6d996f70f6b9f99e4ae0aad1f28d224c84c22194551ca4e21f56127eb563faea

Resubmissions

09-07-2024 17:41

240709-v9f74awcpm 7

09-07-2024 17:40

240709-v816waxfrf 5

09-07-2024 17:26

240709-v1ctbavgpm 8

Analysis

max time kernel
575s
max time network
580s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Size

911KB
MD5

05cd50890a8efa95d686384d2d96c530
SHA1

ad496d950142315aa8662edb002549e84d3de424
SHA256

6d996f70f6b9f99e4ae0aad1f28d224c84c22194551ca4e21f56127eb563faea
SHA512

6dc050e3c6577299ba4bcc306d1866ddea3eb2499f75f1de96e435d03f03b0ccf4021602be0eb6c816d7a0e81ce29590de247a084d67e88a64fa6ced4043bcf3
SSDEEP

24576:bivtCXWeGKM8WolR74uEFQWa3GZllJCGt3:+tCXWPIWofUuCQWa25JN3

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BlueStacksServices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.BlueStacks Services = "C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe --hidden"	BlueStacksServices.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 8 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

6716 netsh.exe
7036 netsh.exe
3968 netsh.exe
8100 netsh.exe
7668 netsh.exe
5584 netsh.exe
7180 netsh.exe
7144 netsh.exe

pid	process
6716	netsh.exe
7036	netsh.exe
3968	netsh.exe
8100	netsh.exe
7668	netsh.exe
5584	netsh.exe
7180	netsh.exe
7144	netsh.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BlueStacksWeb.exeBlueStacksWeb.exeBlueStacksWeb.exeBSX-Setup-5.21.218.1001_nxt.exeBlueStacksInstaller.exeBlueStacks X.exeBlueStacksWeb.exeBlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exeBlueStacksServices.exeBlueStacksWeb.exeBlueStacks X.exeBlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exeBootstrapper.exeWScript.exeBlueStacksServices.exeBlueStacks-Installer_5.21.218.1001_amd64_native.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BSX-Setup-5.21.218.1001_nxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacks X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksWeb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacks X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	BlueStacks-Installer_5.21.218.1001_amd64_native.exe

Drops file in System32 directory 2 IoCs

Processes:

BlueStacksServices.exe

description	ioc	process
File created	C:\Windows\system32\storage.json	BlueStacksServices.exe
File opened for modification	C:\Windows\system32\storage.json	BlueStacksServices.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

BSX-Setup-5.21.218.1001_nxt.exe7zr.exe7zr.exe

description	ioc	process
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\NavigatorBack_Disable.svg	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\web3.svg	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\QtGraphicalEffects\HueSaturation.qml	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\cs.pak	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-math-l1-1-0.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\Qt5WebChannel.dll	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\QtGraphicalEffects\ThresholdMask.qml	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\QtWebEngine\qmldir	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\cef\locales\fi.pak	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\Search\History_ButtonDelete_hover.svg	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\HD-Bridge-Native.dll	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\fr.pak	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\dialog\min_hover.svg	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-cpp-sdk-core.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libgradfun_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\xplugins\BuriedpointPlugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libparam_eq_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libscene_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\cef\locales\kn.pak	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\no_game_bg.png	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\MyGame_hover.svg	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qt_hr.qm	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\imageformats\qwebp.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\libvlccore.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\HD-Bridge-Native.dll	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\QtWebEngine\plugins.qmltypes	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\settings\Icon_Back_Default.svg	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\de.pak	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\audio_mixer\libinteger_mixer_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\account\Choose_img4.png	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\dialog\Close_pressed.svg	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\mygames_cloud.svg	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\imageformats\qjpeg.dll	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\MyGames\next_hover.svg	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\api-ms-win-crt-time-l1-1-0.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\access\libaccess_mms_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\access\libhttps_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\vccorlib140.dll	7zr.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\QtQuick\Layouts	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\codec	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\imageformats\qwebp.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libadjust_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\LICENSE.txt	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\QtGraphicalEffects\private\qtgraphicaleffectsprivate.dll	7zr.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\QtQuick\Window.2\windowplugin.dll	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\snapshot_blob.bin	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\codec\libfluidsynth_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\mux\libmux_mpjpeg_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libextract_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\Qt5WebEngineCore.dll	7zr.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\QtQuick\Controls\ApplicationWindow.qml	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\cef\locales\zh-CN.pak	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\access\libhttp_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-c-http.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-c-io.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\HD-DiskFormatCheck.exe	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\cef\icudtl.dat	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\bg.pak	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\cef\chrome_elf.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\account\Default_img.svg	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\access\libsmb_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libugly_resampler_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_output\libvmem_plugin.dll	BSX-Setup-5.21.218.1001_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\hr.pak	7zr.exe

Executes dropped EXE 41 IoCs

Processes:

BlueStacksInstaller.exeHD-CheckCpu.exeHD-CheckCpu.exeBSX-Setup-5.21.218.1001_nxt.exeBlueStacksInstaller.exeHD-CheckCpu.exeBlueStacksServicesSetup.exeBlueStacksServices.exeBlueStacksServices.exeBlueStacksServices.exeBlueStacksServices.exeBlueStacks X.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacks X.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksServices.exeBlueStacks-Installer_5.21.218.1001_amd64_native.exeBootstrapper.exeBlueStacksInstaller.exe7zr.exe7zr.exeHD-ForceGPU.exeHD-GLCheck.exeHD-GLCheck.exeHD-GLCheck.exeHD-GLCheck.exeHD-GLCheck.exeHD-GLCheck.exeHD-CheckCpu.exe7zr.exeHD-GLCheck.exeHD-GLCheck.exeHD-GLCheck.exe7zr.exe7zr.exe7zr.exeHD-CheckCpu.exe7zr.exe

pid	process
408	BlueStacksInstaller.exe
4752	HD-CheckCpu.exe
3252	HD-CheckCpu.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
7680	BlueStacksInstaller.exe
4472	HD-CheckCpu.exe
8000	BlueStacksServicesSetup.exe
9020	BlueStacksServices.exe
9180	BlueStacksServices.exe
3984	BlueStacksServices.exe
3108	BlueStacksServices.exe
2716	BlueStacks X.exe
8476	BlueStacksWeb.exe
8492	BlueStacksWeb.exe
6476	BlueStacksWeb.exe
5784	BlueStacks X.exe
7600	BlueStacksWeb.exe
7440	BlueStacksWeb.exe
5876	BlueStacksServices.exe
2176	BlueStacks-Installer_5.21.218.1001_amd64_native.exe
6328	Bootstrapper.exe
2744	BlueStacksInstaller.exe
8764	7zr.exe
3416	7zr.exe
1612	HD-ForceGPU.exe
8632	HD-GLCheck.exe
640	HD-GLCheck.exe
8924	HD-GLCheck.exe
3024	HD-GLCheck.exe
2044	HD-GLCheck.exe
3020	HD-GLCheck.exe
4156	HD-CheckCpu.exe
5432	7zr.exe
4104	HD-GLCheck.exe
5600	HD-GLCheck.exe
2952	HD-GLCheck.exe
4968	7zr.exe
8796	7zr.exe
6572	7zr.exe
8028	HD-CheckCpu.exe
8644	7zr.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3888 sc.exe

pid	process
3888	sc.exe

Loads dropped DLL 64 IoCs

Processes:

