75e176788275283daf177498a6b4d99ec58b5616475df460c3282ce30713f27f

Analysis

max time kernel
90s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2023, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bluestacks-app-player-4-240-0-1075.exe
Size

1.1MB
MD5

cd65f57a6786232a03289b7f15fe189f
SHA1

221823fdaabbd8d2783b5df554fe59380cecfa11
SHA256

75e176788275283daf177498a6b4d99ec58b5616475df460c3282ce30713f27f
SHA512

35ba7c1f61c3b9033cd8e79a07b85371d2086910620f7445cf7ae3dfa6554b9b5972e8f807922f7913eabdf954cf7b013f102790e65e2bcf871d24a132dd545a
SSDEEP

24576:1cVkKS/WtWrnngnnnKnanxNp2bp2h9YEO18SRvL0J2OYDWR0Pze:1cB6WErnngnnnKnanzY9y9o840JDL

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\7zS05347836\Locales\i18n.en-US.txt

Ransom Note

STRING_RESTART = Restart STRING_QUIT_BLUESTACKS = Quit STRING_UPLOAD_DEBUG_LOGS = Report problem STRING_INSTALL_UPDATES = Install updates STRING_APPS = Apps STRING_APP = App STRING_INSTALLED = installed STRING_FULL_SCREEN_BUTTON_TOOLTIP = Toggle full screen STRING_LOADING_MESSAGE = Loading STRING_SYSTEM_APP = System app STRING_BROWSER_APP = Browser STRING_SETTINGS = Settings STRING_SETTING_APP = Settings STRING_CAMERA_APP = Camera STRING_GOOGLE_PLAY_GAMES_APP = Google Play games STRING_MEDIA_MANAGER_APP = Media Manager STRING_GOOGLE_PLAY_STORE_APP = Google Play STRING_RETURN_APP = Return STRING_HELP_CENTER_APP = Help Center STRING_INSTANCE_MANAGER_APP = Instance manager STRING_MACRO_RECORDER_APP = Macro recorder STRING_INITIALIZING = Initializing STRING_FULL_SCREEN_TOAST = @@STRING_PRODUCT_NAME@@ is in full screen mode. Press F11 to exit full screen. STRING_SNAPSHOT_ERROR_TOAST = No snapshot sharing application is installed STRING_INCOMPATIBLE_FRONTEND_QUIT_CAPTION = A PC antivirus or security application is preventing @@STRING_PRODUCT_NAME@@ from running STRING_INCOMPATIBLE_FRONTEND_QUIT = Please terminate your PC's antivirus or security application that is preventing @@STRING_PRODUCT_NAME@@ from running STRING_BLUESTACKS = @@STRING_PRODUCT_NAME@@ STRING_INSTALL_SUCCESS = has been installed STRING_UNINSTALL_SUCCESS = has been uninstalled STRING_INSTALL_FAIL = Installation failed STRING_USER_WAIT = Installing apk STRING_FORM = App Player support tool STRING_ATTACHMENT_SIZE_EXCEEDS_LIMIT = The file you are trying to attach exceeds the maximum allowed limit of 4MB. Please select another file. STRING_ATTACHMENT_UNALLOWED_EXTENSION = The file you are trying to attach is not an image. Please attach a screenshot of the issue and try again. STRING_STATUS_INITIAL = Starting collector STRING_STATUS_COLLECTING_PRODUCT = Collecting product information STRING_STATUS_COLLECTING_HOST = Collecting host information STRING_STATUS_COLLECTING_GUEST = Collecting Android information STRING_STATUS_ARCHIVING = Creating support archive STRING_STATUS_SENDING = Sending problem report STRING_APP_NAME = Enter app name STRING_FINISH_CAPT = Support tool complete STRING_FINISH_REPORT_SEND = Your problem report has been sent. We will get back to you soon. STRING_PROMPT = Could not send problem report. A file named BlueStacks-Support.zip has been created on your desktop. Please e-mail this file along with a brief description of the issue you are experiencing to [email protected]. STRING_RPC_FORM = Troubleshoot Google login errors STRING_STUCK_AT_INITIALIZING_FORM = Troubleshoot stuck at initializing STRING_WORK_DONE = All done, If the problem still persists, then please report a problem STRING_PROGRESS = Please wait, we are trying to resolve the problem. STRING_TROUBLESHOOTER = Troubleshoot and try to resolve my problem automatically STRING_LOGCOLLECTOR_RUNNING = The problem report tool is already running STRING_CATEGORY = Category STRING_ZIP_NAME = BlueStacks-Support.zip STRING_RESTART_UTILITY_TITLE = @@STRING_PRODUCT_NAME@@ restart utility STRING_RESTART_UTILITY_RESTARTING = Restarting @@STRING_PRODUCT_NAME@@ STRING_RESTART_UTILITY_CANNOT_START = Cannot start @@STRING_PRODUCT_NAME@@ STRING_RESTART_UTILITY_UNHANDLED_EXCEPTION = Caught unhandled exception. Please check the log for