2e3df69c779df08163bdc0366f7dcb66b1a1c49e1dff33d21c98753a65abc089

Analysis

max time kernel
382s
max time network
387s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2023 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe
Size

899KB
MD5

fed49c1d7213ed9907974d72af383d5b
SHA1

820c57f167ad2ec371a4a2b2435496395d77b578
SHA256

2e3df69c779df08163bdc0366f7dcb66b1a1c49e1dff33d21c98753a65abc089
SHA512

5446b84243d7a604cded3fcf7383d7ff0fdfba2bcf43c439f3edfe02ab3050b9cd612d93c61521696899c500d571d98dedde1eff6b076955c1fc6dfdf7e32026
SSDEEP

12288:livtCXQd0gjKX7zuqGKEFGPDy1xrqNFpMUFtlMx9T7FBZguJrwzncLuwng:livtCXWeGKEFGXFmUBOvhEzncL5ng

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
6012	netsh.exe
6204	netsh.exe
5800	netsh.exe
1620	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.BlueStacks Services = "C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe --hidden"	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.BlueStacks Services = "C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe --hidden"	BlueStacksServices.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BSX-Setup-5.13.220.1002_nxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	BlueStacks X.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BlueStacks X\api-ms-win-eventing-provider-l1-1-0.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libmad_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\misc\liblogger_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\mgr_hover.svg	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\tick.png	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\hr.pak	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qt_ko.qm	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libnormvol_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\codec\libspudec_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\librv32_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\account\edit.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\no_game_arrow.png	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qt_nn.qm	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\www\images\msi5-noNetwork.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\imageformats\qicns.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libanaglyph_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libvhs_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\app.ico	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\locales\nb.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\quest.png	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\fa.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\el.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-utility-l1-1-0.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\imageformats\qtga.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\locales\zh-TW.pak	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\resources.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\NavigatorForward_Holding.svg	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\language\pt.qm	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libstereo_widen_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter\libskiptags_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\liberase_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\locales\ja.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\green.bat	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\settings\remove_normal.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\msvcp140_atomic_wait.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\services_discovery\libupnp_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\position\qtposition_positionpoll.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\ucrtbase.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\account\now.gg.svg	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\account\to.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\pc_refresh_holding.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\access\libvdr_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\bearer	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\wallet	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\en-US.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\msvcp140_codecvt_ids.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\xplugins\MyGamePlugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\audio	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\DownloadDialog	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Gallery\close_pressed.svg	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\NavigatorBack_Holding.svg	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\misc\libaddonsfsstorage_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libswscale_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\Qt5SerialPort.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\cef\locales\nl.pak	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\Search\Promotes_Title.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\access\libtimecode_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\d3dcompiler_47.dll	BSX-Setup-5.13.220.1002_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter\libcache_block_plugin.dll	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\icon_onCloud_delete.svg	BSX-Setup-5.13.220.1002_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\settings\Jump.svg	BSX-Setup-5.13.220.1002_nxt.exe

Executes dropped EXE 20 IoCs

pid	Process
1732	BlueStacksInstaller.exe
2728	HD-CheckCpu.exe
964	HD-CheckCpu.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
5356	BlueStacksInstaller.exe
6184	HD-CheckCpu.exe
408	BlueStacksServicesSetup.exe
4700	BlueStacksServices.exe
6364	BlueStacksServices.exe
6932	BlueStacksServices.exe
5412	BlueStacksServices.exe
5136	BlueStacksServices.exe
2748	BlueStacksServices.exe
1844	BlueStacksServices.exe
5808	BlueStacksServices.exe
1384	BlueStacksServices.exe
1732	BlueStacksServices.exe
6944	BlueStacks X.exe
1824	BlueStacksWeb.exe
1576	BlueStacksWeb.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	BlueStacks X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlueStacks X.exe