BSX-Setup-5.21.218.1001_nxt.exe

pid	process
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BlueStacks X.exeBlueStacksInstaller.exeBlueStacks X.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	BlueStacks X.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacksInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlueStacksInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	BlueStacks X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlueStacks X.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacks X.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlueStacks X.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2596	tasklist.exe
8160	tasklist.exe
6044	tasklist.exe
7328	tasklist.exe
2764	tasklist.exe
6664	tasklist.exe
5392	tasklist.exe
1396	tasklist.exe
7696	tasklist.exe
8060	tasklist.exe
8404	tasklist.exe
6876	tasklist.exe
3408	tasklist.exe
5432	tasklist.exe
7416	tasklist.exe
7880	tasklist.exe
3176	tasklist.exe
1016	tasklist.exe
6864	tasklist.exe
8500	tasklist.exe
5260	tasklist.exe
8612	tasklist.exe
4760	tasklist.exe
7672	tasklist.exe
1392	tasklist.exe
6544	tasklist.exe
4240	tasklist.exe
5648	tasklist.exe
6908	tasklist.exe
5752	tasklist.exe
4040	tasklist.exe
7020	tasklist.exe
7312	tasklist.exe
4132	tasklist.exe
6752	tasklist.exe
4480	tasklist.exe
3456	tasklist.exe
6168	tasklist.exe
1952	tasklist.exe
3428	tasklist.exe
8036	tasklist.exe
7576	tasklist.exe
6108	tasklist.exe
2104	tasklist.exe
6612	tasklist.exe
6940	tasklist.exe
1800	tasklist.exe
1688	tasklist.exe
5244	tasklist.exe
6504	tasklist.exe
8896	tasklist.exe
744	tasklist.exe
8476	tasklist.exe
6996	tasklist.exe
1480	tasklist.exe
5892	tasklist.exe
2260	tasklist.exe
4428	tasklist.exe
3088	tasklist.exe
1236	tasklist.exe
8232	tasklist.exe
5900	tasklist.exe
6524	tasklist.exe
5560	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

Processes:

BSX-Setup-5.21.218.1001_nxt.exeBlueStacks X.exeBlueStacksServices.exeBlueStacks X.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\ = "URL:BlueStacksX Protocol Handler"	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{648AB490-6F53-4C86-A8E7-CD284FB0F205}	BlueStacks X.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\ = "URL:bstsrvs"	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\shell\open\command	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX	BSX-Setup-5.21.218.1001_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\URL Protocol	BSX-Setup-5.21.218.1001_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon\ = "C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe,0"	BSX-Setup-5.21.218.1001_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command\ = "\"C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe\" -open \"%1\""	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	BSX-Setup-5.21.218.1001_nxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\URL Protocol	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\shell	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\shell\open	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{FE76B3DD-3733-4052-8CEB-51CBE195E27C}	BlueStacks X.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\	BSX-Setup-5.21.218.1001_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\	BSX-Setup-5.21.218.1001_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\bstsrvs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe\" \"%1\""	BlueStacksServices.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

BlueStacks X.exeBlueStacks X.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	BlueStacks X.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	BlueStacks X.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	BlueStacks X.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

BlueStacks X.exeBlueStacks X.exe

pid process

2716 BlueStacks X.exe
5784 BlueStacks X.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

BlueStacksInstaller.exeBSX-Setup-5.21.218.1001_nxt.exeBlueStacksInstaller.exeBlueStacksServicesSetup.exetasklist.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksWeb.exeBlueStacksServices.exeBootstrapper.exeBlueStacksInstaller.exeBlueStacks X.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
408	BlueStacksInstaller.exe
408	BlueStacksInstaller.exe
408	BlueStacksInstaller.exe
408	BlueStacksInstaller.exe
408	BlueStacksInstaller.exe
408	BlueStacksInstaller.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
4120	BSX-Setup-5.21.218.1001_nxt.exe
7680	BlueStacksInstaller.exe
7680	BlueStacksInstaller.exe
7680	BlueStacksInstaller.exe
7680	BlueStacksInstaller.exe
7680	BlueStacksInstaller.exe
7680	BlueStacksInstaller.exe
8000	BlueStacksServicesSetup.exe
8000	BlueStacksServicesSetup.exe
7872	tasklist.exe
7872	tasklist.exe
8476	BlueStacksWeb.exe
8492	BlueStacksWeb.exe
6476	BlueStacksWeb.exe
7600	BlueStacksWeb.exe
7440	BlueStacksWeb.exe
5876	BlueStacksServices.exe
5876	BlueStacksServices.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
6328	Bootstrapper.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
2744	BlueStacksInstaller.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
8680	msedge.exe
8680	msedge.exe
8424	msedge.exe
8424	msedge.exe
2120	identity_helper.exe
2120	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

BlueStacks X.exeBlueStacks X.exe

pid process

2716 BlueStacks X.exe
5784 BlueStacks X.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

8424 msedge.exe
8424 msedge.exe
8424 msedge.exe
8424 msedge.exe
8424 msedge.exe
8424 msedge.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

BlueStacksInstaller.exe

pid process

408 BlueStacksInstaller.exe

pid	process
656

pid	process
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BlueStacksInstaller.exeBSX-Setup-5.21.218.1001_nxt.exeBlueStacksInstaller.exetasklist.exeBlueStacksServicesSetup.exeBlueStacksServices.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	408	BlueStacksInstaller.exe
Token: SeSecurityPrivilege	4120	BSX-Setup-5.21.218.1001_nxt.exe
Token: SeDebugPrivilege	7680	BlueStacksInstaller.exe
Token: SeDebugPrivilege	7872	tasklist.exe
Token: SeSecurityPrivilege	8000	BlueStacksServicesSetup.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	5372	tasklist.exe
Token: SeDebugPrivilege	5400	tasklist.exe
Token: SeDebugPrivilege	6908	tasklist.exe
Token: SeDebugPrivilege	6108	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	2176	tasklist.exe
Token: SeDebugPrivilege	1396	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	6168	tasklist.exe
Token: SeDebugPrivilege	6296	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	6804	tasklist.exe
Token: SeDebugPrivilege	6996	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	6504	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	9020	BlueStacksServices.exe
Token: SeDebugPrivilege	3448	tasklist.exe
Token: SeShutdownPrivilege	9020	BlueStacksServices.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

BlueStacksServices.exemsedge.exe

pid	process
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

BlueStacksServices.exemsedge.exe

pid	process
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
9020	BlueStacksServices.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe
8424	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