details. STRING_APKINSTALLER_ALREADY_RUNNING = An app is already being installed. Please wait while its installation completes. STRING_UPDATER_UTILITY_NO_UPDATE_TITLE = @@STRING_PRODUCT_NAME@@ Updater STRING_UPDATER_UTILITY_ASK_TO_INSTALL = Would you like to update to the latest version of @@STRING_PRODUCT_NAME@@? STRING_UPDATE_SUCCESS = has been updated STRING_MINIMIZE_TOOLTIP = Minimize STRING_CLOSE = Close STRING_SET_LOCATION = Set location STRING_TOOLBAR_CAMERA = Take screenshot ANDROID = Android STRING_FINISH = Complete STRING_START_BLUESTACKS = Start @@STRING_PRODUCT_NAME@@ STRING_DOWNLOADING = Downloading BLUESTACKS = @@STRING_PRODUCT_NAME@@ STRING_BACK = Back STRING_EXIT = Exit STRING_WELCOME_TO_BLUESTACKS = Welcome to @@STRING_PRODUCT_NAME@@ STRING_BLUESTACKS_APK_HANDLER_TITLE = @@STRING_PRODUCT_NAME@@ apk handler STRING_SNAPSHOT_SHARE_STRING = shared via @@STRING_PRODUCT_NAME@@ App Player (www.bluestacks.com) STRING_LOADING_SCREEN_APP_TITLE = @@STRING_PRODUCT_NAME@@ App Player STRING_CLOSE_MESSAGE_PROMPT = Would you like to end streaming? STRING_CLOSE_WHILE_STREAMING_TOOLTIP = End streaming STRING_BLACKSCREEN_FORM = Troubleshoot black screen STRING_SELECT_APP_NAME = Select app name STRING_SELECT = Select STRING_CREATE_BLUESTACKS_REGISTRY = Creating @@STRING_PRODUCT_NAME@@ registry STRING_CREATE_SHORTCUTS = Creating @@STRING_PRODUCT_NAME@@ shortcuts STRING_COULD_NOT_RESOTRE_INSUFFICIENT_SPACE = Unfortunately, the restore was not successful since it requires at least STRING_CORRUPT_INSTALLATION_MESSAGE = Unfortunately, @@STRING_PRODUCT_NAME@@ is unable to start and you will have to reinstall it. Please uninstall @@STRING_PRODUCT_NAME@@ and reinstall the latest version from https://bluestacks.com. STRING_SUBCATEGORY = Subcategory STRING_FILTER_UPDATE_TITLE = @@STRING_PRODUCT_NAME@@ filter updater STRING_INITIALIZING_DOWNLOADER = Initializing downloader STRING_DOWNLOADING_0_of_1 = Downloading {0} of {1} STRING_DOWNLOADED = Download completed STRING_APPLYING = Applying theme, please wait. STRING_LATER_BUTTON = Later STRING_DOWNLOAD_ERROR = Oops! some error occurred. Filters will be updated on next launch STRING_STOP_STREAMING_REQUIRED = This update will require stop streaming STRING_OBS_ERROR = Unfortunately, something went wrong. Would you like to retry? STRING_OBS_ALREADY_RUNNING = Another OBS Instance is already running. Please terminate it before you can go live. STRING_RESTORE_BUTTON = Restore STRING_RECOMMENDED = Recommended STRING_BLUESTACKS_WARNING_PROMPT = @@STRING_PRODUCT_NAME@@ warning STRING_SELECT_BACKUP = Select a folder where you want to create backup STRING_SELECT_RESTORE = Select a folder from which you want to restore STRING_QUITTING = Quitting @@STRING_PRODUCT_NAME@@ STRING_ANDROID_BACKUP = Creating Android backup STRING_ANDROID_RESTORE = Restoring Android backup STRING_USER_DATA_BACKUP = Creating user data backup STRING_USER_DATA_RESTORE = Restoring user data backup STRING_BACKUP_COMPLETE = Backup complete STRING_RESTORE_COMPLETE = Restore complete STRING_BACKUP_FAILED = Failed to backup. Please try again later. STRING_RESTORE_FAILED = Unfortunately, the restore was not successful. STRING_DATA_MANAGER = @@STRING_PRODUCT_NAME@@ Data Manager STRING_APP_PLAYER_ONLINE = App Player online STRING_MANAGE_NOTIFICATION = Manage notifications STRING_MUTE_NOTIFICATION_TOOLTIP = Mute STRING_HOUR = 1 hour STRING_WEEK = 1 week STRING_DAY = 1 day STRING_FOREVER = Forever STRING_CLEAR = Clear STRING_NO_NEW_NOTIFICATION = No notifications STRING_NOTIFICATION = Notifications STRING_SHOW = Show STRING_AUTO_HIDE = Auto hide STRING_SHOW_NOTIFICATIONS = Show desktop notifications STRING_AUTO_HIDE_TOOLTIP = Notification hidden after 10 seconds. STRING_DISMISS_TOOLTIP = Dismiss STRING_SHOW_NOTIFICATION_TOOLTIP = Show notification STRING_RESET_APPS_AND_DATA = Resetting all apps and data. STRING_AUTO = Auto STRING_WEBCAM_SOURCE_STRING = Webcam source STRING_STREAM_QUALITY_DETAILS = This does not affect the preview screen on the left STRING_STREAM_QUALITY = Stream quality STRING_SERVER_LOCATION = Choose a server