Enumerates processes with tasklist 1 TTPs 33 IoCs

Process Discovery

T1057

pid	Process
868	tasklist.exe
5748	tasklist.exe
4448	tasklist.exe
3196	tasklist.exe
5424	tasklist.exe
5240	tasklist.exe
5828	tasklist.exe
1824	tasklist.exe
7152	tasklist.exe
3716	tasklist.exe
6076	tasklist.exe
5016	tasklist.exe
3504	tasklist.exe
6408	tasklist.exe
5492	tasklist.exe
4496	tasklist.exe
3204	tasklist.exe
4812	tasklist.exe
2972	tasklist.exe
1932	tasklist.exe
6372	tasklist.exe
3288	tasklist.exe
3192	tasklist.exe
1124	tasklist.exe
6428	tasklist.exe
2784	tasklist.exe
4528	tasklist.exe
6332	tasklist.exe
6996	tasklist.exe
1912	tasklist.exe
6344	tasklist.exe
2680	tasklist.exe
4104	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\URL Protocol	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe\" \"%1\""	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X	BSX-Setup-5.13.220.1002_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\URL Protocol	BSX-Setup-5.13.220.1002_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell\	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell\open\command	BSX-Setup-5.13.220.1002_nxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\URL Protocol	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell\open\command	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell\open\command	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\DefaultIcon	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell\open	BSX-Setup-5.13.220.1002_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell\open\	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs	BlueStacksServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\ = "URL:BlueStacks X Protocol Handler"	BSX-Setup-5.13.220.1002_nxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\ = "URL:bstsrvs"	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{1495CB5F-CCBB-4A50-9962-2330A15FE6D6}	BlueStacks X.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell\open	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe\" \"%1\""	BlueStacksServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\DefaultIcon\ = "C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe,0"	BSX-Setup-5.13.220.1002_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\shell	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\bstsrvs\ = "URL:bstsrvs"	BlueStacksServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacks X\shell\open\command\ = "\"C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe\" -open \"%1\""	BSX-Setup-5.13.220.1002_nxt.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6944	BlueStacks X.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1732	BlueStacksInstaller.exe
1732	BlueStacksInstaller.exe
1732	BlueStacksInstaller.exe
1732	BlueStacksInstaller.exe
1732	BlueStacksInstaller.exe
1732	BlueStacksInstaller.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
2532	BSX-Setup-5.13.220.1002_nxt.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
5356	BlueStacksInstaller.exe
408	BlueStacksServicesSetup.exe
408	BlueStacksServicesSetup.exe
4528	tasklist.exe
4528	tasklist.exe
1824	BlueStacksWeb.exe
1576	BlueStacksWeb.exe
16716	msedge.exe
16716	msedge.exe
4276	msedge.exe
4276	msedge.exe
14184	identity_helper.exe
14184	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6944	BlueStacks X.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1732	BlueStacksInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	BlueStacksInstaller.exe
Token: SeSecurityPrivilege	2532	BSX-Setup-5.13.220.1002_nxt.exe
Token: SeDebugPrivilege	5356	BlueStacksInstaller.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeSecurityPrivilege	408	BlueStacksServicesSetup.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeDebugPrivilege	3504	tasklist.exe
Token: SeDebugPrivilege	6332	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe
Token: SeDebugPrivilege	3196	tasklist.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeDebugPrivilege	6372	tasklist.exe
Token: SeDebugPrivilege	5424	tasklist.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeDebugPrivilege	3288	tasklist.exe
Token: SeDebugPrivilege	6408	tasklist.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	4700	BlueStacksServices.exe
Token: SeShutdownPrivilege	4700	BlueStacksServices.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4700	BlueStacksServices.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe
4276	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
6944	BlueStacks X.exe
6944	BlueStacks X.exe
6944	BlueStacks X.exe
6944	BlueStacks X.exe
6944	BlueStacks X.exe
6944	BlueStacks X.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1732	2744	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe	90
PID 2744 wrote to memory of 1732	2744	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe	90
PID 1732 wrote to memory of 2728	1732	BlueStacksInstaller.exe	93
PID 1732 wrote to memory of 2728	1732	BlueStacksInstaller.exe	93
PID 1732 wrote to memory of 2728	1732	BlueStacksInstaller.exe	93
PID 1732 wrote to memory of 964	1732	BlueStacksInstaller.exe	98
PID 1732 wrote to memory of 964	1732	BlueStacksInstaller.exe	98
PID 1732 wrote to memory of 964	1732	BlueStacksInstaller.exe	98
PID 1732 wrote to memory of 2532	1732	BlueStacksInstaller.exe	107
PID 1732 wrote to memory of 2532	1732	BlueStacksInstaller.exe	107
PID 1732 wrote to memory of 2532	1732	BlueStacksInstaller.exe	107
PID 1732 wrote to memory of 5528	1732	BlueStacksInstaller.exe	110
PID 1732 wrote to memory of 5528	1732	BlueStacksInstaller.exe	110
PID 1732 wrote to memory of 5528	1732	BlueStacksInstaller.exe	110
PID 5528 wrote to memory of 5356	5528	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe	111
PID 5528 wrote to memory of 5356	5528	BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe	111
PID 5356 wrote to memory of 6184	5356	BlueStacksInstaller.exe	112
PID 5356 wrote to memory of 6184	5356	BlueStacksInstaller.exe	112
PID 5356 wrote to memory of 6184	5356	BlueStacksInstaller.exe	112
PID 408 wrote to memory of 1044	408	BlueStacksServicesSetup.exe	117
PID 408 wrote to memory of 1044	408	BlueStacksServicesSetup.exe	117
PID 408 wrote to memory of 1044	408	BlueStacksServicesSetup.exe	117
PID 1044 wrote to memory of 4528	1044	cmd.exe	119
PID 1044 wrote to memory of 4528	1044	cmd.exe	119
PID 1044 wrote to memory of 4528	1044	cmd.exe	119
PID 1044 wrote to memory of 6484	1044	cmd.exe	120
PID 1044 wrote to memory of 6484	1044	cmd.exe	120
PID 1044 wrote to memory of 6484	1044	cmd.exe	120
PID 2532 wrote to memory of 2300	2532	BSX-Setup-5.13.220.1002_nxt.exe	123
PID 2532 wrote to memory of 2300	2532	BSX-Setup-5.13.220.1002_nxt.exe	123
PID 2532 wrote to memory of 2300	2532	BSX-Setup-5.13.220.1002_nxt.exe	123
PID 2300 wrote to memory of 6632	2300	WScript.exe	128
PID 2300 wrote to memory of 6632	2300	WScript.exe	128
PID 2300 wrote to memory of 6632	2300	WScript.exe	128
PID 6632 wrote to memory of 6012	6632	cmd.exe	180
PID 6632 wrote to memory of 6012	6632	cmd.exe	180
PID 6632 wrote to memory of 6012	6632	cmd.exe	180
PID 6632 wrote to memory of 6204	6632	cmd.exe	133
PID 6632 wrote to memory of 6204	6632	cmd.exe	133
PID 6632 wrote to memory of 6204	6632	cmd.exe	133
PID 6632 wrote to memory of 5800	6632	cmd.exe	134
PID 6632 wrote to memory of 5800	6632	cmd.exe	134
PID 6632 wrote to memory of 5800	6632	cmd.exe	134
PID 6632 wrote to memory of 1620	6632	cmd.exe	135
PID 6632 wrote to memory of 1620	6632	cmd.exe	135
PID 6632 wrote to memory of 1620	6632	cmd.exe	135
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136
PID 4700 wrote to memory of 6364	4700	BlueStacksServices.exe	136

C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    PID:964
- - C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.13.220.1002_nxt.exe
    "C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.13.220.1002_nxt.exe" -s
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\BlueStacks X\green.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c green.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6632
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="BlueStacksWeb"
        6⤵
        Modifies Windows Firewall
        
        PID:6012
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="Cloud Game"
        6⤵
        Modifies Windows Firewall
        
        PID:6204
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="BlueStacksWeb" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:5800
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Cloud Game" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\Cloud Game.exe"
        6⤵
        Modifies Windows Firewall
        
        PID:1620
- - C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe
    "C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.4.70.1002_native_b91c48101bfc7a192845165c24b6b96c_MzsxNSwwOzUsMTsxNSw0OzE1.exe" -versionMachineID=43303f8d-70e8-475a-b873-6db612b5cae9 -machineID=569601a5-d21d-400f-9bac-feece5d103b3 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.4.70.1002 -country=US -skipBinaryShortcuts -isWalletFeatureEnabled
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\BlueStacksInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\BlueStacksInstaller.exe" -versionMachineID=43303f8d-70e8-475a-b873-6db612b5cae9 -machineID=569601a5-d21d-400f-9bac-feece5d103b3 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Nougat32 -imageToLaunch=Nougat32 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.4.70.1002 -country=US -skipBinaryShortcuts -isWalletFeatureEnabled
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5356
    - - C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\HD-CheckCpu.exe" --cmd checkHypervEnabled
        5⤵
        Executes dropped EXE
        
        PID:6184

C:\ProgramData\BlueStacksServicesSetup.exe
"C:\ProgramData\BlueStacksServicesSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\find.exe
    find "BlueStacksServices.exe"
    3⤵
    PID:6484

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --hidden --initialLaunch
1⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1720,i,3731228841226888991,7895956226903679304,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:6364
- C:\Windows\system32\cscript.exe
  cscript.exe
  2⤵
  PID:1184
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=2028 --field-trial-handle=1720,i,3731228841226888991,7895956226903679304,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6932
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:2292
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:5576
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:2700
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:5504
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:5460
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2652 --field-trial-handle=1720,i,3731228841226888991,7895956226903679304,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5412
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:1316
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:3784
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1996
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4812
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3324
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6324
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:4336
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6012
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6280
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5424
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2948
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2028
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6408
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:7152
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:2404
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:6448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5428
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3076
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4948
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1932
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3436 --field-trial-handle=1720,i,3731228841226888991,7895956226903679304,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1384
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:4340
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:5392
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:6492
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:5532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7164
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6664
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1124
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3808 --field-trial-handle=1720,i,3731228841226888991,7895956226903679304,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3004
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2988
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:888
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5576
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4728
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5880
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1984
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:448
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5764
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7032
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5136
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4504
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7148
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2300
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:364
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5020
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6720
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4340
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4812