BlueStacks X.exeBlueStacks X.exeHD-GLCheck.exeHD-GLCheck.exe

pid	process
2716	BlueStacks X.exe
2716	BlueStacks X.exe
2716	BlueStacks X.exe
2716	BlueStacks X.exe
2716	BlueStacks X.exe
2716	BlueStacks X.exe
2716	BlueStacks X.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
5784	BlueStacks X.exe
2044	HD-GLCheck.exe
5600	HD-GLCheck.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exeBlueStacksInstaller.exeBSX-Setup-5.21.218.1001_nxt.exeWScript.execmd.exeBlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exeBlueStacksInstaller.exeBlueStacksServicesSetup.execmd.exeBlueStacksServices.exe

description	pid	process	target process
PID 5060 wrote to memory of 408	5060	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 5060 wrote to memory of 408	5060	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 408 wrote to memory of 4752	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 4752	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 4752	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 3252	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 3252	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 3252	408	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 408 wrote to memory of 4120	408	BlueStacksInstaller.exe	BSX-Setup-5.21.218.1001_nxt.exe
PID 408 wrote to memory of 4120	408	BlueStacksInstaller.exe	BSX-Setup-5.21.218.1001_nxt.exe
PID 408 wrote to memory of 4120	408	BlueStacksInstaller.exe	BSX-Setup-5.21.218.1001_nxt.exe
PID 4120 wrote to memory of 6228	4120	BSX-Setup-5.21.218.1001_nxt.exe	WScript.exe
PID 4120 wrote to memory of 6228	4120	BSX-Setup-5.21.218.1001_nxt.exe	WScript.exe
PID 4120 wrote to memory of 6228	4120	BSX-Setup-5.21.218.1001_nxt.exe	WScript.exe
PID 6228 wrote to memory of 6320	6228	WScript.exe	cmd.exe
PID 6228 wrote to memory of 6320	6228	WScript.exe	cmd.exe
PID 6228 wrote to memory of 6320	6228	WScript.exe	cmd.exe
PID 6320 wrote to memory of 7180	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7180	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7180	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7144	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7144	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7144	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 6716	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 6716	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 6716	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7036	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7036	6320	cmd.exe	netsh.exe
PID 6320 wrote to memory of 7036	6320	cmd.exe	netsh.exe
PID 408 wrote to memory of 6808	408	BlueStacksInstaller.exe	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
PID 408 wrote to memory of 6808	408	BlueStacksInstaller.exe	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
PID 408 wrote to memory of 6808	408	BlueStacksInstaller.exe	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
PID 6808 wrote to memory of 7680	6808	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 6808 wrote to memory of 7680	6808	BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe	BlueStacksInstaller.exe
PID 7680 wrote to memory of 4472	7680	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 7680 wrote to memory of 4472	7680	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 7680 wrote to memory of 4472	7680	BlueStacksInstaller.exe	HD-CheckCpu.exe
PID 8000 wrote to memory of 7828	8000	BlueStacksServicesSetup.exe	cmd.exe
PID 8000 wrote to memory of 7828	8000	BlueStacksServicesSetup.exe	cmd.exe
PID 8000 wrote to memory of 7828	8000	BlueStacksServicesSetup.exe	cmd.exe
PID 7828 wrote to memory of 7872	7828	cmd.exe	tasklist.exe
PID 7828 wrote to memory of 7872	7828	cmd.exe	tasklist.exe
PID 7828 wrote to memory of 7872	7828	cmd.exe	tasklist.exe
PID 7828 wrote to memory of 7880	7828	cmd.exe	find.exe
PID 7828 wrote to memory of 7880	7828	cmd.exe	find.exe
PID 7828 wrote to memory of 7880	7828	cmd.exe	find.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe
PID 9020 wrote to memory of 9180	9020	BlueStacksServices.exe	BlueStacksServices.exe

C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\BlueStacksInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\BlueStacksInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\HD-CheckCpu.exe" --cmd checkHypervEnabled
    3⤵
    - Executes dropped EXE
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\HD-CheckCpu.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\HD-CheckCpu.exe" --cmd checkSSE4
    3⤵
    - Executes dropped EXE
    PID:3252
- - C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.218.1001_nxt.exe
    "C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.218.1001_nxt.exe" -s
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\BlueStacks X\green.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:6228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c green.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6320
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="BlueStacksWeb"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7180
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="Cloud Game"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7144
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="BlueStacksWeb" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6716
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Cloud Game" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\Cloud Game.exe"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7036
- - C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
    "C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.41.218.1001_native_c75d25f7ed2ec41cea2157098d2f8da2_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe" -versionMachineID=c176d027-936a-4956-9787-ea094c2e98d1 -machineID=4925de14-f43a-4b86-8271-fd59cbe80c38 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Pie64 -imageToLaunch=Pie64 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.41.218.1001 -country=GB -skipBinaryShortcuts -isWalletFeatureEnabled
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:6808
  - - C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\BlueStacksInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\BlueStacksInstaller.exe" -versionMachineID=c176d027-936a-4956-9787-ea094c2e98d1 -machineID=4925de14-f43a-4b86-8271-fd59cbe80c38 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Pie64 -imageToLaunch=Pie64 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.41.218.1001 -country=GB -skipBinaryShortcuts -isWalletFeatureEnabled
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:7680
    - - C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\HD-CheckCpu.exe" --cmd checkHypervEnabled
        5⤵
        Executes dropped EXE
        
        PID:4472

C:\ProgramData\BlueStacksServicesSetup.exe
"C:\ProgramData\BlueStacksServicesSetup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:7828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7872
- - C:\Windows\SysWOW64\find.exe
    find "BlueStacksServices.exe"
    3⤵
    PID:7880

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --hidden --initialLaunch
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:9020
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1688,i,48810236327066048,1806864937414398650,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:9180
- C:\Windows\system32\cscript.exe
  cscript.exe
  2⤵
  PID:8048
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=1984 --field-trial-handle=1688,i,48810236327066048,1806864937414398650,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:3048
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:4508
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:1816
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:32
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:3484
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2680 --field-trial-handle=1688,i,48810236327066048,1806864937414398650,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5512
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5520
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5400
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:3940
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:4128
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5680
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5792
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6108
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:7272
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1096
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4928
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:7240
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:208
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:6460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3232
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6212
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6296
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:6260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7296
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6664
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6348
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2824
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5104
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:6736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7652
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3704
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6724
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6612
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:7300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3252
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6704
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7836
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6564
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:7504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3252
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5064
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6856
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:452
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:740
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7944
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6676
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8028
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8108
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8704
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8592
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:456
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3648
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5696
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5272
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2260
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3512 --field-trial-handle=1688,i,48810236327066048,1806864937414398650,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5996
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5952
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3248
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5940
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3520
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6252
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8864
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8024
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4288
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1308
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3940
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5224
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6180
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4640
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1056
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2632
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:6904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:408
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7916
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7336
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1688
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8232
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8352
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:9184
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3648
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:9140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1832
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1116
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5320
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5524
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5208
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5348
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5476
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5380
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7656
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7988
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6636
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4508
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:6092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6016
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5956
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5764
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:6684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:696
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2204
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6272
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:6468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6164
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6244
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6184
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2572
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6520
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8776
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3004
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7028
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3200
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8812
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8360
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6724
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8256
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6604
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3592
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6748
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2596
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:636
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8916
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:6484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:3372
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7904
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7892
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7032
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7828
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1688
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7316
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:7568
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8264
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:8168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8100
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8564
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5636
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2208
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5716
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8044
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8756
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4424
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4916
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6292
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6168
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2852
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6232
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1064
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1248
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6688
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:1852
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6500
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8728
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5864
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8360
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:8036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:4656
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2996
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6916
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4836
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:2476
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8872
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7748
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3372
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:1916
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:2652
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:220
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:9072
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:7680
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4604
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8232
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5652
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:7596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8300
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8352
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    PID:8920

