6ee775ef2ef96
SHA256 66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925
SHA512 5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3

/data/data/com.dts.freefireth/files/ace_shell_di.dat.tmp

MD5 c4088b773c278ababa874389a956ac13
SHA1 711f12f25b9501e2099d819a1af665300640e000
SHA256 cc70c38dd7a586dffeb05bca9aa07f21a4dbd6700972cbe68804f9b00c674120
SHA512 88a422d102b2822ff8a8e0887acece3dff2f0ae5df882b283a0c0c1ed2382f41ebb0f836f97e5a16b7851d878b955278cc1966f0d81f78c1cc74035ae2d31aed

/data/data/com.dts.freefireth/files/app/data/libbugly/crash.info.tmp

MD5 d2d0de827e715cd317e2a0e8dd1c9caf
SHA1 0a2425ed3972dfb2401979271abbe6248a5c90dc
SHA256 112e4f885802f87757cfdb2d14d571a17a1cc6595f543c67a53e7dd33048555a
SHA512 a137c93ad4ae6b33655c1b71be1b4552e5431c431a7bdd2a89f1849f76840d2df2cadebc89bff69b32f8cf05345410f1eebdf6ed2dce815a13f67d23fa05db8c

/data/data/com.dts.freefireth/files/data/app/com.dts.freefireth-xrz2yZqpO_y6MF0ywEpytg==/base.apk.tmp

MD5 ff64991c7c19157cbf9742395e751042
SHA1 e645bf229b382e617b88d8f78e5b868da8433a7a
SHA256 7f6e9ee88675adbea3506be9d707465003d3cd37989cba19f009f9bdb490b111
SHA512 55e98f66e46fd04578df39501031248dc30917af8712a8f874f3d8bf17e448c87b032b4d9a4f0b5c0f19a02a62678d30be25ac0b7ace268a02c19a8373b9ee09

/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpSHC.dat.tmp

MD5 47bc34805115516eaac6b2aa82b20611
SHA1 f2fdd2b9ce42927697e714bd11520b4c2bb066d5
SHA256 9a7f76a0de4a1c2f296eb7a25b3c87a77ac99a37cd91224b6a99178092360807
SHA512 8846bdf58962161d4af02fe10cb7700afffce35f1ffb9ef48b45db3814e38ffba33754b1efe15fb1ee368ea74a0fac579f65e98b77d764b73d10a85bb32866c7

/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpCCH.dat.tmp

MD5 b36b07b66eca5d71b5582433f196c74a
SHA1 ade773909a46d941df52f1e0c5920ef1cd6d6a63
SHA256 ee060f1067179ff5c44d3a9a9bf258e6616bc2f1ec2b7029c93a9b1f2b893fe4
SHA512 de9708dad47d246ee0f1ecbe6aaa29591bb25de96cd2a2bffb1e80200b793fe0895e313f988c1f4122b6d5c34fcc866e39b9d696cd4a67eb90851a689189ce46

/data/data/com.dts.freefireth/files/ano_tmp/ace_shell_db.dat.tmp

MD5 0b350da9e673672cc6537e4bb483b819
SHA1 2215d02868733a9409e3fce9c9c16fe20a1e74f6
SHA256 663b38dff9a429faa3a3e24c11b933dd2ab3879b89498802aae59ca047110450
SHA512 7aff4c8fdd145a3d8e70ed14fcc2a176aaf12712ab0bc6ca4d9524dc05edd6cbc4ac4ebd33afb41adc8165923f97c32b22a10b2d9fa1981d438d82c659dcd3af

/data/data/com.dts.freefireth/files/ano_tmp/SpeedUpCCH2.dat.tmp

MD5 f93f048ee2115cf007baea8f2913db95
SHA1 6368352ad58b0f45202289fd9388c5cae103fea4
SHA256 954980c2da7f325fe08a419fb0862ef1e951c283d436550b605b795df7372a0d
SHA512 2c4fd318b67f1af2ec56c706a651d2e67c2d5940dd9227fd625af31dc26b95c32ae5f2ffbf7cf0e0e9fbad5f2f1c30beaf2283c8c3928313b435bc355099ff92

/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-journal

MD5 4b29537c66b136b6961c1dbab8c964e9
SHA1 68b35d7003f703afdeee6c4edb0c86e1c87aeeff
SHA256 2f71ee0ff260ff2ae81e6bb3f1f39e562c7208adf634e9fc6a3ceb4e2987bc0c
SHA512 e6251406828978703c71eb4d3e24e67dc57591f026f11d447e7d61cae3ce674fad3e33ee7b5fe6107006689cf3f6e5deb8d1f9c7e97d919263a1f182aab0aebf

/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.dts.freefireth/databases/com.google.android.datatransport.events-wal

MD5 da44debd5a9d9bac87d8621e4225ab6e
SHA1 c6b8b234ced32f20684de06d465abdd2c646ae75
SHA256 92dcce7cb8e7312fc7adf09a03e213df194d9559503a320dd8930c65c576e30a
SHA512 e5bace850fc2ae10f32400eb109fe2f1304a6a4326bd4ff36ca33a1c2d688fcd3367bc11159ad99f4f7b7b340adc5b21563b77e63bb7639ee49840f965889c8e

/data/data/com.dts.freefireth/files/.com.google.firebase.crashlytics.files.v2:com.dts.freefireth/open-sessions/673964EB027A000110C796A6E513BA9A/report

MD5 66a34df1724772c7cc2f476e19d730e4
SHA1 3d316432625e127f61e2a492967919a90a156e4c
SHA256 a2bada1d771df26617a389014203aba717b7656db27e87db321182cfb8208c81
SHA512 b79b2cb962f09b91f5b970efbe8b87edf9cc1009fe7661cb1142298ed5a0c8f3cfe4b1c0755907289c8607fc648d39bcbe5ca3625da8d61481450399729b14a7

/data/data/com.dts.freefireth/files/GGMEs.version

MD5 33d6dddf6f61b809bc59a10122bf93ec
SHA1 d3ea3fc04015f85da4e653e00333faf0fb09195f
SHA256 9926fd9d2ff304db3d0ead824da601f7f8bd7c9c1a26b247aa9a0a772e2f1d09
SHA512 7419644775595d60154577b3c3593a9488734204d48e03ed3bded7f3e850d9a253beec47041b7aff3297bb0e73e1d6ad1297795ca6a9e047586260b47039d24a

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/Resources/mscorlib.dll-resources.dat

MD5 21d06dbc8af6432b2b49536ed30609af
SHA1 11a1c0e2ab2f8c06fe4507535ed47e0dd279a60d
SHA256 c5baa176a5b72cd545266340e42102d393a5e43d38c95796bc828918bb95277f
SHA512 2971f54eaa14c3ce6e2352e5a1aea5b044f0894bf4eac92de8cd92515b6473b5ca56ebfcad4369a9d4935cbefea2540a83f332fd4d832c37768310e8776ceb5e

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/Metadata/global-metadata.dat

MD5 43341ce1b66599b904ae8ed0692e1399
SHA1 bf3f63b4ef4b96c0a96c60790d721c586a447668
SHA256 18b6d91d4c245e67afabb21a6ec30421ffb56b6553be73e5d6bfac5835523d38
SHA512 c859b944912f9bd58401846834a5212c15763272dff268a8681907ed9ee1127b343e0f1561995b9f3f3aa8cbfdf7d7674bbea0c3b25313dad019ad6318e5a6bd

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/mconfig/config.xml

MD5 096bb534f21d5adfed1aaf8c011a1204
SHA1 9ad10801601db8eae86f550a0a51d94ed18bcbcc
SHA256 a1809f956176325c3ab236854789da917e8fd445d863b400272850e1f2336d64
SHA512 d3a91f16d6bc8db4d8cbb4a568c16d58aeacabb11b6e1132a4acc66062b8bb160c16be7ea331532a95fe18dcf7e7477e1a8fea3baf0174841199580bf815983e

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/1.0/DefaultWsdlHelpGenerator.aspx

MD5 5f05cffc86a6401d0441aeda6fd1706b
SHA1 f3b197c706f6c147df6f4564776d195260dff72a
SHA256 fefc3b909fc80286ae54d71dc67bff15acd9a3a38d91f79133056bac352c86b8
SHA512 4eafa387c0d6e4a64316ad8c15bfc6919b8b3fb485a7f4811d4b57625396edf7ac30124d4c3288d221419b614cbbae14d47939b6014f109b4438a21f3da88c35

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/1.0/machine.config

MD5 aac6d2ce4d64d2ca9a1e7b953e3414c7
SHA1 022510cf8def98e8d19678a3535b650f6abcf2b9
SHA256 2115920755189829be20a81083735aebd217f216e02450e7f65187003142850c
SHA512 feb13a2f56b8d7d08bfa4e1c8e57a1d9944a20a973c3a56527a5d74e5eccde7a36ee56a288541d3d3d5ffb7a2da814c5dc7e53fe7d4d1b616893d115ec0316ca

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/DefaultWsdlHelpGenerator.aspx

MD5 ce0f7bdf7344da4ddbe9372a0000f70f
SHA1 4d59c8b5335107c1be0be64c130dde3fb1ac6c84
SHA256 7daa0c6a2bdd90c41278ae60eae82cf3976256b9832f4445d626fbda35c90a1b
SHA512 8874c02a6535fef726ed864f82ad193f54ac64dba1f035da307caa05518d7954927356c333dfd6d1d0624d658405b978d38b220bd3c5a14d90b4d4fc73124bcb

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/settings.map

MD5 ac24f77bfedc2fb05ea51ec6c7225ae0
SHA1 d77676d27f59885f3ec83fa7497ee25257a59fe3
SHA256 205285250b2f5482698e8a58181cdd711bf87f182083ff03db41aef0fa073361
SHA512 d893e5f04481dbe876e7c3dc03971af85b2803d159bce48f6ab6f957feffce8917552f8f4eacf828b3128cf1700299e11d302d77312ae1fd04bb53a51fe260b5

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/web.config

MD5 f56fcf1b58ad450f85effd827f4d6acd
SHA1 bd85d36d737dca1bbe59a8f4795356e820a44b54
SHA256 d72ff8c60ca58fd3bc106365d753c5bfad9f85d33757aeb2ffdf745d61cec1b1
SHA512 da7561788fbba1b0665ad2714be50af10ca0c587b1b488dc45fab8d515319dbf3012c7a9bd8574c8083e0aed2d4eb9806277d3867e463c79aab8142e98fa7882

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/Browsers/Compat.browser

MD5 3201df8753c86b4be9cc69c046883d3c
SHA1 04bb09e087efe7d13751ed0b7d9ba0d6e32e93a7
SHA256 bf4ae2fe630714eee3d7b0a28285a3aa49a6589a3660e58cf7868aca3321a7b1
SHA512 ab5590bb8173e277bb7bbcb252a6d65fe5ddc8df02f1be1f772b3dc2a1350f9a17f93e020f27350ad5ef940604ab52e38230d3cfcc3f1f014a4e492104c917b0

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/2.0/machine.config

MD5 ecb736a47b2a18f6d1829c140766164e
SHA1 ba466f417bb27e3d8d6b4cf98d2e9be184bd02e2
SHA256 1173db3dab5192fc7087626053d3ab33cb597d2b2e69c3bc849157cf319fe721
SHA512 cca1600bbb052cc6e892ff5599cb97081747f1c1b7c5b7599df33faca19016400481451dbf9848cb7dd17c1e514776ba11eb63dcac66439cad7ac69c92987087

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/browscap.ini

MD5 3eba8a4048e7d197b14cc3eaca87c92b
SHA1 3032d831a309ac97343d87b48e4ffd6e9d0a9359
SHA256 a0380d7baac874d8c1401da882b4bf06b037fd91ba19aae63f7d76c8f0e8f7e6
SHA512 b7fb46fb5dc132e05d71f683cd9702994be0aa1ff7e7bc5ff230ce78ab1462a50f6cfaee9a5d25c6ecbb94187e880ed84087bbc14393bfbf3a8ca0f203ecd431

/storage/emulated/0/Android/data/com.dts.freefireth/files/il2cpp/etc/mono/config

MD5 55a2b628fce21505424a2fa0a35f29a9
SHA1 5f47cfd81c382b3c5cd4adf5d20fe60444cb993d
SHA256 c8ecdbb063c481da5e18f76b0dd60c8dccbdaf73c19d930e579c9794cc21d562
SHA512 b42bd2848b667a3dd71ecff39e53a6c3ed8564e731dfa88c3d7759d3a647e3131ded2f5ecd4459174dae32920250ba627e4bd9acaca28e4e297fa3676ef4937a

/data/data/com.dts.freefireth/files/DSAs.dump

MD5 92820166e40fac24af843e4841e73cc0
SHA1 1cb04dd3a5cd459827a05f4f05dd2c6e4385c1dd
SHA256 8ae89f7009b4c69b3ba09a2221cfb2800b0b8b2ff50259933ad14371c207eadd
SHA512 b3d954b63a8cee0689c2259bf5582f083d210853784bb2e579e4503ebf7b21012052d4010683f6b20f1bbe18cfd72dfae9fd70eca59f7ce0d1e99dc42f548e68

/data/data/com.dts.freefireth/files/Deps.dump

MD5 bd5573fc16c4e3838e5344ce1abf92d3
SHA1 9f86c378b2ba3afbc8026ffd31f4dbd0a45965a0
SHA256 58dd77371b12e232097b9d8f782609bdc5eb8705e54b9211fc58b905df681568
SHA512 a6d4fcb165ec9b5d53b46bc36b00f7be405ed3b4c7116d0f8fc6298c84c092b7d0e8da0721387a5f303ce5d771513ee925e3a14bafdf6b647245368c7eba7d9c

/data/data/com.dts.freefireth/files/RMP.dump

MD5 0242719f617f35551408dae23ba3f681
SHA1 590b9f555fd5fcf3d1ccdcb3a68b054ce1f031d1
SHA256 513427a5ab39a731c1f61e4d6c8e5cbea4e806b1f456d4176903c459a37cdcd2
SHA512 490e538e0eafcec55acd8c8908062415fa45dcf48ecd37221788fbcac28006a475f0046679f0f4d87539219106bd5072ca5fc811a37596d10d6934a5b509ece9

/data/data/com.dts.freefireth/files/InitDump.version

MD5 95e7673c79f6231726400c81c3ac891f
SHA1 cc4a9bdf3ef681c22628a32172a2dcf2f387e46b
SHA256 c85b6ff86bdec8221db54d3f85b4d09e00823bbceae9837174a072ae8fbcdeea
SHA512 f446134ffca198a327b32db811ceb7e20c381b16c84b8a796124249aaf2b8aa42dd74e9df8c0f4c79b8e3cf69ce3d7325b74d4c8a87d58aca320ea2237503e23

Anonymous-DexFile@0xebabe000-0xebac0aa8

MD5 e00990fd74b49515a73bb04c0132a8df
SHA1 66d7750d27b4a5e8c6822ee8f7df7132c1eecd06
SHA256 f4b81ad5a3336f3b7653faf6da2a281edcb4967bb60b5a06b1d88a19e3e39da7
SHA512 9dbfaa135a333dd1d261b04232fe814132e3bb0999040b30d327384c2820f804377f6178bb4fd1be8297cf34684b5441decbae1f2997a194b2ae1cc5c7b8a4a6

Anonymous-DexFile@0xe8b3c000-0xe8b3f14c

MD5 b48839921953187e835fb5731ad78ad4
SHA1 2314e0c6e07148b1deb82b4a87947f17d8197ba7
SHA256 445db7e82ef1b927f7176a746c353b40b202a18033229c4d18d495163f836874
SHA512 340e30e3cb02f05ec88abccfd2dae53d7b49a64db942c5fb8889f481f840d1c5c5e90047dd63c6a09c72ddcbb388495b1bea3aa0de57b0ed54af47a232227dc0

Anonymous-DexFile@0xe8aa9000-0xe8aabd2c

MD5 e91f7ac648fac3b9fcb31e0faf662dc1
SHA1 b1870b65269fe088c5bb4635b735304590c4444d
SHA256 6c25e3eeef0b1607ae21ff248b7fa286a5aee41b19fa01167aaa39d3951540c3
SHA512 304ed2bedf08e5f17e12b7c4621f64bd6a94d78f9d6404f52d3c26d0c910accc8cdb19deb06b90f730d23900da36ea785f5b8f22a47d4f8458c496765b543b4e

Anonymous-DexFile@0xcd652000-0xcd657b38

MD5 57b9fc36122c38752064ea474051ddec
SHA1 264cce700c20cdf09c7f95a0e025cab01c4a2518
SHA256 19b314a696d2c932ab6fcdb147b930b0287e036b87fa0ca4b86be91490da2977
SHA512 b91d525c1b1d37c9a1c95b26141defa1ba0467da257aa0105da8ee0eb3d9b473c62b2e1106e0dfa0bfa1402fd48dd4db5a8cdb6da1f84ac8c8bea78fa0b43f45

/data/data/com.dts.freefireth/databases/DownloadsDB-journal

MD5 922398fc3c58de048dd1b024daebd174
SHA1 91ed4f901025ac7614a9fc009f5af80ca409c4bc
SHA256 98ccb262d37d5138796a8f76415aedd0d0b2e4f13674f73bc26955b171d3f2f5
SHA512 1db599f4f79da17b3ee392bf4ef5fc4bfe98640e27fb13dfbedd83aa2e2368fba2fedc968442ccfad86a241fbee0f79dfe9697d024c2f71d27f1cc281a358308

/data/data/com.dts.freefireth/databases/DownloadsDB-wal

MD5 6895980990097b48eb10e6b46e9f37da
SHA1 7296af4a90fd00ad234520d17c0c9108f35d28e8
SHA256 572251390d2a7fd26cd8957aa63492a313feae6d944b085672067773f63a3ddf
SHA512 2503103e48078f9bfab49f8c02f799fe941a59240074948e6209da2480478e6aae5e1cb855c9e40857cd636fbaa300d469acad400f3f67cb6f8a87aa02a5b000

/data/data/com.dts.freefireth/files/AFRequestCache/1731814648264

MD5 b7bb9651c0982c637d5131a9ad203f8e
SHA1 f4bcd1fb8d1373a08a8ce0a511db16915f924e4d
SHA256 90674ca200e31e806ff23fab9779581ec8c72606f5456261a3c2a716eb327ed0
SHA512 d4828a25a2c3643d1202048465c1830c866060265bd2b1295a128057cc384b347241bbff40d832406980b7c89138e10a68a33d2fd046330e85b0197fbe947176

/data/data/com.dts.freefireth/files/AFRequestCache/1731814648567

MD5 e47930aade5c5def0d2186eeb0bb4ccc
SHA1 e691bbdb4a373d70492937be09bda5efbadd775a
SHA256 125f07ae33010cfa54b44f518735d4da2ea79ea68a17b70fd70780023e1f69e7
SHA512 1d2839efbbbafec5ced01610f071fc9526bb7cbad89623ab85e8a34a41fdc48fd1d1ca16b3c2d1bc30e03e1f3f57071c27c6e5b33fd02ea7dca46b49d2a60059

/data/data/com.dts.freefireth/files/ano_tmp/ace_cache_db.dat.tmp

MD5 12e81664f62baf6722bc855934df3157
SHA1 36e7d42a99a3ac4d1a1dba25e7d2d80f8f3ec726
SHA256 3a98ff9a5ef0e6c6f5aa474b0ddffe234a22c3049c79f665914b36dd7a7d96d5
SHA512 afbe8ed8bfde5d723a2465e0c6a3d51090f4da718086e925198438d15fd7766dced919ebbdbb3df843a5d704830de5242cdbcdefb81ba40d65ae353fe735695e
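
The Files list above mixes on-disk artefacts under /data/data/com.dts.freefireth with entries named Anonymous-DexFile@<start>-<end>, which is the label ART gives a dex file created from a memory buffer (InMemoryDexClassLoader) rather than from a path; those are code dumps with no file to collect. The parser below is an added example, not sandbox output: it reads the name-plus-four-digests blocks, validates digest lengths (a cheap check against truncated or garbled hashes when the report is copied into a case file), and separates memory-backed dex from files so the address range can be turned into a dumped size. The SAMPLE string is an excerpt copied from three of the records above.

```python
"""Added example (not sandbox output): parse the per-file hash blocks of the Files
section above into records and flag dumps of dex code that was loaded from memory."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# ART labels a dex file created from an in-memory buffer (InMemoryDexClassLoader)
# "Anonymous-DexFile@<start>-<end>"; there is no on-disk path to collect for these.
ANON_DEX = re.compile(r"^Anonymous-DexFile@0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)$")

# Excerpt copied from the Files entries above (three of the listed records).
SAMPLE = """\
/data/data/com.dts.freefireth/files/InitDump.version

MD5 95e7673c79f6231726400c81c3ac891f
SHA1 cc4a9bdf3ef681c22628a32172a2dcf2f387e46b
SHA256 c85b6ff86bdec8221db54d3f85b4d09e00823bbceae9837174a072ae8fbcdeea
SHA512 f446134ffca198a327b32db811ceb7e20c381b16c84b8a796124249aaf2b8aa42dd74e9df8c0f4c79b8e3cf69ce3d7325b74d4c8a87d58aca320ea2237503e23

Anonymous-DexFile@0xebabe000-0xebac0aa8

MD5 e00990fd74b49515a73bb04c0132a8df
SHA1 66d7750d27b4a5e8c6822ee8f7df7132c1eecd06
SHA256 f4b81ad5a3336f3b7653faf6da2a281edcb4967bb60b5a06b1d88a19e3e39da7
SHA512 9dbfaa135a333dd1d261b04232fe814132e3bb0999040b30d327384c2820f804377f6178bb4fd1be8297cf34684b5441decbae1f2997a194b2ae1cc5c7b8a4a6

/data/data/com.dts.freefireth/databases/DownloadsDB-wal

MD5 6895980990097b48eb10e6b46e9f37da
SHA1 7296af4a90fd00ad234520d17c0c9108f35d28e8
SHA256 572251390d2a7fd26cd8957aa63492a313feae6d944b085672067773f63a3ddf
SHA512 2503103e48078f9bfab49f8c02f799fe941a59240074948e6209da2480478e6aae5e1cb855c9e40857cd636fbaa300d469acad400f3f67cb6f8a87aa02a5b000
"""


@dataclass
class FileRecord:
    name: str
    hashes: Dict[str, str] = field(default_factory=dict)
    mem_start: Optional[int] = None
    mem_end: Optional[int] = None

    @property
    def in_memory(self) -> bool:
        return self.mem_start is not None

    @property
    def size(self) -> Optional[int]:
        # for memory-backed dex the address range gives the size of the dump
        return None if self.mem_start is None else self.mem_end - self.mem_start


def parse_files(text: str) -> List[FileRecord]:
    """Each block is a name line followed by four '<ALGO> <hex>' lines."""
    records: List[FileRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if not records:
                raise ValueError(f"hash line before any file name: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catches truncated or garbled digests
                raise ValueError(f"{records[-1].name}: bad {algo} length {len(digest)}")
            records[-1].hashes[algo] = digest
            continue
        rec = FileRecord(name=line)
        d = ANON_DEX.match(line)
        if d:
            rec.mem_start, rec.mem_end = int(d.group(1), 16), int(d.group(2), 16)
        records.append(rec)
    for rec in records:  # every record in this report carries all four digests
        missing = sorted(set(HASH_LEN) - set(rec.hashes))
        if missing:
            raise ValueError(f"{rec.name}: missing {missing}")
    return records


def in_memory_dex(records: List[FileRecord]) -> List[FileRecord]:
    return [r for r in records if r.in_memory]


def sha256_blocklist(records: List[FileRecord]) -> List[str]:
    return sorted({r.hashes["SHA256"] for r in records})


if __name__ == "__main__":
    for r in parse_files(SAMPLE):
        tag = f"in-memory dex, {r.size} bytes" if r.in_memory else "on-disk file"
        print(f"{r.hashes['SHA256']}  {r.name}  ({tag})")
```

Run on the excerpt, the Anonymous-DexFile record decodes to a 10920-byte dump (0xebac0aa8 minus 0xebabe000); the same parser works on the full Files list if it is pasted in unchanged.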

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:40

Platform

win7-20240903-en

Max time kernel

122s

Max time network

140s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20240903-en

Max time kernel

11s

Max time network

32s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\icon.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\icon.png

Network

N/A

Files

memory/2460-0-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2460-1-0x0000000000320000-0x0000000000321000-memory.dmp
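
The rundll32 command lines in behavioral5 and behavioral12 are the sandbox launching the registered handler for .png files: Windows Photo Viewer's "open" verb is rundll32 with PhotoViewer.dll and the ImageView_Fullscreen export, so the interesting question for a rundll32 line is always which DLL and export it names, not that rundll32 ran. The triage routine below is an added example, not the sandbox's own logic: it tokenises a Windows command line (quotes honoured, backslashes literal), splits the DLL,export pair the way rundll32 reads it, and allowlists the Photo Viewer pair only when the DLL sits under a trusted root, while flagging DLLs loaded from user-writable paths or a URL scheme in place of a path. REPORT_LINES are the two command lines from the report; CONSTRUCTED are made-up lines added here to show the flagged shapes.

```python
"""Added example (not the sandbox's code): pull the DLL, export and arguments out of a
rundll32 command line and decide whether the pair is a registered Windows handler."""
import re
from typing import Dict, List

# Windows Photo Viewer's registered "open" verb is rundll32 with exactly this DLL and
# export, so the two rundll32 lines above are the default image handler being launched.
KNOWN_HANDLERS = {("photoviewer.dll", "imageview_fullscreen")}
TRUSTED_ROOT = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\|\\downloads\\", re.I)
DRIVE = re.compile(r"^[a-z]:\\", re.I)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)

REPORT_LINES = [  # copied from the behavioral5 and behavioral12 Command Line entries
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Custom Hud By DANI YT.png"',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\icon.png',
]
CONSTRUCTED = [  # made-up lines, not from this report, in the shapes that should be flagged
    r'C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\loader.dll,DllRegisterServer',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"',
]


def split_windows_args(cmdline: str) -> List[str]:
    """Split on whitespace honouring double quotes; backslashes are literal (Windows paths)."""
    args, cur, quoted, seen_quote = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, seen_quote = not quoted, True
        elif ch.isspace() and not quoted:
            if cur or seen_quote:
                args.append("".join(cur))
                cur, seen_quote = [], False
        else:
            cur.append(ch)
    if cur or seen_quote:
        args.append("".join(cur))
    return args


def triage_rundll32(cmdline: str) -> Dict:
    toks = split_windows_args(cmdline)
    if not toks or not toks[0].lower().endswith("rundll32.exe"):
        raise ValueError("not a rundll32 command line")
    rest = toks[1:]
    if not rest:
        return {"dll": "", "export": "", "args": [], "verdict": "suspicious",
                "reasons": ["rundll32 invoked without a DLL"]}
    # rundll32 syntax is <dll>,<export> [args]; the comma is either glued to a quoted
    # DLL token ('"x.dll", Export') or separates the two inside one token ('x.dll,Export').
    dll, comma, export = rest[0].partition(",")
    if comma and export:
        args = rest[1:]
    else:  # the export is the following token
        export, args = (rest[1] if len(rest) > 1 else ""), rest[2:]
    reasons = []
    if SCHEME.match(dll) and not DRIVE.match(dll):
        reasons.append("first argument is a URL scheme, not a DLL path")
    if USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from a user-writable directory")
    if not dll.lower().endswith(".dll"):
        reasons.append("DLL argument lacks a .dll extension")
    base = dll.rsplit("\\", 1)[-1].lower()
    if (base, export.lower()) in KNOWN_HANDLERS and TRUSTED_ROOT.match(dll):
        verdict = "benign-known-handler"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "review"  # well-formed but unknown pair: needs analyst eyes
    return {"dll": dll, "export": export, "args": args, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for line in REPORT_LINES + CONSTRUCTED:
        r = triage_rundll32(line)
        print(r["verdict"], "|", r["dll"], "->", r["export"], "|", "; ".join(r["reasons"]))
```

Note that the user-writable check is applied to the DLL path only: the image argument in both report lines lives under AppData\Local\Temp, which is expected for a file the sandbox dropped, and must not by itself raise the verdict.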

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

162s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\icon.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\icon.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

166s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\com.dts.freefireth.cfg

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A
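
Every row in the behavioral13 and behavioral17 Network tables is a PTR query sent to the resolver at 8.8.8.8:53; neither table lists a forward lookup or a connection to any other destination. Reverse-lookup names encode the address octets back to front, so the addresses actually being looked up are easier to assess once decoded. The script below is an added example, not sandbox output: it parses the four-column table as printed, turns in-addr.arpa and ip6.arpa names back into addresses, and summarises destinations, decoded PTR targets and any forward lookups. BEHAVIORAL13 is the table copied from that section.

```python
"""Added example (not sandbox output): parse the Network tables of behavioral13 and
behavioral17 and turn the PTR query names back into the addresses that were looked up."""
import ipaddress
import re
from typing import Dict, List, Optional

ROW = re.compile(r"^(?P<country>\S+)\s+(?P<dst>\S+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$")

# Copied from the behavioral13 Network table above.
BEHAVIORAL13 = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
"""


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Decode an in-addr.arpa / ip6.arpa name into the address it encodes, else None."""
    name = name.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None  # partial (classless) reverse zone, not a host
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    except ValueError:
        return None  # malformed octet or nibble
    return None  # ordinary forward lookup


def parse_network_table(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line}")
        row = m.groupdict()
        row["ptr_target"] = ptr_name_to_ip(row["name"])
        rows.append(row)
    return rows


def summarize(rows: List[Dict]) -> Dict:
    """Split reverse lookups (decoded to addresses) from forward lookups and list every
    destination the table shows, so it is obvious whether traffic went anywhere but the
    resolver."""
    def ip_key(s: str):
        a = ipaddress.ip_address(s)
        return (a.version, a)
    return {
        "destinations": sorted({r["dst"] for r in rows}),
        "ptr_targets": sorted({r["ptr_target"] for r in rows if r["ptr_target"]}, key=ip_key),
        "forward_lookups": sorted({r["name"] for r in rows if r["ptr_target"] is None}),
    }


if __name__ == "__main__":
    s = summarize(parse_network_table(BEHAVIORAL13))
    print("destinations:", s["destinations"])
    print("forward lookups:", s["forward_lookups"])
    for ip in s["ptr_targets"]:
        print("PTR target:", ip)
```

The decoded targets are the addresses to check against threat intelligence; the table itself records no traffic to them, only the resolver queries, so a hit would mean a lookup, not an established connection.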

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-17 03:29

Reported

2024-11-17 03:39

Platform

win7-20240729-en

Max time kernel

66s

Max time network

22s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FREEFIRE V7A DANI YT.zip"

Network

N/A

Files

N/A