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe"
1⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5136
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1700,i,8019859635901825227,16069272433107540555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=1908 --field-trial-handle=1700,i,8019859635901825227,16069272433107540555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id="electron.app.BlueStacks Services" --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2220 --field-trial-handle=1700,i,8019859635901825227,16069272433107540555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5808

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe
"C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6944
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bluestacks.go2cloud.org/aff_c?aff_id=1&offer_id=13401&source=bsx_app_detail~~~0~0bfc7a1d-cda3-4449-ab8d-68e869490f86~10.4.70.1002
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd403546f8,0x7ffd40354708,0x7ffd40354718
    3⤵
    PID:18296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    3⤵
    PID:16696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:16716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:16928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    3⤵
    PID:15728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:15736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
    3⤵
    PID:15180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    PID:14200
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:14184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:14060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
    3⤵
    PID:14068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
    3⤵
    PID:13784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7007781041936076229,8422636911432230470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
    3⤵
    PID:13792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:16004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:15872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe

Filesize
475KB

MD5
94b44422c2842c6362540a9d788a8174

SHA1
6cada90bc410e25b4689e92bad20944282e2cf68

SHA256
b0b6d9077232dd5ed5bb88119db9a862f53f7c1974b2dd7e7afbe60bcdc9cc58

SHA512
b5b5935555b2f51b8edfc9ce34a173d405774a6736c689b18ac25bf365808d86656e7c4c1f95f2f89056e588db81f30c5b47ef3c3704c05695b7a9a3183d6132

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_disabled.svg

Filesize
569B

MD5
e7fdf6a9c8cae1fc1108dc5a803a1905

SHA1
2853f9ff5e63685ebb1449dcf693176b17e4ab60

SHA256
8ee5aa84139b2ea5549f7272523aeb203d73954c5ccdcf6f7407bf1a3469f13e

SHA512
a6388b24926934e20ccf7fcab41bd219dc6c0053428481d7f466bf89f26bf1a36fdff716a9ddd9ab268df73b04dff1449c6bac1f5c707e31ae2ee71c2087e0d9

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_hover.svg

Filesize
653B

MD5
76166804e6ce35e8a0c92917b8abc071

SHA1
8bd38726a11a9633ac937b9c6f205ce5d36348b0

SHA256
1bca2e912184b8168ee8961de68d1d839f4f9827fde6f48ab100fb61e82eff90

SHA512
93c4f1af7e9f89091a207ab308e05ddd4c92406c039f7465d3b8aca7e0cc7a6c922a22e1eee2f5c88db5e89016ef69294b2a0905d7d6a90fd32835bc11929005

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_normal.svg

Filesize
569B

MD5
3221ac69d7facd8aa90ffa15aea991b0

SHA1
e0571f30f4708ec78addc726a743679ca0f05e45

SHA256
92aeae68e9e0973d9e0dc575941f1cb2e24afd0574341a46b870be7384eaa537

SHA512
5e2de0abfe60a4db16ea5e8739260c19962fbfc60869a77bde6ab3547ad8ee3ad88e74e97da31fa23be096afddad018e431d152d6d0fa21a75357a11dacb1328

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_pressed.svg

Filesize
653B

MD5
dfddf8d0788988c3e48fcbfb2a76cd20

SHA1
463bb61f0012289e860c32f1885a3a8f57467f2e

SHA256
9585f41eb6202e89f2087266fa31852d7f41ca8cc659b907c96753fe165f937d

SHA512
e708c5114c60f7574589d6a56c9faedda26ee4a40f0eeb25f5e12eadcf790f24fdbf393fa0aa6ad449b5337d625b092d6f8822472fa8a6ce1339aca59c50c3ca

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
768B

MD5
f7d6be5a66b64426d8f6d0b842d1493e

SHA1
ec5849da4b79dd042b2847d28663b9370d442fc8

SHA256
e0d644d3e55ca726a6ba18e2a3fb79c9221652f6f838d855379f799147a0c02d

SHA512
1d6c26a84eee020c48fd4e853efea1e184d2af1e40195ca66fc61c184b6287eee8ab54b20275cc9438cd135e82f41111cd91c15d0d2a279f607317d4539b30f7

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
1KB

MD5
79a0c7857caecddf3cc7fe29fdbaaee7

SHA1
5ff0156ac6f31a001736386aa6d4532220a1133f

SHA256
2d88a99bea1a80c813df28b7eaef37d5f1f93f76961710b4ac4f55910201fc35

SHA512
d35c44d4b7bedaa7db4f47a71296ccd80764decea3a0b50eea86c108a946aadf9837c5a1c98bf2938567b03531d7346cac537646a53a0e06f3fd5551f9a97f81

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
4KB

MD5
d511a78076239642ccbacf8ed0f26c3e

SHA1
8ad4b92597c85c515daea43626008f4d76ac5a02

SHA256
454fb4101c029496b869a23be457d755107a1c3da1ecff6538774fda24a94ab1

SHA512
37c98faf48e8ca3118f4203a425fa3512a219a580bad5706c5d8c8d577d461668527bd7d4b4efc68a22457da031800604dd0bf7f5e1f7732d14797e9ae6c1bf6

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Nougat32_5.13.220.1002.exe

Filesize
446.1MB

MD5
75673c7e285e45f9da41446ac3bb83a7

SHA1
12c95aaff3432c028546a29adf4ade0ec3feae75

SHA256
6db177ee7e436762b11d10752f0690a2bd0ed0bd3801753d8f406270cb76c863

SHA512
552f1455a6abba26920be871dbcb6cba90dd8e2af6723f1e6a897958deaffbd7ba83e5835e04ee9ef8f728190b12b4bff56a8554b11e0d0ef851eaccfd5c2739

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\Network Persistent State

Filesize
955B

MD5
8b0ff587e0882903207a527669261d85

SHA1
9f579ec8215c5d1f4571cd838376c7b3315958c8

SHA256
cd4c6d566b333fbeceded7a8bad4c468134a62d4568234a638e56d00707c6729

SHA512
ca53c3739b869474f5e75288f7b401bb9fa8b4b3cbc614236db230396d4b76b5412db738a059aa391b8d8862c3cd453a36e4c33779c11c48479219660fad437d

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\TransportSecurity

Filesize
1KB

MD5
3906b9ae5fd4bc792f66a2bdce968e68

SHA1
9e503d3b1b728c4d1eb53287a3738ead826972a7

SHA256
42a76d1c51f0111455ddd1c8f8b07872a489af062474644d78707a1012938648

SHA512
8d39f43390adf74a4002d4ae05dfc0c5feaea162daf5a3ef7d44bcafb3f56ca875392d50c80e78428b469836be8ef20c5cd17374a7a0b325504218d266971065

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\TransportSecurity~RFe5ccf4e.TMP