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe
"C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2716
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=3772 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:8476
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:8492
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:6476

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe
"C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5784
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:7600
- C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe
  BlueStacksWeb.exe --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:7440
- C:\Users\Admin\AppData\Local\BlueStacks X\BlueStacks-Installer_5.21.218.1001_amd64_native.exe
  "C:\Users\Admin\AppData\Local\BlueStacks X\BlueStacks-Installer_5.21.218.1001_amd64_native.exe" -s -defaultImageName Pie64 -imageToLaunch Pie64 -skipBinaryShortcuts -appToLaunch=bsx
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Bootstrapper.exe" -s -defaultImageName Pie64 -imageToLaunch Pie64 -skipBinaryShortcuts -appToLaunch=bsx
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6328
  - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\BlueStacksInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\BlueStacksInstaller.exe" -s -defaultImageName="Pie64" -imageToLaunch="Pie64" -skipBinaryShortcuts -appToLaunch="bsx" -parentpath="C:\Users\Admin\AppData\Local\BlueStacks X\BlueStacks-Installer_5.21.218.1001_amd64_native.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\CommonInstallUtils.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\" -aoa
        5⤵
        Executes dropped EXE
        
        PID:8764
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\QtRedistx64.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\" -aoa
        5⤵
        Executes dropped EXE
        
        PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-ForceGPU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-ForceGPU.exe" 1 "C:\Program Files\BlueStacks_nxt"
        5⤵
        Executes dropped EXE
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 1 2
        5⤵
        Executes dropped EXE
        
        PID:8632
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 4 2
        5⤵
        Executes dropped EXE
        
        PID:640
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 2 2
        5⤵
        Executes dropped EXE
        
        PID:8924
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 1 1
        5⤵
        Executes dropped EXE
        
        PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 4 1
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe" 2 1
        5⤵
        Executes dropped EXE
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-CheckCpu.exe" --cmd checkSSE4
        5⤵
        Executes dropped EXE
        
        PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\PF.zip" -o"C:\Program Files\BlueStacks_nxt" -aoa
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\\HD-GLCheck.exe" 2
        5⤵
        Executes dropped EXE
        
        PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\\HD-GLCheck.exe" 3
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5600
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\\HD-GLCheck.exe" 1
        5⤵
        Executes dropped EXE
        
        PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\QtRedistx64.zip" -o"C:\Program Files\BlueStacks_nxt" -aoa
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\PD.zip" -o"C:\ProgramData\BlueStacks_nxt" -aoa
        5⤵
        Executes dropped EXE
        
        PID:8796
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" x "C:\ProgramData\Pie64_5.21.218.1001.exe" -o"C:\ProgramData\BlueStacks_nxt\Engine\Pie64" -aoa
        5⤵
        Executes dropped EXE
        
        PID:6572
    - - C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall delete rule name="BlueStacks Service"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3968
    - - C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall add rule name="BlueStacks Service" dir=in action=allow program="C:\Program Files\BlueStacks_nxt\HD-Player.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8100
    - - C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall delete rule name="BlueStacksAppplayerWeb"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7668
    - - C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall add rule name="BlueStacksAppplayerWeb" dir=in action=allow program="C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5584
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\HD-CheckCpu.exe" --cmd checkSSE3
        5⤵
        Executes dropped EXE
        
        PID:8028
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c "sc.exe delete BlueStacksDrv_nxt"
        5⤵
        
        PID:8104
      - C:\Windows\system32\sc.exe
        
        sc.exe delete BlueStacksDrv_nxt
        6⤵
        Launches sc.exe
        
        PID:3888
    - - C:\Windows\SYSTEM32\reg.exe
        
        "reg.exe" EXPORT HKLM\Software\BlueStacks_nxt "C:\Users\Admin\AppData\Local\Temp\1rfvxw5k.erb\RegHKLM.txt"
        5⤵
        
        PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe" a "C:\Users\Admin\AppData\Local\Temp\Installer.zip" -m0=LZMA:a=1 "C:\Users\Admin\AppData\Local\Temp\1rfvxw5k.erb\*"
        5⤵
        Executes dropped EXE
        
        PID:8644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cloud.bluestacks.com/bs3/help_articles?article=bsx_engine_install_instruction&launcher_version=10.41.218.1001
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:8424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe908946f8,0x7ffe90894708,0x7ffe90894718
    3⤵
    PID:8536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
    3⤵
    PID:8372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
    3⤵
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:8976
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    3⤵
    PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12041829065058909522,13625518430698248960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:6600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe

Filesize
477KB

MD5
98b60189831c248690c81ec283544c01

SHA1
3be4bf1b5bccf3e8e9c13ac5da503f1388afba5d

SHA256
aa38680002430fb455679089cdf1c3482aff4c08aa2b383c83c3d873ae1676ca

SHA512
bf0eee97472f4f683b495a0fed63f98083edc4b9a2dcc7d255f33207ed5f54b73a8af871a76b43acdbaf14f02f2da99428944ce0e366d06f89fd6670a1129901

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_disabled.svg

Filesize
569B

MD5
e7fdf6a9c8cae1fc1108dc5a803a1905

SHA1
2853f9ff5e63685ebb1449dcf693176b17e4ab60

SHA256
8ee5aa84139b2ea5549f7272523aeb203d73954c5ccdcf6f7407bf1a3469f13e

SHA512
a6388b24926934e20ccf7fcab41bd219dc6c0053428481d7f466bf89f26bf1a36fdff716a9ddd9ab268df73b04dff1449c6bac1f5c707e31ae2ee71c2087e0d9

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_hover.svg

Filesize
653B

MD5
76166804e6ce35e8a0c92917b8abc071

SHA1
8bd38726a11a9633ac937b9c6f205ce5d36348b0

SHA256
1bca2e912184b8168ee8961de68d1d839f4f9827fde6f48ab100fb61e82eff90

SHA512
93c4f1af7e9f89091a207ab308e05ddd4c92406c039f7465d3b8aca7e0cc7a6c922a22e1eee2f5c88db5e89016ef69294b2a0905d7d6a90fd32835bc11929005