location nearest to you STRING_LBL_RESTORE_DEFAULT = Restore to default STRING_LBL_COMPUTER_SOUND = Computer sound STRING_LBL_MICROPHONE_SOUND = Microphone sound STRING_LBL_MICROPHONE_SOURCE = Microphone source STRING_LABEL_STREAM_AUDIO_SOURCE = Stream-audio source STRING_LABEL_STREAM_AUDIO_SOURCE_DETAIL = This only affects what your viewers will hear STRING_LBL_ADVANCED_STREAM_SETTINGS = Advanced stream settings STRING_AUDIO_BUTTON = Audio STRING_VIDEO_BUTTON = Video STRING_OTHER_BUTTON = Other STRING_VIDEO_BUTTON_TOOLTIP = Video settings cannot be adjusted while live STRING_OTHER_BUTTON_TOOLTIP = Other settings cannot be adjusted while live NONE = None STRING_ACCOUNT = Account STRING_NAVIGATE_FAILED = Failed to navigate STRING_RETRY = Retry STRING_INCORRECT_LOGIN_DETAILS = Failed to restore backup. The @@STRING_PRODUCT_NAME@@ Account associated with this backup is different from the account you are currently signed into. STRING_INCORRECT_PATH = Unfortunately, the restore was not successful. Please select the correct path. STRING_RESTORE_FAILURE = Data restore failed STRING_BACKUP_SUCCESSFUL = Your data was backed up successfully. You can find it at: STRING_RESTORE_SUCCESSFUL = Your data was restored successfully STRING_ADVANCED_SETTINGS = Advanced Settings STRING_EXIT_BLUESTACKS = Would you like to exit @@STRING_PRODUCT_NAME@@? STRING_YES = Yes STRING_NO = No STRING_HOME = Home STRING_SHAKE = Shake STRING_LOCATION = Location STRING_LOADING_ENGINE = Loading Engine STRING_SEARCH = Search STRING_APP_CENTER = App Center STRING_GIFT = Gifts STRING_FEEDBACK = Help and support STRING_ENGINE_VERSION = Engine version STRING_OK = OK STRING_SAVE = Save STRING_CPU_CORES = CPU cores STRING_MEMORY = Memory STRING_APPLY = Apply STRING_GOOGLE_LOGIN_MESSAGE = Login with your Google account to begin using @@STRING_PRODUCT_NAME@@ STRING_MORE_GOOGLE_SEARCH_RESULT = Google search results for STRING_F11_EXIT_FULL_SCREEN = Press F11 to exit full screen mode STRING_ESC_EXIT_FULL_SCREEN = Press Esc to exit full screen mode STRING_WARNING = Warning STRING_BEGINNERS_GUIDE = Beginner's guide STRING_VOLUME_CONTROL = Volume control STRING_ALWAYS_ON_TOP = Always on top STRING_KEY_MAPPING_ENABLED = Keyboard controls enabled STRING_KEY_MAPPING_DISABLED = Keyboard controls disabled STRING_MULTIINSTANCE_DELETE = Would you like to delete this instance? STRING_UNINSTALL_APP_ASK = Would you like to uninstall this app? STRING_MAP = Maps STRING_SOME_ERROR_OCCURED = Unfortunately, something went wrong. Please try again. STRING_DATA_PATH = @@STRING_PRODUCT_NAME@@ data path STRING_INSTALL_NOW = Install now STRING_SPACE_REQUIRED = Space required STRING_SPACE_AVAILABLE = Space available STRING_FOLDER = Folder STRING_INSTALL_DONE = Installation complete STRING_INSTALLATION_CANCEL_CONFIRMATION = Would you like to cancel this installation? STRING_SELECT_FOLDER = Please select another folder STRING_AGREE_WITH_LICENSE = Your agreement to our terms and conditions is required to proceed further STRING_PRE_INSTALL_CHECKS = Checking system requirements STRING_INSTALLING_ENGINE = Installing Engine STRING_EXTRACTING_FILES = Extracting files STRING_INSTALL_FINISH = Installation is complete STRING_CUSTOM = Customize installation STRING_SOFTWARE_LICENSE = software license STRING_AGREE = Accept STRING_UNINSTALL_FINISHED = Uninstalled @@STRING_PRODUCT_NAME@@ STRING_CANCEL = Cancel STRING_UNINSTALL = Uninstall STRING_ENGINE_UNINSTALL = Uninstalling Engine STRING_CLIENT_UNINSTALL = Uninstalling Client STRING_FINISHED = Completed STRING_THANKS_FOR_USING_BLUESTACKS = Thank you for using @@STRING_PRODUCT_NAME@@ STRING_REASON_FOR_UNINSTALL = Please tell us why you chose to uninstall @@STRING_PRODUCT_NAME@@ STRING_INSTALL_ENGINE_FAIL = Could not install Engine STRING_INSTALL_GAME_FAIL = Could not install a game STRING_CONFLICT_WITH_OTHERS = Conflict with other software STRING_START_ENGINE_FAIL = Engine did not start STRING_GAME_LAG = Game play feels slow/sluggish STRING_BLACK_SCREEN = Black screen STRING_CANNOT_FIND_GAME = Could not find a game STRING_APP_CRASH = App