Filesize
1KB

MD5
4617b4e602eb077728808d7a7736b4b7

SHA1
8db24db88d51b24a8fa5a118a0b146da611babf4

SHA256
e965920edfc3598d515a91540f73690db3f309e355a0830e54efdcfdf58d36fb

SHA512
bb6fe99f89b4ca2e49ba69090868f017e5dd7c25dd248552b79be4a42b60c7c4b5e16fb968dbe9d183c6bf0f7a54eebbef61b72ef9b2e095fc77318709e5dbe8

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.13.220.1002_nxt.exe

Filesize
160.0MB

MD5
3790b64b7d1bc73948f5100f9a4379e3

SHA1
d02e054ff8c0de91a30a416695106b23ff59982a

SHA256
75b691b9e4b1b558b94119c25c96c03e195b1e9fad0aad0fdd510d4e9218fdce

SHA512
13cc70ee6299a547aa26d50870a22df59d257fb9af7069cd6058442f4b36cecba36ec86622c3acd87faa2c5e50850ef9615a7e3177cf57f58f0173be6b0d0551

Download Submit
C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.13.220.1002_nxt.exe

Filesize
160.0MB

MD5
3790b64b7d1bc73948f5100f9a4379e3

SHA1
d02e054ff8c0de91a30a416695106b23ff59982a

SHA256
75b691b9e4b1b558b94119c25c96c03e195b1e9fad0aad0fdd510d4e9218fdce

SHA512
13cc70ee6299a547aa26d50870a22df59d257fb9af7069cd6058442f4b36cecba36ec86622c3acd87faa2c5e50850ef9615a7e3177cf57f58f0173be6b0d0551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0668bb9d-10e3-4b17-8dde-0874813351da.tmp

Filesize
6KB

MD5
ad5f4497db0a9e3419c73b6eba9b4c8d

SHA1
511d821ba687843ee6c68e412351faa7f104a3d2

SHA256
4ec08d5c4c24c7167f518b4d9f787ce11a405a081de40004f6da1690ac8a5a7c

SHA512
caf1e6650ee6f06865145cc78c02293c187bf615753c633c3988618f4f9805647991a07c1cfd4e2c27d7e09da233d06ed9a18e057629e95e5ab28d48d39b806c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\17ea2233-ffd7-4ea7-b0d8-83cc242f9868.tmp

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f112c1fac1bef4ea775201d4a1a77364

SHA1
c74df718f52bf8ceba475af023aed4f947eb2663

SHA256
93408e996ec510df0d7944222c633e5677acda681fb78d787edb809bc0b90a1e

SHA512
4c4f0f38106d8c2b9716a0b302a7c23e8a328fc71d9a4eec3ff81d0b21cd218c81e509274b917bf71188e471291b86132f37e51c137cab34be7499a45a070f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8d0f522f4654d99d4caa783c19ad470

SHA1
869b9715e2721d523a9b65be4d8f152338eba357

SHA256
2791d17d2efe7e9f82b64b96c769bcfe1ffc4cfaab4ecea407863ab05624e171

SHA512
a57b04b220af6b2086655df7657d2c226155350f3ae493cc3cdc2647d1866518be95127279b48ac4ac201782bba0e1f26d3a9e0b50264e21f3bcb32765a2ab57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
90c8e41e86ec558c1fe3517777e16a12

SHA1
fa51cdfbaaea0b9d3b37cdbfca389c7342f6c6a2

SHA256
524aa1036ab8a29efd110df0a25036f5d42e1d1273809fac3c4f98f8a11619f1

SHA512
45b24a1d54ec9ad852ae37941caa474301625e952b94761e10e4fc362ea7f58c6729f9af40a24ed1af04122940225bf7a1f1bac977a96a355b9a428c793945ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da5b7adb-6c57-4494-9f32-a128b473ccb1.tmp

Filesize
1KB

MD5
5b919c802390c9a5b2adb5ba2ac7bab4

SHA1
27e23999d1498f56365f2aa1e8dcbc3b81400750

SHA256
8bb2a80df7cb8de0df41249f23e45905a012a1dd199e8f7e6b40f4e75e320b08

SHA512
f47f408be6ab2d9e18d4e969153a718f65e25d165b3af2238043b026963fc413087cfdd4a55ad620b9a3cc89868ccd1bea2a560460085149525668cb4a9b0173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
59de5dce01cc682c0372ae6ecb39eb21

SHA1
4064b178c6f056c85650f7beafb2a624aca70ebc

SHA256
f0f4900c3500a3d428835d906c3d07fedd4d1739504d75553b75dc69303fd425

SHA512
7a2a5473170c091ce72fbc0e9ce3bb51f07305e0d1105e47e329eb1644c82247403035f11a8b0e04e90d7ca2a9d854b83299fd18fd9a03d06c3beacddecf0f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85e3cc677252849764d9bf59194ab689

SHA1
a07a58300445ef9b2ec14d4a8e13c96fe20abdb0

SHA256
0738c933b165168c39e52684f6e73be17e9410dce49bc91935c7ffa4b0b072dc

SHA512
5a919c91353a360de43e9ff6c5386240782ae151470c81b663da896d0626272ad60b792c4f3e2dfc73ecc1b5b9797c068e2c7d38130223f001a920f570c95f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9dad915e6838ca12fc42841988fe993

SHA1
ecada23e3d4ecc4c81390a7ede2be16857684ea1

SHA256
fd1ae77d0abd16df1d15affff46651e07562ec3837554ae8f1b22dea8375011d

SHA512
880624743b5938fc893b5072617b3c1f1c5c46e2fdd98700d0d357e2a4b856614301402ba90bddaa46785e93ebfcd60665d1d6f3242fe31b348ea8d63d630e18

Download Submit
C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe

Filesize
154.7MB

MD5
38165e6075caad04ce4d7d3b8ff622e9

SHA1
7bc1b82eb0a959cb5c15e10814cfe8ff19c114ea

SHA256
50444086b627e031a9b8b445d59104be7c451b420083b33a49fc335dd9faa278

SHA512
1ce00d7426a713bfbe13d131b3adf1286110b1f7ed04412853d9d1b27b99653805ee2c0ff19883c6c5e48c1ce5f998ddeba5c1a5655664b531f864a425dfc620

Download Submit
C:\Users\Admin\AppData\Local\Temp\47910f2d-dd42-4675-80cd-014bb517ca0a.tmp.node

Filesize
2.2MB

MD5
f9915c2277a4a90defe36e35d99f4858

SHA1
12331658f5269b6c7a23376c464e3600a0833064

SHA256
f3a6e09ff35cd15269e961e1ee1c43c2f469c48643ec95d587125c2ff2142bce

SHA512
aa6355ba96151bfffb67764ee179960acafea6667aaa2e40f84fb9d3628252a20c10f23c30b70a2a54d26f4cc1288b216528527c7f7244cde6d451c73d7ca426

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8958CBE9\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\checked_gray.png

Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\installer_bg.jpg

Filesize
78KB

MD5
3478e24ba1dd52c80a0ff0d43828b6b5

SHA1
b5b13bbf3fb645efb81d3562296599e76a2abac0

SHA256
4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904

SHA512
5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\installer_logo.png

Filesize
14KB

MD5
e33432b5d6dafb8b58f161cf38b8f177

SHA1
d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a

SHA256
9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183

SHA512
520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Assets\unchecked_gray.png

Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe

Filesize
604KB

MD5
2d7144b1538c8970bea65e27028f672d

SHA1
68e6ee91057ccd47bcff91f68d1cd55abe401bb1

SHA256
5df7d4c65e7a01c48560401dce8d309abb71e026d1602edc2e61940edf67d21f

SHA512
03efa3050c59b5a5941181b7aa02b5180d0ce68f4545e13cb9a41f795ea1ea3c1dc48020454440d4e7bfc0d8f5b10494f18d3fae33af568e974c9624f76611f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe

Filesize
604KB

MD5
2d7144b1538c8970bea65e27028f672d

SHA1
68e6ee91057ccd47bcff91f68d1cd55abe401bb1

SHA256
5df7d4c65e7a01c48560401dce8d309abb71e026d1602edc2e61940edf67d21f

SHA512
03efa3050c59b5a5941181b7aa02b5180d0ce68f4545e13cb9a41f795ea1ea3c1dc48020454440d4e7bfc0d8f5b10494f18d3fae33af568e974c9624f76611f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe

Filesize
604KB

MD5
2d7144b1538c8970bea65e27028f672d

SHA1
68e6ee91057ccd47bcff91f68d1cd55abe401bb1

SHA256
5df7d4c65e7a01c48560401dce8d309abb71e026d1602edc2e61940edf67d21f

SHA512
03efa3050c59b5a5941181b7aa02b5180d0ce68f4545e13cb9a41f795ea1ea3c1dc48020454440d4e7bfc0d8f5b10494f18d3fae33af568e974c9624f76611f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\Locales\i18n.en-US.txt

Filesize
18KB

MD5
34405af4ef073eebfaa23df0ba5555c0

SHA1
2024caf7834505097673287739f881d64f79e9b1

SHA256
f0c241cbc4175898b7bd568fc69ec02323c12faeeb752e8e43355fadcd05dd5f

SHA512
e7fc8cb7380ea15f366f867679a52f21ea1c14373f1042061e6d42ef64f8db61f110b9ba61c08e6ac6811621f3b26679e7c2778008ddc39b51956034a738fa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8BA9ACA7\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF004.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\nsDui.dll

Filesize
3.0MB

MD5
18901ccc9cb1c91e31d6e209ff4a7574

SHA1
a2584d84e825a7e202ba9e67afbd48ebc92ef732

SHA256
0e569441456efdff4549b283217c48046b67eb52b23f556df11005633a528863

SHA512
9ce7e5881e8a155f85902d1dbe786b8e3e2641c3160472dc70d2df89c6d308ba28bbb2ea222423e9f5ff768e02d7e410fb419ff86a00bd21d3d3bcb533ef1f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\nsDui.dll

Filesize
3.0MB

MD5
18901ccc9cb1c91e31d6e209ff4a7574

SHA1
a2584d84e825a7e202ba9e67afbd48ebc92ef732

SHA256
0e569441456efdff4549b283217c48046b67eb52b23f556df11005633a528863

SHA512
9ce7e5881e8a155f85902d1dbe786b8e3e2641c3160472dc70d2df89c6d308ba28bbb2ea222423e9f5ff768e02d7e410fb419ff86a00bd21d3d3bcb533ef1f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA19B.tmp\nsis7z.dll

Filesize
434KB

MD5
95f6f6ab9509bc366ab9215defe4251a

SHA1
e3f4a6effd6ca5838cfe91a01967cb72edcc7b0b

SHA256
a896a9ece055d334d431cd0f856113ab925d9ee86d2dee383c0bfbbef11a5b50

SHA512
a853f70d2ea7f384df99be067724bf3ca73c63f3c3573c112f5528fc86a96bd34509d934b038e2a81833f3abb3eedbc5894921291139100e01df6e35696c0ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\4cca53f6-999f-4863-ba65-c11b423e7ba7.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a4269493c62b3c83047ff7ee4e7fbfc6

SHA1
64331eb6209fed2f99c684a834e1134dccd3cc65

SHA256
d09ff9699f5de030aae948dbaad217bf5de0468c6653eecfa72ab951d3ca5f2e

SHA512
ac1be1e04848711b91d60bee1a914b7b6af774d1169cbd76a4f34d093ae9bceef582358f021de7ecaa60eaa48886c3068934394666688f1e21e9fb891b3151fe

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Code Cache\wasm\index-dir\the-real-index

Filesize
144B

MD5
71e0023134bb3edd3670de026945e84c

SHA1
5282efbd297904f6f331e8698792080e381be01e

SHA256
81d126c8b6a01f89f67b7bc12e61600b9366e2c9e56c66dac4ea16fa6a6406d2

SHA512
fd233975abe026b10639efe2d66247e874f2716983d1a2cd640cf72a631116d1e7e810578bc0f6e4878637923ccf1b45428b542026c8ba1feef43c62791b23c9

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\Network Persistent State

Filesize
2KB

MD5
c9d7c8ef84432fcb1cea5971f3bbcf3e

SHA1
57fee13b635bbf367d6b77bc4d1894a873c8e774

SHA256
6b8b0e4e70d0ddd94204be0c8d449d62ea9fc3f02fbae694baa277a9e554fb64

SHA512
738bb9492c2fab229c9c1a2dbf24352866222d725fd037ca50b5df3b79222c204465afbd24896a3e555508eee16fc17e4a626ea4151ad94c50d419f9aeb115bc

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\Network Persistent State

Filesize
2KB

MD5
05022eb7468a0d4c46b46befcc45c9c4

SHA1
621cbb043a78d6984f563dfb4ec3a20d0f02ff17

SHA256
276f596f9464856ff9ed3e13af79cce85c9407bfc6c097cab2fc213f9a50bfe2

SHA512
b83e0f51d719455fc6ff50f0b1dbf1ef53167639e72c0b40bb5beb11756978b9a0598bef9a08b3fa0b1f2f19f0b07ceba4aea6c41043adf4d6899a6d2f067002

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity

Filesize
858B

MD5
2fadc6d36177686f6876a2c6b3e145fc

SHA1
ccb861c60a800afef3946419ef0b098305be39d6

SHA256
7802d6a691a6647b2f2a01d17fe8254e7a48b754e8376ebd30e14baae9ce1599

SHA512
4dfae88f846bb4fd37f8e172c495bccfda9dfe5b59d570846b252080528ff596d0bcdec1e52c71a2fd63be18692d896234c45965b1c1c8535cb782f2b6490618

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity

Filesize
188B

MD5
b76d2ebab8688071c9305cf8eab7c20e

SHA1
1449f6de95ca0fe988166908c3198bb9a9fc6f93

SHA256
cced0b162e7df58d04cccb9b014ff02197c276956f4d84e61fc24b2905665116

SHA512
c13504d0c9f08541d8e2f8403a0c71bd1378b216e84d6bad4d162c689f66bfb51aa0b309c1d3035d4ad3dbe3b3b8aab2e9b73b2421c1dbb8e2422d0bbbcef439