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_normal.svg

Filesize
569B

MD5
3221ac69d7facd8aa90ffa15aea991b0

SHA1
e0571f30f4708ec78addc726a743679ca0f05e45

SHA256
92aeae68e9e0973d9e0dc575941f1cb2e24afd0574341a46b870be7384eaa537

SHA512
5e2de0abfe60a4db16ea5e8739260c19962fbfc60869a77bde6ab3547ad8ee3ad88e74e97da31fa23be096afddad018e431d152d6d0fa21a75357a11dacb1328

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_pressed.svg

Filesize
653B

MD5
dfddf8d0788988c3e48fcbfb2a76cd20

SHA1
463bb61f0012289e860c32f1885a3a8f57467f2e

SHA256
9585f41eb6202e89f2087266fa31852d7f41ca8cc659b907c96753fe165f937d

SHA512
e708c5114c60f7574589d6a56c9faedda26ee4a40f0eeb25f5e12eadcf790f24fdbf393fa0aa6ad449b5337d625b092d6f8822472fa8a6ce1339aca59c50c3ca

Download Submit
C:\Program Files\BlueStacks_nxt\BlueStacksUninstaller.exe.config

Filesize
392B

MD5
ca0a329097316832e4a6ea5d870c9268

SHA1
4a36b93361d3dc9df9b00313f2c2b394be9e1e72

SHA256
4b7df915d706af6459c38d75b09c5e14f951842ae0678078400f204ad1c7a7c2

SHA512
51f9a874e84f130be4fa29fcc4bc934105318234b5dd9ceedaf569e3f0e6b38e29f3bec056044724476ae24295a510b16d8a737b994fd6f1268609defa315271

Download Submit
C:\Program Files\BlueStacks_nxt\HD-ForceGPU.exe

Filesize
169KB

MD5
5b8f4de0cd704f8e3ea5d419e7a19969

SHA1
893ccbe42e5e8dc247cf98413daefa0fbea1de3a

SHA256
73f9079fabbd41be4e3993797d727c7b37c2717b65f87ec7acf916f862ad4584

SHA512
616ba0d320fd1650a73bed178717b4b9f0734f7eea1501e0c5ffab9784c14aec7f1c5ae5e0c0428715b4fc2aecd27b34f09fde53c9a3692a31e1e06327ae8be8

Download Submit
C:\Program Files\BlueStacks_nxt\HD-GLCheck.exe

Filesize
223KB

MD5
4a68095697039b584824cd50e643f05a

SHA1
106f8160ca48a82c65212c2a40fe0da20fa4199c

SHA256
c99cc02de76d746f01824432730f8f53e888ec3795d2fad90dc4ed098b066fee

SHA512
14153061d0288bd1dfb164e4ed9b76d443b74cbdaf823fbc5078523a74e060b295553da2818ccf9c55e4fe0a2656dda557b84348f8631d826b3ab0a341c36b3d

Download Submit
C:\Program Files\BlueStacks_nxt\ProductLogo.ico

Filesize
131KB

MD5
169706218f98a42594a8c5c5a65771fe

SHA1
b8ded94180212578d86a031eb71ef93dcffe1a26

SHA256
3803045963af064936d7071c178de8e40854968b3d3f9171c57a182c869f3697

SHA512
1c3f18ed0a24ffa78fe938826eb88531eb8be134d6f209b87d7af5d0e8c4829f01947d7b0048996b9755562bbb7f52e000bcd15d07d646cacb2989ac881ce448

Download Submit
C:\Program Files\BlueStacks_nxt\resources\icudtl.dat

Filesize
10.0MB

MD5
03205e5952ea7b803839ecfe3bb000d6

SHA1
74146e76e31fd1e75ae1c34fa8194bc291b34a40

SHA256
8364e6c6bf5744357199de0de3f6ba30846ccda70288675b75059e6fd52241f3

SHA512
badb8843f9a483329cc4f559f95bd07a8cc1f9383e0e67dddacf74e586541067ca452a7fc28b63dcd28edc434c3be8ddc733dcbad0e06d973dafc99242f0b192

Download Submit
C:\Program Files\BlueStacks_nxt\resources\qtwebengine_resources.pak

Filesize
2.4MB

MD5
aed2766cd70116ab1e0c430001a30b8f

SHA1
a06c62b35c333412dd61c493d6a6520a8c04537c

SHA256
4ed3a10f1bbc40b9a2ce3b8cb6dab6f00fe922d0c0e1c6ab5adfd8617cec9389

SHA512
a1ca058b88c1a6839b2e329b08423ee115800864f580f832bbc4f4720f0965984f893d210437951bd79dcfd3b917137b0b2e8f381e50d2a1bc2de37ca5555961

Download Submit
C:\Program Files\BlueStacks_nxt\resources\qtwebengine_resources_100p.pak

Filesize
191KB

MD5
8615f18dea34c152e8aeb8f4e01fd17b

SHA1
032b7bab09943cc5c8a380b0aba29652d5539153

SHA256
e7e2cd13fa9fbaa33c537e8eecfd542e4ce4a621bc0b94159ef9e6e4541652a6

SHA512
2a68ba854d473883f20e1a26375fa39b689cd39d2e284a963b07f25fa3eb6865ff3d8fea2241af23ffc731b83e20ec5b8147486de0a507e83413f75d71eab248

Download Submit
C:\Program Files\BlueStacks_nxt\resources\qtwebengine_resources_200p.pak

Filesize
250KB

MD5
de5e6a97c80d698256369b10255ce45d

SHA1
8d4b979a8c2ee33c2dbc01ed13a165b455a5fdfc

SHA256
669f9d3388438377c440419e5c62973362e33e84a5b247ddd0dd4568da75eb13

SHA512
5609ca5053f581e636c0fe10def704f076c7acf5d958e235991fec32a2ddebd72b312f36a6648d2462766d1cb141f3df12d39df1a344e0dfb4a9e2946dcf1206

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\am.pak

Filesize
420KB

MD5
2a8ca8692a60fe8d33d51d99c9084a9d

SHA1
919d8adacce240fd394d6faf2aa41d2e5b8460ec

SHA256
73f0a7c7632313613814b3ccf5962962aff99de940e084e0b609ecbad1ec1d44

SHA512
080e56cce041226592e7fa816fe8c5e362a1f172a8c671bda4092ff127f0cbe8238c40d41751099f6bac8f02c71faccc011df270b1c1bb8b772286ab95f5f1ea

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ar.pak

Filesize
441KB

MD5
143ffa8ca3ac0e6dca9a8b3e8ba3f3f5

SHA1
6186940350b3fdd936f6ce41f3091bbca397e9a2

SHA256
3f35466a80f4ca5a5167b2d3a3278e75afd90821206ac98801210a2117c913e2

SHA512
a12b5e3ae821e08aa76657cf84bd79def6f8fdb413e908b13944f6c2bc1aa9724193d0a9a0abd5dc0b87e0845d61b021d39024a5048443531dafa19de707944e