crash STRING_EXE_CRASH = .exe crash STRING_OTHER_REASON = Other reasons or information, e.g., game name, etc. STRING_INSTANCE_ALREADY_RUNNING_DELETE_IT = This instance is already running. Are you sure want to delete it? STRING_GUEST_NOT_BOOTED = Engine is not ready, please wait STRING_MULTIINSTANCE = Multi instance STRING_INSTALL_APK = Install apk STRING_UNINSTALL_APP = Uninstall app STRING_DELETE = Delete STRING_DEFAULT_KEYBOARD_MAPPING_SETTING_01 = Keyboard controls available for this app STRING_DEFAULT_KEYBOARD_MAPPING_SETTING_02 = Please click below to check or edit STRING_DOWNLOAD_GOOGLE_APP_POPUP_STRING_04 = Do not show again STRING_UPGRADE_NOW = Update now STRING_INSTALLATION_ERROR = Installation error STRING_TRY_RESTARTING_MACHINE = Restart your PC and try again STRING_MULTI_INSTANCE_CREATE_ERROR = Unfortunately, @@STRING_PRODUCT_NAME@@ could not create an instance. STRING_ARE_YOU_SURE = Are you sure? STRING_RESTART_MACHINE_PROMPT = Would you like to restart your PC? STRING_OPEN_KEYMAPPING_UI = Open keyboard controls UI STRING_MAXIMIZE_TOOLTIP = Maximize STRING_VERION_DOWNGRADE = Downgrade STRING_VERSION_ALREADY_INSTALLED = Latest version already installed STRING_CANT_USE_THIS_FOLDER = Unfortunately, the selected folder cannot be used to install @@STRING_PRODUCT_NAME@@ STRING_NO_DISK_SPACE = Unfortunately, there is insufficient disk space STRING_MULTI_INSTANCE_CREATE_BUSY = A new instance is already being created. Please wait for it to complete. STRING_MULTI_INSTANCE_DELETE_BUSY = An instance is already being deleted. Please wait for it to complete STRING_UNINSTALL_BLUESTACKS = Would you like to uninstall @@STRING_PRODUCT_NAME@@? STRING_CLIENT_VERSION = Client version STRING_SYSTEM_REQUIREMENTS_NOT_MET = Minimum system requirements not met STRING_RESTART_NOW = Restart now STRING_EXIT_INSTANCE = Would you like to close this instance? STRING_INSTANCE_CLOSE_TITLE = Close instance STRING_BLUESTACKS_UPDATE_AVAILABLE = @@STRING_PRODUCT_NAME@@ updater STRING_DOWNLOADING_BLUESTACKS_UPDATE = Downloading @@STRING_PRODUCT_NAME@@ update VERSION = Version STRING_ERROR = Error STRING_SCREEN1_TEXT1 = Click on the > button visible on your screen to become familiar with useful features STRING_DIRECTX = DirectX STRING_OPENGL = OpenGL STRING_ENGINE_FAIL_HEADER = Could not start the Engine STRING_ENGINE_RESTART = You can try restarting either the Engine or your PC STRING_CREATING_BACKUP = Creating backup STRING_BACKUP_PLEASE_WAIT = Please wait while we backup your @@STRING_PRODUCT_NAME@@ data to the chosen folder. STRING_RESTORE_BACKUP = Restore backup STRING_RESTORING_BACKUP = Restoring backup STRING_RESTORE_PLEASE_WAIT = Please wait while we restore your @@STRING_PRODUCT_NAME@@ data from the chosen folder. STRING_MAKE_SURE_LATEST_WARNING = Please backup your latest @@STRING_PRODUCT_NAME@@ data (instances, settings, installed games, game data, and keyboard controls ) before restoring from another backup taken earlier. Otherwise, you may lose them and may not be able to recover them again. STRING_BACKUP_WARNING = Backup warning STRING_BLUESTACKS_BACKUP_PROMPT = You will not be able to use @@STRING_PRODUCT_NAME@@ during the process, are you sure you want to proceed? STRING_QUITTING_BLUESTACKS_WHILE_BACKUP_PROMPT = You are about to quit @@STRING_PRODUCT_NAME@@ for creating a backup. Are you sure you want to continue ? STRING_BLANK_NOTIFICATION = Your app has a notification STRING_QUITTING_BLUESTACKS_WHILE_RESTORE_PROMPT = Please wait while we quit @@STRING_PRODUCT_NAME@@, it will automatically start when the restore completes. STRING_SUCCESS = Success STRING_LAUNCHING_BLUESTACKS = Launching @@STRING_PRODUCT_NAME@@ STRING_RUNNING_COMMANDS = Running commands STRING_COMMANDS_ERROR = Encountered an error condition, error code is STRING_TOOL_SUCCESS = Completed successfully. STRING_DELETING_BACKUP = Deleting backup STRING_DELETING_BACKUP_INFO = Please wait while we are cancelling your backup. STRING_ANOTHER_BLUESTACKS_INSTANCE_RUNNING_PROMPT_TEXT1 = Another @@STRING_PRODUCT_NAME@@ program is already running. STRING_AN