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity

Filesize
690B

MD5
90c4991c884f665b4939c184e543e612

SHA1
286c87c413b4211231ac165c81af353ba9fae13b

SHA256
3df0099bb02c850640dec7c0c740aa1cfa1078b03ff671847f090d55d7d1eff8

SHA512
b0fb2b7e7db2a09f8e25244c97ac004945d00e4639429936456167b3d4e472b5a4b52d2910da1707d695a71a942886031756eba86e64b96bacfeacd169a51d40

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity

Filesize
858B

MD5
6930bfa6136ef3d6139e1a877af8a238

SHA1
2c22cefddfdca03336025f1dfa09d0f35668d5fa

SHA256
335a76f01b1936be7d417a62ac4f465666781c40e0b9cc1a77e03edb294d39a8

SHA512
893c1bc785284820b8f534f506d260064ef66e574a7053d0716d84534b3257b9a99bfff844c37a79d20b49ac94c0a15ec2412c2331a85f51887224f1e6170871

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity~RFe5b1c6e.TMP

Filesize
188B

MD5
e0b86aa53b848492777511f183fe739e

SHA1
1b253076931b001a547a589a5f553f4520a7f737

SHA256
2449726d60b7371733efabcfa71247a1a54ba97442e2df57bcd26fed07e976f0

SHA512
5feb7c796932dab58ec2226ba944d662d020154b3679774537fd6c3b79ecfd1361d8a1e7717694cd8c5ec568b963677aff9f7717dc13e9b8ca58b45ee6b8f0a6

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\16f4208f-cf16-40e9-8ecd-d6710fef5fea\index-dir\the-real-index

Filesize
144B

MD5
b8b037fb6d16aabf8aa25a26c2ca46d2

SHA1
ff5ab1848da5c02f30d4aa38bf05763c9fe97131

SHA256
9f1edb9285c2c61bbe28b63131e88ac67dc21558f4deba1784ad0bbfb6ab947f

SHA512
1e112a339c046ea0fb3016d609b65a2d0444f4ed2e1337b68c98a865b8696f865a2cc34b6203533b1a3ede9b2a992b58e36c70a9c3056315162612342ebf11bf

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\16f4208f-cf16-40e9-8ecd-d6710fef5fea\index-dir\the-real-index~RFe5b7d3b.TMP

Filesize
48B

MD5
7feecc28d334f622c932d30e6f3daf36

SHA1
c9ac7aaa8e92578b41f62d0362d68392451b640a

SHA256
005d3e21199005ecf5aa1a8d6c2f49109c79404a263d9e0b9338db4e2ddedb03

SHA512
c93caaf3f7c3dd946d501367c1e0d410000e2bb4871b19b78ab9854360133ab5ae5c2bc96bcab8234e5dacc6af5ce76397061ef94db0e1a42f445c330b12880f

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\a266ed31-7336-43f9-b176-72db01d040c2\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\bddb8af6-762c-4dbf-acf6-559440fc5258\index-dir\the-real-index

Filesize
72B

MD5
b100ae6a3b412718a4d5be01b39eb661

SHA1
76ea05fa7a97f8e31d3c4f739c29afa6cd7c5e26

SHA256
ec5fb2df6a6b8adce5ab2cbb38f67856ffb086917bcc32e77d66f7f4c0628393

SHA512
1c3851e0d963a806ea75d37cab37db8f899c47b744a0b26a8197199a257ecd74b1e1080c2822ac6a1ca8947f41316aedc87bd4e654ab2f330f85e0a95fd4f765

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\bddb8af6-762c-4dbf-acf6-559440fc5258\index-dir\the-real-index~RFe5b7db8.TMP

Filesize
48B

MD5
36c6eff8e9f2a0e36dba3dcdea7f1f29

SHA1
566538b0eead0b2b538d204e90d3eddc120e3844

SHA256
d59cdee8f7f9ad7d208620de3d57ff9fe0cf08c6770fe75a9a94c5056b192bd5

SHA512
822e4ff84e05ec2fd3f2bf228da2c4c5c287d722b548243c4c38bde531d118b568cf09c4c7ba788e49130d47e2984d6337f9fe3b9226ded6e7e4560593ee2a1e

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\ecf2253e-a847-4fa2-873d-048df443044a\index-dir\the-real-index

Filesize
144B

MD5
6cb93554ffa0c242c26bf84df18d17c5

SHA1
16c4c40e8622b89bfc36e02e24ea45cc1e5f4073

SHA256
3a90f7a3212affb64f63dac96c414fde63544277eeda65f80a85b0d42fe3b8a4

SHA512
da1f4eca6311438fed67b1d718cedd60900cbe15371abe0fc0b346d120614d5486461abf4c359f2987b8fb513292b9fc077c9702ba9c867efd6b45fac214dd68

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\ecf2253e-a847-4fa2-873d-048df443044a\index-dir\the-real-index~RFe5b7d89.TMP

Filesize
48B

MD5
a5e818dbb2ce5e7a3c3c00aed4468445

SHA1
bcd3967b2bd69624da6f961858112ff458ebd868

SHA256
d3972174041e5f888fee2979f427bd361d9b3f43fe975a57147e77897aa6c494

SHA512
ce6db43be5a60099de1bd692bdf53623d181dd01b4bee91697ac5f68f161e70cd83d42c2a9cbd5a2d38f912dc18114e99e9f7fa4c3ee28f6e24665b406cc6bc0

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
179B

MD5
d84f26eb69a7e3794d98f233cd800e59

SHA1
525b8c61ade44cac97f39c8d1cc8f9c54e195afe

SHA256
474f94d7ee5b061e1ddd2e3a52976fac2d1ba001d04f4b241d0daf9a320f65c4

SHA512
3279a0571dc374341ee341133af94c8d48e6a8aae292f3d15d4682ac78e17dd86d1cb2937ff7289be705f47986b88d386af46e13b0d9a19cb4aa3dc1235b0be6

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
247B

MD5
b1bbfa37dc635e30c5c415915e320481

SHA1
15895dc65017b43806027fe2c86c57d6a6f43d9b

SHA256
7246e9f9b57cc38a19fb1be57a60518ee44eafa71f962d07b761b3dc761aba60

SHA512
8389d66ffc380f312ac3242c880d4f6bd3f62ba8458847c4b1c3f5894b91a25a3f831e2e4552fe05a0bca8beebc7965bdb8e5e44299c4fe0bfe41c06dd768a15

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
174B

MD5
f73f0d98253dbec3cc5caf542948ff4f

SHA1
58f6d7b35fed4b2c7bbd904188618a0ce731605d

SHA256
3a9199b279c4c39f094e62737dbe545a6508bfb6a49f04c669c4c53d88d4fb14

SHA512
d04633c6bcd05b9f31e3e178aaebdd0e63a5dbfd9b08de7e9989c76333ff073cd51c169c044d4cf2709c76ce9c696cf1615f85f656b94939c5c4e174ffb446fd