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\bg.pak

Filesize
475KB

MD5
154217351d415b13dca71e28727902c4

SHA1
096a1640b5e83a7b20afdfa7cfe2507b4128e0a5

SHA256
da4bb8513745180a0eb26228a315786a6bfb98d6594173491d25cdf9d59c5bcf

SHA512
f1676a8b05c00588308c57b2290c00a6d844811e9ad4495ba94d62ae71a8c58d504ccd2697cfbf822fd5c2ce6423f76da8a901b4eae55095dc4b9667d9c2a8eb

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\bn.pak

Filesize
624KB

MD5
304432105fbe28b1625f0d7b6be3e7bf

SHA1
2d5474854bc0bca3f3ead1b9199d76ef533f0850

SHA256
ac282f17c5f25b55d368d06b305b89b614949d41c2a1377f1dd5aecb57d1ca8e

SHA512
8ab35cf2069f70a3a99dde98a7b7782821000abcefa97eaeb07b8a717d26a7b6c5461d5bcd39110b47db98aad9c56e463ca2707b7e6b71cda1092b8cf3a91ab8

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ca.pak

Filesize
294KB

MD5
a2c61a98fe7407ded9ece126c4c9d057

SHA1
c7d64d8bdc2fd9e7f1c62dff79e0e56e13f9cd69

SHA256
4d583b753104ae98a1e5858bfe38dfa3195d477128441ca59c882d158d52ebf8

SHA512
7522ee10397140b5eb45ec3d5cb32e9212a7d3cae8fbc377b270872aaf6c7077e7b13465f6005a85b5fdd4d2e86b1731c3366ddfb2e4bccae4ae2d1a178e0b1c

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\cs.pak

Filesize
303KB

MD5
c0bb82986abc67281d8067e5f20625c7

SHA1
e7cc8888dd95d9edf226893f0e4c12e572bf6bf8

SHA256
217718dd6d64f45da33db0629e6d56da8084ae0fd8123eafda909e662a5e5b50

SHA512
80f4542345cc6e0d3589aeb76e0e5f19a824f2d3186d397c8fb71c1e9d6c056108df7f9a192a6515eb9ee43505b7844c0bf76b77596adcaa3c0ee783dd590ad9

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\da.pak

Filesize
271KB

MD5
5eba7377be8e34dd03db766300039ed2

SHA1
b3460fa050b93454b9e05586d86d7cf67881f557

SHA256
94157ad608b35b29dd176a3106caa4613ed6d4c20268ce00ac4ccf13a9950f94

SHA512
7d24210b60fe38b42fc6a4437ffb1e06333b7084025efe462b66e086cdee953254a1d6fec69ab3c8569118156f3a4a957aed5259e1432772ab46cf7905aa4385

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\de.pak

Filesize
292KB

MD5
01cc5b8a05a435482dc692baef032d3a

SHA1
229a4d1c9aea9111bb46895d096dfcaf488b8d4a

SHA256
53d5743a2606d6b553e8dbff871f2f1d3d53666baeb9ecca5b1ed624d48d5835

SHA512
082654e8385811d4e0f35544c017704b0f13638f850947d76c9abe093333fdaf9d1d08c184bb8107d16b0eae6ebcbe0c522ed18138dcee30a71d9d75ea8c3488

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\el.pak

Filesize
522KB

MD5
26afc001a706679413f5deaa3c6603e4

SHA1
c9d780d930775cfc17cf9160712a2e90ca55106e

SHA256
4c2a3552e84fdd08852073d25c99727c4270160260d159572715c7d37e5861bc

SHA512
743380b99f6d55ad892296e8361b74cf90254403fef15de37c3e5fc302bae2991f5bb4ae21ba84bddc30da3b5b31fb4e741b0c524feede1656bcd2d531d76ea1

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\en-GB.pak

Filesize
239KB

MD5
06da37b66f4dbbe8c5ae1bd7e4addc99

SHA1
ac190bbb14b76d14143dcc088f460d1be2ba2886

SHA256
60f87ec2b06329bdea7f835a61e9893fae147343f133caa2bfa5215797881ee0

SHA512
c436359e259c0a1cdc0dea1bb9ecd2bc22fe1124d76b9deac7e8c7751d97d66cbe61739aecef650908ed05363156fa11453490a9c9f23c74c683ac4e8c7c8c3e

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\en-US.pak

Filesize
242KB

MD5
1e958f35257ef1e2e5115d860602a593

SHA1
688afb781ce3c4c9a55fee9696145260d2ce1400

SHA256
4a65112f4d03cf38abf2ccff5e3fe8e161cb3e47d588b510504007c9bb876b37

SHA512
a996e8708f4e92794cf3eb6b7780d9ac8e567b1359aface4fd50d427630e4219678f4cdcd58764123ab6baf12a9c87a08b6ba5767fa8f6042a7319fb45b72a27

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\es-419.pak

Filesize
289KB

MD5
f21b0783d062082ee46aa573eff68df0

SHA1
84f62d15eb68858245e56bef0cf317e273918044

SHA256
859cb8ad8666e97a47f0e24df4ae85aad80002fbf842b4e68afd0a308d6597fe

SHA512
d87e2d51cedba8ba4eba3b0fd390bfb32b25c5cda98a0d6465b5ae351dc745a67ac174c223e7def8b02c9f00729244026e895791add2611680579dfec4b7b07b

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\es.pak

Filesize
293KB

MD5
03265b1a7f6a996513067866d55f3bcb

SHA1
427eecd7810cf24c8758dc9beae18afc9d8969a0

SHA256
516234550bfda93687b28c5cb3b7b5362212bf41b900d790ade52747bcf766da

SHA512
d6ace0340666eaffe28f57fb070eb4504460bd47517cf3c0b9c07671a605ec017c4fb45a38fbb96b9c54887dcee639b41ef03b2fd85ed9a666af56dbb73023dc

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\et.pak

Filesize
261KB

MD5
73e6f20f0c75a9beb72798167f8c6f91

SHA1
d01932a69626d23e8ce9e9bc240f6d99dd155fb4

SHA256
ff1b0d50f6f067b291199578b6a7757797bd7fdc6b0ac472c9361076bf9eadaf

SHA512
98966566211bba402352607a0622dca7f64ad4c056cec2b40cb70572cd1ce5ed92556490b4399a32ed1c04a14d80a3841fd1a758225120ee416c68e9314316db

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\fa.pak

Filesize
422KB

MD5
f913ea1db8c9c99bff701ceeaf8138f3

SHA1
6bef3ff865b3a95dc1900ba3c94c5bf556c695a1

SHA256
b4e0d3f7cb858ce12b5a75a71ef14f2a36494cd4138181b29f6fb3d6bd386c4c

SHA512
edca9b945c6dc90586f6d20e73316f620d5fff61f3ad4fd35c7e9064f55b1988cc77d372a97d100cbf572a2906cd193777a18ace98fabadea1604df42c8823a5