Emails

[email protected]

URLs

https://bluestacks.com

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bluestacks-app-player-4-240-0-1075.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	bluestacks-app-player-4-240-0-1075.exe

Executes dropped EXE 3 IoCs

pid	Process
2696	BlueStacksInstaller.exe
3740	BlueStacksInstaller.exe
1352	BlueStacksInstaller.exe

Loads dropped DLL 3 IoCs

pid	Process
2696	BlueStacksInstaller.exe
3740	BlueStacksInstaller.exe
1352	BlueStacksInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
2696	BlueStacksInstaller.exe
3740	BlueStacksInstaller.exe
3740	BlueStacksInstaller.exe
1352	BlueStacksInstaller.exe
1352	BlueStacksInstaller.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3740	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	BlueStacksInstaller.exe
Token: SeDebugPrivilege	3740	BlueStacksInstaller.exe
Token: SeDebugPrivilege	1352	BlueStacksInstaller.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2696	4944	bluestacks-app-player-4-240-0-1075.exe	80
PID 4944 wrote to memory of 2696	4944	bluestacks-app-player-4-240-0-1075.exe	80
PID 2696 wrote to memory of 3740	2696	BlueStacksInstaller.exe	82
PID 2696 wrote to memory of 3740	2696	BlueStacksInstaller.exe	82
PID 3740 wrote to memory of 3924	3740	BlueStacksInstaller.exe	90
PID 3740 wrote to memory of 3924	3740	BlueStacksInstaller.exe	90
PID 3740 wrote to memory of 3924	3740	BlueStacksInstaller.exe	90
PID 3924 wrote to memory of 1352	3924	bluestacks-app-player-4-240-0-1075.exe	91
PID 3924 wrote to memory of 1352	3924	bluestacks-app-player-4-240-0-1075.exe	91

