» debug.exe
Overview
Analysis
File Details
Behaviors (1)
Network (6)

debug.exe

BlueStacks

BlueStack Systems, Inc.

The application debug.exe, “BlueStacks StartLauncher” has been detected as a potentially unwanted program by 15 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘RavTroy’. While running, it connects to the Internet address unassigned.psychz.net on port 80 using the HTTP protocol.

File name:

debug.exe

Publisher:

BlueStack Systems, Inc.

Product:

BlueStacks

Description:

BlueStacks StartLauncher

Version:

0.9.31.4259

MD5:

ee8103311ccce8afe0711bb82114de7f

SHA-1:

0270a3d7db6ded12f9608cc79f4fb7d481c8587d

SHA-256:

7d9d2622361e065e84b42231c74d7e79760db1a364a59cf1b334b3e1d6253efc

Scanner detections:

15 / 68

Status:

Potentially unwanted

Analysis date:

11/2/2024 5:25:53 PM UTC (today)

Scan engine

Detection

Engine version

avast!

Win32:Clicker-N [Trj]

2014.9-161209

AVG

Clicker

2017.0.2535

Bkav FE

W32.BorihurtT.Trojan

1.3.0.7400

Clam AntiVirus

Win.Trojan.Agent-476936

0.98/21511

Dr.Web

Tool.Click.7

9.0.1.0344

ESET NOD32

Win32/SiteHelp.A potentially unsafe

10.12997

Fortinet FortiGate

Riskware/SiteHelp

12/9/2016

F-Prot

W32/Admoke.J.gen

v6.4.7.1.166

IKARUS anti.virus

Trojan-Dropper.Agent

t3scan.2.0.6.0

K7 AntiVirus

Trojan

13.213.18680

NANO AntiVirus

Riskware.Win32.Click.cuwdwc

1.0.14.6071

Qihoo 360 Security

HEUR/QVM05.1.Malware.Gen

1.0.0.1120

Total Defense

Win32/Clicker.FZ

37.1.62.1

Vba32 AntiVirus

Trojan.EIC.1717

3.12.26.4

ViRobot

Trojan.Win32.A.Clicker.1198592.B[h]

2014.3.20.0

File size:

1.8 MB (1,908,736 bytes)

Product version:

0.9.31.4259

Original file name:

HD-StartLauncher.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

File PE Metadata

Compilation timestamp:

6/20/1992 5:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

Entry address:

0xFE958

Entry point:

55, 8B, EC, 83, C4, F0, 53, B8, A0, E3, 4F, 00, E8, 03, 7D, F0, FF, 8B, 1D, 58, 35, 50, 00, E8, 7C, 80, F0, FF, BA, 10, ED, 4F, 00, E8, 76, AD, F0, FF, 85, C0, 0F, 84, 38, 02, 00, 00, E8, E1, 42, F9, FF, 8B, 03, E8, 16, 93, F8, FF, 8B, 03, BA, 24, ED, 4F, 00, E8, 02, 8F, F8, FF, 8B, 0D, 8C, 32, 50, 00, 8B, 03, 8B, 15, 88, E9, 4C, 00, E8, 0F, 93, F8, FF, 8B, 0D, 0C, 33, 50, 00, 8B, 03, 8B, 15, D8, 9B, 4C, 00, E8, FC, 92, F8, FF, 8B, 0D, 74, 2E, 50, 00, 8B, 03, 8B, 15, 90, 92, 4C, 00, E8, E9, 92, F8, FF, 8B... 
[+]

Entropy:

6.3709

Developed / compiled with:

Microsoft Visual C++

Code size:

1015.5 KB (1,039,872 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

RavTroy

Command:

"C:\windows\mui\debug\debug.exe" \start

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to 201-119-74-198-dedicated.multacom.com (198.74.119.201:80)

TCP (HTTP):

Connects to server-54-192-159-29.sin3.r.cloudfront.net (54.192.159.29:80)

TCP (HTTP):

Connects to server-54-192-159-136.sin3.r.cloudfront.net (54.192.159.136:80)

TCP (HTTP):

Connects to server-54-192-159-78.sin3.r.cloudfront.net (54.192.159.78:80)

TCP (HTTP):

Connects to 176-113-74-198-dedicated.multacom.com (198.74.113.176:80)

TCP (HTTP):

Connects to unassigned.psychz.net (45.34.21.52:80)

Remove debug.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.