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\fi.pak

Filesize
269KB

MD5
f55358f58eb17b4bc6abb19592c1aba7

SHA1
6dc1d99757bc5a447b9761a4a0c90a2be521c6b0

SHA256
cf3b9a857c63022d671f4cc335728c270935628f085ac9a17568a2529daeb4c1

SHA512
d7cb03ec31a3cd8c7f13e1bae1439fbba3b76636f1f254ba5376c5da82b9a98e93684fc3cab3bbe8a4c892ba42f17c0db1eec1531950e17932aee16007081aab

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\fil.pak

Filesize
301KB

MD5
f5257136ed900e1715979c9a96de292d

SHA1
217cbe02931f6466bdbdb27c85c876b851610b23

SHA256
98a20cd0e9fae36f22de4a4db7b515532b4327e6d475d4e39ae93ea45b76cd90

SHA512
c38828d2736ba26ad0bff9976adc9d3910df7a417aad8cf6e3cf6383688a56ad2581cbda520403d44b010562b56d6107211385fc80988ac57e930199415ca654

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\fr.pak

Filesize
318KB

MD5
75575474726cc8d98def90e0dbddcb0f

SHA1
3e62e3b73bab73597a01c3ece5871c64b142391f

SHA256
d37509844342371b4026b720dc00f77ff88fe2e7c2b27861e3ca66b10e76ca94

SHA512
37e8e5cc44ee4433b0206cd1baedb955947d0fdf172e69a28fb7bc09f2a57c4f27fb45c12a0a49753281cb2e2a92792b67d568f3cd4f90c9c87337249d031fc0

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\gu.pak

Filesize
596KB

MD5
e245057bea15117bed15bc3ee2911d74

SHA1
c8e2d5f85a974fa989c0d0f64121d2836a13bb84

SHA256
4ea64678c7c551c2b2088b9417bcc76218822f3213e9b8028d618864035b97a5

SHA512
a72a1c259332f279f976403034c9d2356a437a1677c0e20c243f23ac246a8ab65bf150a610867687eef48a0b7c87d23f0e357ef21bb1791386790243803ee70f

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\he.pak

Filesize
368KB

MD5
8c02d30c68c4abb4b1a7c2493d8fde51

SHA1
2cbe2f537d59971296f2180d146d9c2905d2a76f

SHA256
e37f0e2516799f320e4ac1a872d0ab7108c4f63d9ad33a17a4008923c7f93e9a

SHA512
9155cb07b6a23d7f73bf8f68af44ee3bc1e25c6ca643c2f8d64a808d3f78076e3ee60f68d3be9cfe3a6dcfbbfd4595e58c897cb4f8b92272e8ffb443cdf6f3a6

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\hi.pak

Filesize
618KB

MD5
61838bdf13a1d60545d15e9cc49866be

SHA1
64bec7fe42caf53f192b58e4e5b068e56d835cec

SHA256
9a399dd9dac62ea30d700f94e83dd79d54827eac8b9cbce0343ad2dc0f4809a1

SHA512
7e9e0c3aabebd6f0c221918b6790d096824ee1c5f7338a21ac489952b8260b1e59be423005ce34bd5039cb38fa7c9197cf48b77974ed8f6b7ab2a2472e3daecf

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\hr.pak

Filesize
290KB

MD5
a621446d9e94b0d47935bf3310c385b5

SHA1
5cb954846bd2a2c477cb28b99545cd9bc0fbe990

SHA256
93f7fbaf2c7e5f52187fc4a2b5726387e84decebd1efd8b922665bb831e5b842

SHA512
80c5ddea81bf8d1721a2c6cf094cb2c99a10a9aa443193bb2942360de9783da75292eaa341711700281626cc0c8a8f9dc071bd8bb589444f764ea307c4b9de37

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\hu.pak

Filesize
312KB

MD5
3c70ba470c8503cae9407540d070f506

SHA1
0b841228d28e8605c37df79f1a3714402d2b18df

SHA256
0770854f32f041df5ee0190164aa24a1ad06e199c79efd46f3ab65e12129023e

SHA512
ded69524127431d1b6a68bcf85119079a57d3aae5c5be7fd8f215090ecc74570b899e8ec70d6cf74da49833d903f8ec2cbb06738a1c917efc5e19a44167183c1

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\id.pak

Filesize
259KB

MD5
fc2cd7f4af1976579f6b0eae3ab2d874

SHA1
c4e434b9d0d95a505947c97d396b05c9a18f3983

SHA256
48b670c94216623a0c81ad611cc3b47a47dc9368215e065fd02448b4ebf808ef

SHA512
9e355bcfcc31535755233cdd7a521b0bc68f897d85a22da658e3fe5bfa388ce8d8dfa7c01087ea04cd268d44d43862c5acf5b305e45b4572dcb25884e45a4535

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\it.pak

Filesize
285KB

MD5
56c13472d7efdb4466d5189af2d06ce6

SHA1
84025c148e10e1885125893dd286d0f9e751e101

SHA256
7114d3e0c7de30f25c789a1dcc7c50e85985b8ff35afce4600128e85318b4af4

SHA512
fa9b17d387585a281ef1582b8596cb61dc79658bf3b121f6fb6355bd6584c517d938e21d1a0b1be6491c01e5c15c2da666d9f77000a12a2da137c040046957f8

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ja.pak

Filesize
351KB

MD5
9705a8fcead214aa619f1be816135ea0

SHA1
f10d22cdbf5d7960aeaa13c98cf8f7de41034760

SHA256
c8db5560edd42f1a6acc4efd10865ce39c15dadd3b7dbdaaa28922e1f9c86320

SHA512
6d82ae6023e48ef54d6903a13b6f07069fdd5c87aa0e7b1219c0797bf49cc789170b3677d572fb1b63feda138e624f71e7175022eb7928db0dd413cc8652c6af

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\kn.pak

Filesize
693KB

MD5
2e9a1e91aa149308dde43e0b357e1c8a

SHA1
d657811a3b3dabe519fb7b5fad46977674234f51

SHA256
2a0411a1368fd5f342581b00fb3b451f89ad593fa49f0f79fd9abd5ee0d5f5e1

SHA512
d7b612562fb04a89dac28f51e691f42af39cf61bbd2199c4f652a3096330a99084c0f410bf0c449403031b9a264769ba2932cdae8b0c49bcf92b5ae7a4e8fe9b

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ko.pak

Filesize
296KB

MD5
2a0bc83152bfbc0f365d3a85fd1e1832

SHA1
9b972a8e823ff6f161ca2aadac11043b054b3146

SHA256
ae1cdf9a4cef3a86d3550f7501e5c650cc1e0924c9ab84900df702ea7e351f8f

SHA512
2c3ae97d3c78310cafe92620c0438dde4c624353cd682f3087c92050870d768e6f7071248e55d03232739a2dd94c7694975b0b329f1ffc6148221a18effa9088

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\lt.pak

Filesize
313KB

MD5
7769b6273b1519ea1a8ac9f059e78c93

SHA1
6d8807f4af484041bac83d5d8873d639d5f07d0e

SHA256
e88897c766d8746b9ad859123742dc84b4dc9e6bd05d10a9262b15055a67758a

SHA512
9c91942cb73bc0c2dfdd94a93759520d9a3ac7f6b43ac826d00d2ff46c6335ed87126024bfa955e9c9e744d437a832188d66ad238ae66378a23210b9d1e740ae