C:\Users\Admin\AppData\Local\Temp\bluestacks-app-player-4-240-0-1075.exe
"C:\Users\Admin\AppData\Local\Temp\bluestacks-app-player-4-240-0-1075.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe" "install" "bluestacks-app-player-4-240-0-1075.exe" "null" "admin" "9141d081-a6e9-4553-921a-735396ee4d8c" "45595e1c-cff6-4947-9b87-01a6763b21d8"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\BlueStacksSetup\bluestacks-app-player-4-240-0-1075.exe
      "C:\Users\Admin\AppData\Local\BlueStacksSetup\bluestacks-app-player-4-240-0-1075.exe" -versionMachineID=45595e1c-cff6-4947-9b87-01a6763b21d8 -machineID=9141d081-a6e9-4553-921a-735396ee4d8c -pddir="C:\ProgramData\BlueStacks"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\BlueStacksInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\BlueStacksInstaller.exe" -versionMachineID=45595e1c-cff6-4947-9b87-01a6763b21d8 -machineID=9141d081-a6e9-4553-921a-735396ee4d8c -pddir="C:\ProgramData\BlueStacks"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BlueStacks\BlueStacksMicroInstaller_4.240.0.1075.log

Filesize
1KB

MD5
b45cf7e15fc94b0bf98743ce670e4afc

SHA1
a6420d64b34734a87d691fb1f4335efcaece61da

SHA256
9c6b7cd4f1682a32428e2ca6fc489a8a0040dd7cc1e044e204754faf56d770ad

SHA512
7bafa3bb2464dce1f7a68ee5d92d3b57db5040a2316dd4d1dd3c999164a436a6415ecaafa57e9c9f478b4131eccbf5e8baaa2269366796d497e5b907d1601603

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks\BlueStacksMicroInstaller_4.240.0.1075.log

Filesize
5KB

MD5
b01430303dd96e7f33a4752c0c547bd6

SHA1
2cdc49580496775d64dae2a216ab188e4d0ca8f3

SHA256
67ab41a8f5f4ed82bae15efce5fd1b50f4947aecd1c04ba315f0b94476608151

SHA512
901cdbc4d952b23d6f307d1599b41dca5aa51abe2660de9db76ed3cdcd2d26e7f9780421f8fc033360f470dc11c830a23ff8c728965e18d6e5175c2ebe10a5d2

Download Submit
C:\Users\Admin\AppData\Local\Bluestacks\Logs.log

Filesize
105B

MD5
c4ab3e9ae363b080b84db5bc37040dfd

SHA1
46a4432006280539e381c9a57a0843907fcc074c

SHA256
575e063185ac7531372a869a1ed62ae2d62b575a858e237df4737948b13945c9

SHA512
39b9b1d34007b793e012a2b1025f0e99c93fa236033f731c2eb4caaf2a1faed1e7b19447c204107bf3f21fb2387ca92592395b6af4d6a76961cf79d3abc2ac44

Download Submit
C:\Users\Admin\AppData\Local\Bluestacks\Logs.log

Filesize
309B

MD5
7d05a608ee68ea6525912452d91f59ce

SHA1
14bcfeb38d10c79840f8028d2e7d2a26e76b2cc6

SHA256
ab884796da2b6b57c7b22e5623d3c280fc9994353fe25e9bcb2a72362ac40463

SHA512
c65cafc92897ceeaa0ed37ab6293bb868951287e9703a1766882a4b09e38564ded3df7ab2d8f7778346cfcc3677c63d73c06bbbe99ecc320b972853cba4694b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlueStacksInstaller.exe.log