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
247B

MD5
63bce5eddc41852c454f827707084a8b

SHA1
7e8f99ce357711069de2b7a40c08f6c15887a82e

SHA256
a7868e5c4cf83c7e796bc272f0b3261ab2c739402340b4c7eb04e634f555f328

SHA512
55379e5549a2428ffb4b174c64e472e19e227f485f58423670244c2c7256d3ceaa0cdd9eab2584c562313a749b2442400457eb33d436a8f8c08cd2cf53a92e7f

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
176B

MD5
42e957b2e438eb7652652e5b5261549f

SHA1
62c68ec49f27459514bbfb49b60f0e4a6f7a786a

SHA256
aa4cbb0a8948151e4bf9016786b1af1706449daec4c03480daaffeca618dd629

SHA512
44ed288627ce720f687d5c470a3eedbaa78e6e0aa25b3dcf3ccc78bf8c09db75da2b878434abd416cf35875a2f8770b5f2ff2b1c4f3738a444cfc18613daec46

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt

Filesize
175B

MD5
fd46dc6c2d5d588d34b6645044ec7696

SHA1
b2c8e1a301b7feaadfbbf3c5c9c43ff37e3e7646

SHA256
4da582a444a7eb911c78aea4c98ef186aaafaac03652c17092cf5106ce0b3227

SHA512
073aa820a9312c9dbe04fc17bf523c334e5f36bf74ba0daedd1638c5185491ae9179a4bf670a005c1db1463260e00f59a50412a49b22d533aa68c9566bfce6e6

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\CacheStorage\ebd1d48456ac10b76eafa6e03ae8fde5deecd34e\index.txt~RFe5b2f0b.TMP

Filesize
111B

MD5
de20bb9d2d181a0ebe3c33007305a613

SHA1
96c13f7e3c6843bc9bb280ba9e5772b949851788

SHA256
b30669db1babaa79a649042bbcb09a5d27fd2dd342ce610280c05b2942d84aac

SHA512
616109c8c91d3112a9d7cec28f59cbb77e40ca58f62cf90dc82090065086adb84b70430c0f6813aad6d022d4aae60ef7867dd15be04028ee63957a0abe925629

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
22f2040d29ed7cf800646afa7200a365

SHA1
6a76d8146e244be6970ab70fc1a2ed03d83931e5

SHA256
bbb747e2262c3eae8188e210730e8ed8f8e7b70568b8b131bd5bfe493433104f

SHA512
5011f0774a61db037f763e5190798c90db3c0bf7d2e53d693e25b8409d0f79a2db287cc96850b866a5f41f46b6e6dcd4369d530f7b517ab236e8cf5951fe6102

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b774f.TMP

Filesize
48B

MD5
060b31a646e9d02b7c282effe65b07b4

SHA1
ba11ff92cf40aac274dd65322aef489cee773a08

SHA256
336a482bb28fa28e62db4a89601375df8cb379ac6d90021e7607b36b5794c2e0

SHA512
76454a36c055fb318679dae3c797f12ce6380145b1d7bc3654bc8dcbfda6d41ba24e05be358147a1d680e98c1c52145da9bbf70d3df2bce8f791c9dbc0206c02

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
57B

MD5
5679334912660a20f687f696911d9a66

SHA1
76cabe09055bcdd006d5a11c15b123da7c2a0c75

SHA256
d89a42771e7e8a5fb8ed86f6c74c78874f5a46e4f4d7d007534425b0d5deabe8

SHA512
174b850e5f94858cb7b74ee5c7478dd4ade21398300fc439f26323f3a75e656e340bcceb62b7e90dcd3860f6bd97308a845c6a5f1088be68d022b35cb0af5f8c

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
119B

MD5
50b5ab88126acdb59bfe885e90ad6c4c

SHA1
e27e2c7fca13c5e5343ab3563d3b8bd4ee5420fd

SHA256
7c785bd7158c9780e93da51119a1d2a47a68826eb495bc7eae63f7306b263af8

SHA512
bd019d450b7e389bf935e8e9401867729f0836be5120620ee8c1bdc536f4e5d2d41466b795f105a4dc85b617384170bae7c7b0b8b37f8bf7e8d6acd905134e37

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
1KB

MD5
f9773eb64dd2b239a1a0a37d82ac0dc5

SHA1
94a2f68b59e2c7ced6676353c852359f0c1602a6

SHA256
ab1bbdee06987213d282601ca777a73d2b6d1d2eaf39cb99d771ccc5add6c66c

SHA512
c66d0d6749172ba7b344f780e49b65f8dd631425c0c87a02355503af3d3dd85a21c419ead98358b719c27bbc0cb145d74afec56fa17a6a27259ef5496cfea4b7

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
1KB

MD5
8be3b15cf031ca8dd6572fceda0c2d93

SHA1
ab33356a76846cfc638e1d5a98cce0f4c306fa45

SHA256
4e07df2bab9b6163f5f36e147180a59e2b851f55603594dd6fd226835ac8c0b4

SHA512
6b2bbbc3e041677343039d2b20cf5d58c92fff415609a233c61e1d19a850999f7dc764b48037106077c61afdec9145927f010e0f4c2991e03d4b03dc16077c89

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
1KB

MD5
76595008bf6598c9cd87c91a559014df

SHA1
bc42a5becdacbfb57cc06a9da8eee4575631d49d

SHA256
5d27ffefb6c859db597bd245baa937272308f9483a84145d18f068bf34a308db

SHA512
760757a060aeba320fe1db5a7e3883abecdf96139f5d6c6bc3b104c046a30ea319c7682f0bc755e42cb982d2f149dc30efff8893ab9fd6e5960c364ad61024f7

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
92B

MD5
e7cbc3872ec50d9501bb66172e0c6da0

SHA1
35142e4347102e0823da312903bb0048118e72ab

SHA256
59444caf30ef0e79bcf8f73b885561d909b14224e16af20ff6d3e9c549a46810

SHA512
acbf2f3b6229dedf7529f88ee83f49f4a509dd93b8ea12aadeb7adc1c6a18dd1314154199b49117cf7b3f7d791fde1618abd9d25570ab36213a6c4f9f8353df6

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-0177777023dcc40f

Filesize
1KB

MD5
f67f5699410f05943d63a32ea1ab6e42

SHA1
1e663dcea85a0fcabc8c836e9f625b7b64c77789

SHA256
9f0dde00b8790b231c33a0529cb5e1a0f8f03eb915b33197ac4a0a37f4c4d22b

SHA512
f377a04ae164726456fbb1b018f30d6738e04537fde9c453c965bd26c24acdeffe31c2444e035214624eff504e8b7f195ecafbb3f390bcbe3acc74664472bc8b

Download Submit
memory/1384-13633-0x000001BCD1340000-0x000001BCD1A7F000-memory.dmp

Filesize
7.2MB

Download
memory/1732-125-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-148-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-13637-0x00000257F0EE0000-0x00000257F161F000-memory.dmp

Filesize
7.2MB

Download
memory/1732-128-0x000000001D460000-0x000000001D988000-memory.dmp

Filesize
5.2MB

Download
memory/1732-3993-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-13047-0x00007FFD3EBA0000-0x00007FFD3F661000-memory.dmp

Filesize
10.8MB

Download
memory/1732-131-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-115-0x0000000000410000-0x00000000004AA000-memory.dmp

Filesize
616KB

Download
memory/1732-116-0x00007FFD3EBA0000-0x00007FFD3F661000-memory.dmp

Filesize
10.8MB

Download
memory/1732-117-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-119-0x000000001AF80000-0x000000001AFE8000-memory.dmp

Filesize
416KB

Download
memory/1732-124-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-159-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-147-0x00007FFD3EBA0000-0x00007FFD3F661000-memory.dmp

Filesize
10.8MB

Download
memory/1732-165-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/1732-133-0x000000001D3B0000-0x000000001D3E8000-memory.dmp

Filesize
224KB

Download
memory/1732-134-0x000000001D380000-0x000000001D38E000-memory.dmp

Filesize
56KB

Download
memory/1732-144-0x0000000020E60000-0x0000000020E68000-memory.dmp

Filesize
32KB

Download
memory/5356-12016-0x000000001BFF0000-0x000000001C000000-memory.dmp

Filesize
64KB

Download
memory/5356-12857-0x00007FFD3EBA0000-0x00007FFD3F661000-memory.dmp

Filesize
10.8MB

Download
memory/5356-10354-0x000000001BFF0000-0x000000001C000000-memory.dmp

Filesize
64KB

Download
memory/5356-10353-0x00007FFD3EBA0000-0x00007FFD3F661000-memory.dmp

Filesize
10.8MB

Download
memory/5356-10805-0x000000001BFF0000-0x000000001C000000-memory.dmp

Filesize
64KB

Download
memory/5412-13334-0x00000253E0E20000-0x00000253E155F000-memory.dmp

Filesize
7.2MB

Download
memory/5412-13269-0x00007FFD5C490000-0x00007FFD5C491000-memory.dmp

Filesize
4KB

Download
memory/5412-13270-0x00007FFD5D720000-0x00007FFD5D721000-memory.dmp

Filesize
4KB

Download
memory/5808-13393-0x0000020864600000-0x0000020864D3F000-memory.dmp

Filesize
7.2MB

Download
memory/6944-15689-0x0000000069CB0000-0x0000000069CED000-memory.dmp

Filesize
244KB

Download
memory/6944-15707-0x0000000069AB0000-0x0000000069B3D000-memory.dmp

Filesize
564KB

Download
memory/6944-15712-0x0000000069A40000-0x0000000069A54000-memory.dmp

Filesize
80KB

Download
memory/6944-15713-0x0000000069A30000-0x0000000069A3E000-memory.dmp

Filesize
56KB

Download
memory/6944-15711-0x0000000069A60000-0x0000000069A6F000-memory.dmp

Filesize
60KB

Download
memory/6944-15715-0x0000000069A10000-0x0000000069A24000-memory.dmp

Filesize
80KB

Download
memory/6944-15717-0x00000000699E0000-0x00000000699FF000-memory.dmp

Filesize
124KB

Download
memory/6944-15716-0x0000000069A00000-0x0000000069A0F000-memory.dmp

Filesize
60KB

Download
memory/6944-15718-0x00000000699C0000-0x00000000699DE000-memory.dmp

Filesize
120KB

Download
memory/6944-15719-0x00000000699A0000-0x00000000699B5000-memory.dmp

Filesize
84KB

Download
memory/6944-15720-0x0000000069980000-0x0000000069991000-memory.dmp

Filesize
68KB

Download
memory/6944-15723-0x0000000069970000-0x000000006997F000-memory.dmp

Filesize
60KB

Download
memory/6944-15725-0x0000000069950000-0x000000006995E000-memory.dmp

Filesize
56KB

Download
memory/6944-15724-0x0000000069960000-0x0000000069970000-memory.dmp

Filesize
64KB

Download
memory/6944-15733-0x0000000069930000-0x0000000069947000-memory.dmp

Filesize
92KB

Download
memory/6944-15738-0x0000000069920000-0x000000006992E000-memory.dmp

Filesize
56KB

Download
memory/6944-15740-0x0000000069900000-0x000000006990E000-memory.dmp

Filesize
56KB

Download
memory/6944-15741-0x00000000698D0000-0x00000000698FC000-memory.dmp

Filesize
176KB

Download
memory/6944-15739-0x0000000069910000-0x0000000069920000-memory.dmp

Filesize
64KB

Download
memory/6944-15709-0x0000000069A80000-0x0000000069A90000-memory.dmp

Filesize
64KB

Download
memory/6944-15708-0x0000000069A90000-0x0000000069AA6000-memory.dmp

Filesize
88KB

Download
memory/6944-15710-0x0000000069A70000-0x0000000069A7E000-memory.dmp

Filesize
56KB

Download
memory/6944-15706-0x0000000069B40000-0x0000000069B61000-memory.dmp

Filesize
132KB

Download
memory/6944-15703-0x0000000069B70000-0x0000000069BB9000-memory.dmp

Filesize
292KB

Download
memory/6944-15702-0x0000000069BC0000-0x0000000069BCE000-memory.dmp

Filesize
56KB

Download
memory/6944-15701-0x0000000069BD0000-0x0000000069BDE000-memory.dmp

Filesize
56KB

Download
memory/6944-15700-0x0000000069BE0000-0x0000000069BF6000-memory.dmp

Filesize
88KB

Download
memory/6944-15695-0x0000000069C00000-0x0000000069C2A000-memory.dmp

Filesize
168KB

Download
memory/6944-15692-0x0000000069C30000-0x0000000069C52000-memory.dmp

Filesize
136KB

Download
memory/6944-15691-0x0000000069C60000-0x0000000069C74000-memory.dmp

Filesize
80KB

Download
memory/6944-15690-0x0000000069C80000-0x0000000069CAC000-memory.dmp

Filesize
176KB

Download
memory/6944-13751-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/6944-15688-0x0000000069CF0000-0x0000000069CFE000-memory.dmp

Filesize
56KB

Download
memory/6944-15687-0x0000000069D00000-0x0000000069D12000-memory.dmp

Filesize
72KB

Download
memory/6944-15686-0x0000000069D20000-0x0000000069D47000-memory.dmp

Filesize
156KB

Download
memory/6944-15684-0x0000000069D70000-0x0000000069D87000-memory.dmp

Filesize
92KB

Download
memory/6944-15685-0x0000000069D50000-0x0000000069D6D000-memory.dmp

Filesize
116KB

Download
memory/6944-15683-0x0000000069D90000-0x0000000069D9F000-memory.dmp

Filesize
60KB

Download
memory/6944-15681-0x000000006C460000-0x000000006C6F4000-memory.dmp

Filesize
2.6MB

Download
memory/6944-15680-0x000000006C7A0000-0x000000006C7CF000-memory.dmp

Filesize
188KB

Download
memory/6944-27078-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download