Filesize
2KB

MD5
0f186e94e9b99a5e2e31c2dc955346cc

SHA1
ffd9997b2db8c39f410f5d2a9f3d080f8d7523b7

SHA256
bf171a0e53a7acb766fd4f462f516bc2bab3dbc6e12b7b2423af5bae8be1fdf4

SHA512
530ea4c1e9fd6799cbb1be4f7278d4e9ce23875898164dc42650e62e8b37cd886cfa0174310541736487e58ca691a83b1079aa8780ebb7491de8da65c3433488

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe

Filesize
642KB

MD5
22220d9945694adebe2461df80330015

SHA1
81a7d67c06a913a22bdfa99e5702afa587f5e532

SHA256
ca4c0af30fcd6445d3b4634ed4df24ac3d8e2eccce50fc0d4b45983f80f9b98f

SHA512
2d240c42d88699bb3443624a706345dc5d5f9e0ab56ee54ecad82b5d871ff52b4c140e56f7334ddd465595cd64aa974541b878bdd37ab1778a23619d8e5f0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe

Filesize
642KB

MD5
22220d9945694adebe2461df80330015

SHA1
81a7d67c06a913a22bdfa99e5702afa587f5e532

SHA256
ca4c0af30fcd6445d3b4634ed4df24ac3d8e2eccce50fc0d4b45983f80f9b98f

SHA512
2d240c42d88699bb3443624a706345dc5d5f9e0ab56ee54ecad82b5d871ff52b4c140e56f7334ddd465595cd64aa974541b878bdd37ab1778a23619d8e5f0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe

Filesize
642KB

MD5
22220d9945694adebe2461df80330015

SHA1
81a7d67c06a913a22bdfa99e5702afa587f5e532

SHA256
ca4c0af30fcd6445d3b4634ed4df24ac3d8e2eccce50fc0d4b45983f80f9b98f

SHA512
2d240c42d88699bb3443624a706345dc5d5f9e0ab56ee54ecad82b5d871ff52b4c140e56f7334ddd465595cd64aa974541b878bdd37ab1778a23619d8e5f0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\HD-Common-Native.dll

Filesize
550KB

MD5
6a460a2c1bf5fcdad829fbb2c0ce94ed

SHA1
9773df920340c194ab10d30b41cd8b50e566864c

SHA256
ba3e51dc14c1d98e5477b45c0f0a45d2fab180c446b5537e533054c7ce28eba5

SHA512
c725ab4fa9bf6888f6da655924543aacce0f1b07f86cdf19f35acf512157324f1d2467a9bdb6e237adb4b3b581788b00e7810feca71af7072dfead69c5f87087

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\HD-Common-Native.dll

Filesize
550KB

MD5
6a460a2c1bf5fcdad829fbb2c0ce94ed

SHA1
9773df920340c194ab10d30b41cd8b50e566864c

SHA256
ba3e51dc14c1d98e5477b45c0f0a45d2fab180c446b5537e533054c7ce28eba5

SHA512
c725ab4fa9bf6888f6da655924543aacce0f1b07f86cdf19f35acf512157324f1d2467a9bdb6e237adb4b3b581788b00e7810feca71af7072dfead69c5f87087

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\HD-Common-Native.dll

Filesize
550KB

MD5
6a460a2c1bf5fcdad829fbb2c0ce94ed

SHA1
9773df920340c194ab10d30b41cd8b50e566864c

SHA256
ba3e51dc14c1d98e5477b45c0f0a45d2fab180c446b5537e533054c7ce28eba5

SHA512
c725ab4fa9bf6888f6da655924543aacce0f1b07f86cdf19f35acf512157324f1d2467a9bdb6e237adb4b3b581788b00e7810feca71af7072dfead69c5f87087

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS05347836\Locales\i18n.en-US.txt

Filesize
114KB

MD5
de5c90736dbdb0d8fc21ede2c708d290

SHA1
bc2baef7a979f28ff93aac75da888d711fd597a9

SHA256
9abc2b3d15d93426144af57d7c9603b21d6da70d523b3ae62695e854fe0240b0

SHA512
38da6d0956eed49429ac84bac1212572553abbc3518b5fcff66db21f454b534b8c06ae57005b3f76c4036eccdef0c27b3895aacd3076aeef03c6db180b434c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\BlueStacksInstaller.exe

Filesize
642KB

MD5
22220d9945694adebe2461df80330015

SHA1
81a7d67c06a913a22bdfa99e5702afa587f5e532

SHA256
ca4c0af30fcd6445d3b4634ed4df24ac3d8e2eccce50fc0d4b45983f80f9b98f

SHA512
2d240c42d88699bb3443624a706345dc5d5f9e0ab56ee54ecad82b5d871ff52b4c140e56f7334ddd465595cd64aa974541b878bdd37ab1778a23619d8e5f0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\BlueStacksInstaller.exe

Filesize
642KB

MD5
22220d9945694adebe2461df80330015

SHA1
81a7d67c06a913a22bdfa99e5702afa587f5e532

SHA256
ca4c0af30fcd6445d3b4634ed4df24ac3d8e2eccce50fc0d4b45983f80f9b98f

SHA512
2d240c42d88699bb3443624a706345dc5d5f9e0ab56ee54ecad82b5d871ff52b4c140e56f7334ddd465595cd64aa974541b878bdd37ab1778a23619d8e5f0f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\HD-Common-Native.dll

Filesize
550KB

MD5
6a460a2c1bf5fcdad829fbb2c0ce94ed

SHA1
9773df920340c194ab10d30b41cd8b50e566864c

SHA256
ba3e51dc14c1d98e5477b45c0f0a45d2fab180c446b5537e533054c7ce28eba5

SHA512
c725ab4fa9bf6888f6da655924543aacce0f1b07f86cdf19f35acf512157324f1d2467a9bdb6e237adb4b3b581788b00e7810feca71af7072dfead69c5f87087

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\HD-Common-Native.dll

Filesize
550KB

MD5
6a460a2c1bf5fcdad829fbb2c0ce94ed

SHA1
9773df920340c194ab10d30b41cd8b50e566864c

SHA256
ba3e51dc14c1d98e5477b45c0f0a45d2fab180c446b5537e533054c7ce28eba5

SHA512
c725ab4fa9bf6888f6da655924543aacce0f1b07f86cdf19f35acf512157324f1d2467a9bdb6e237adb4b3b581788b00e7810feca71af7072dfead69c5f87087

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45FC6496\Locales\i18n.en-US.txt

Filesize
114KB

MD5
de5c90736dbdb0d8fc21ede2c708d290

SHA1
bc2baef7a979f28ff93aac75da888d711fd597a9

SHA256
9abc2b3d15d93426144af57d7c9603b21d6da70d523b3ae62695e854fe0240b0

SHA512
38da6d0956eed49429ac84bac1212572553abbc3518b5fcff66db21f454b534b8c06ae57005b3f76c4036eccdef0c27b3895aacd3076aeef03c6db180b434c3a

Download Submit
C:\Users\Public\BlueStacks\MachineID

Filesize
36B

MD5
c0a3e3def46e91cd8c8c6a364b966376

SHA1
2c689f082b0183bf0e36e8c7eb33d3288b4a757d

SHA256
e136a23b51c7e9c1a5a008bdeb14a5a63c9edad2a0d548f81a4501a77b05af62

SHA512
55bec3f4fbc0898ccdb6215cb6434dd9405b5d7c12b8a64d94b5731362312c9ced2e4d181102f685cc14c519fb45d36d7deb8bd23f4faa62cee5c8b297365e30

Download Submit
C:\Users\Public\BlueStacks\VersionMachineId_4.240.0.1075

Filesize
36B

MD5
79ed040afefacf9da4fa94c03d884311

SHA1
c760690f6c0f0d73b38e39ec57677d0321261863

SHA256
f19822d97376ce6af3f8b3b1a40fc19a59a59deb8ee2b4a0ef97792684e5ddf8

SHA512
d8c8e75bbf8d640c6f5cd2913d1b282c788275a4641be1012c05010d8185e089016dd6d70e640207e39f7729b72768e66d9a0cb7d00abe285078223f6e834efe

Download Submit
memory/1352-166-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1352-167-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/1352-168-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-137-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-136-0x0000000000880000-0x0000000000924000-memory.dmp

Filesize
656KB

Download
memory/2696-154-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/2696-171-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-164-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-151-0x0000000020880000-0x000000002088E000-memory.dmp

Filesize
56KB

Download
memory/3740-150-0x00000000208B0000-0x00000000208E8000-memory.dmp

Filesize
224KB

Download
memory/3740-149-0x0000000021220000-0x0000000021228000-memory.dmp

Filesize
32KB

Download
memory/3740-148-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-170-0x00007FFBCDFE0000-0x00007FFBCEAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-153-0x0000000021DB0000-0x0000000021E18000-memory.dmp

Filesize
416KB

Download