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\lv.pak

Filesize
310KB

MD5
17b9ff8c299fff962e9b9bc0d5f2f15b

SHA1
6224d9bf81c4771033e14477da0a652336326036

SHA256
7e4a42d3cc06b7c9cfebad08391de3a275ec129ac20d36ec90ac136ee88223f0

SHA512
8bd3f102b933b94cd0da09e77c78369a156e2ac22f29888ac0c9db8d9d4e2a7e4eeac99942ae7a8785c6207a0277c374c1727712a932922c10646e3fec609963

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ml.pak

Filesize
728KB

MD5
df01088842b8c05568fce402a69bb595

SHA1
4b97c244ee85efb9c35b69f65f64d9cfcb2d25aa

SHA256
9f1fe59eb3d0da8d36715d63da958b5773ced3967e04c5314b3d5aaad2f3c579

SHA512
b434a12884f7a1d417c02de2fd27955e6af2329d8d8d0db9781675a16396556b89e2f46dc951e070c4077073e126d492a5db7a077b7ac3b1f80fe4fab4d68125

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\mr.pak

Filesize
584KB

MD5
f40f6817a07049b8589310b7dba04534

SHA1
93afea27adbd165aa1e3261cb67d5ab719ea02db

SHA256
5429e2696d32638253c4372cc427b3fa154d7c997dc13aab90411fdf98c8f6d3

SHA512
450039cebfebd9b5dd012c2980587e78b64e777bb2ed7cebd1f3174b5e88f0a018cbd60af18ef3eaeeecf9729b420a0216a0b167867be4a2814744217bbf84e6

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ms.pak

Filesize
269KB

MD5
901240b9cb3a7a635c2d56d6ff1b3966

SHA1
c1fdd4ccf213bf1822696061d64930f47a017cdf

SHA256
a750d091e4ca00bdc647ca36c2a22cf9199126c69607fc14f468f6b3b588e55e

SHA512
2b316bc8d5f27f6f90434fa61d270a28f5aef2b9808b1467697c5671aedcfd99d7cf99d72f11d05dee06e73949ab2b22627ea1e925ce8b1ec65b4cd43d03eca4

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\nb.pak

Filesize
264KB

MD5
5c901b43287edab65f05464dbad3e301

SHA1
d76444677a7eeafdfe0bc27a0ff892f028144d67

SHA256
0bdd86ed3444e7e5508dfe4ec483673c2744925accaa5529bff4037cd1b0c2ed

SHA512
46fbe41905a44fe034f3b0798459a2b5bfb4ac408bb90fb5f0f9e82c91407e4b6eddaa82173c0926784881acee514da71284ed02decb49d99cb235784d072da2

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\nl.pak

Filesize
275KB

MD5
884f7faf0e79d04c6536506d6f95eab1

SHA1
39334913aa447b35012a8d7100e7f91e805c7e9d

SHA256
b4d9d873df0ab126f4a312755fde331d4d246519f1757f32087b36714ef4249f

SHA512
77a4379e148c7886950b92bdf8959c12c8695b7121be89142f4d4190cf32c43b8accb77f0c40718cd3c7e3ac0f90e99f3dcf5992140a5769821fc2adac988e18

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\pl.pak

Filesize
301KB

MD5
41ad390a8cc5fbd5b1f352e838b42ce1

SHA1
9efa8f2e5a0312e83f737929765a86112a874272

SHA256
979c4336b428df84e37a2a51a7c5f311ac33ef6e4edc309c138ab2866dd065c0

SHA512
1beb3c66c5b4f9d128e8badcaa8b9dfa9908d74ea910c40a7cde8be3b9b704525e7ddf1e646013cfecf7c66585975b8a8e640b43b27771335bbaa90158f45d01

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\pt-BR.pak

Filesize
285KB

MD5
4792f1e39c6875d8aa5e911f16ed638d

SHA1
c04ecb497096be4173f9aae3f0ae6accc8324156

SHA256
a39bf79dce50c0ef227c3f326728d12c7675a79ab5d4b891fc56913bcbe83e5e

SHA512
5fabf0e030f94c959eac797ae401f28b76ad63816e88d26e3875168978d7448317e3f86aa99b15c0ff266505c5dcb30124c796c6c46c0b90e09ce21b77324d69

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\pt-PT.pak

Filesize
288KB

MD5
0db54f0f25ec3a19dff541ba223bd5b4

SHA1
dc1f0c9b1c2578490af5923df179a92814c04904

SHA256
ff89da2b21c03475373f3839615c570d15b9929fa2cea991105915ef4e648d69

SHA512
96060c6c548085f019f3f127c4250ae6620c2b4f206da9203db94a7d2146c945b5384a661494ad886ceb35cf3f45500302b01009e08b43e549e17ddc318bc48c

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ro.pak

Filesize
297KB

MD5
14ee5c1a362e753a5c44b11343430fdb

SHA1
b87e4750d5319c5c695f1581feaacdd71abe0cda

SHA256
ac3134a201073f6482a4cceb29a745104325ac76b7ad0d262ac7567584f450a1

SHA512
ed647aa3f3ccd5033e41c8cbb8f85d1bd0dbf783472668abb9a7e83ce5ce05706b9d67d5cfb4c28791414e77b5ea9ca5335189545ee79475d3f7cf58c1f12377

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ru.pak

Filesize
477KB

MD5
3d28ef9e25426b08409db5379cfd55e3

SHA1
25fefc87d6233da5b287dbbf04a63c34cb9c5571

SHA256
b81a0b0175225dbdf35150dcc0c36154cfc042c1525df216d68034f0ae609057

SHA512
210b8bf28519c1e1576dfaa76260ceb6fe5dc46d23a6c74f1eaba9e08abb310b34989f0e667b6839999f765cb9bb77d35636db63ba082d471c6b73819b357995

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\sk.pak

Filesize
308KB

MD5
b37b81799942fc174e05b6aac03ea4c3

SHA1
788d6d10c82614465628f79bbe1f2346839a582e

SHA256
579a167528badf2a6feafbab487bd2314dd6107d0cc87df17a88ae325ef16319

SHA512
31bb82eb4434665a1b22a21e3e91b48fb2fe78913aac18475f8f328f05fafb2e4bffdd1565b8f48c67061fbf760ad217300882b5871d1753255d969be2b49b44

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\sl.pak

Filesize
294KB

MD5
4138dc422fc6a5afb1a855ffe0caba32

SHA1
8b23cb3c91167908e181eb0ce9d730ca5b3179e7

SHA256
7904fb9153a65105690d76ebda6e9edef2852b868f6a8d2e989b2013d40ffc3b

SHA512
a578919421c6458fd187d5985d721257cfb7bc3404f174dff413c211f29cb2d4552699fe10f0c01a651e224c1c7f3189706aaf71107187120a4260214881e531

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\sr.pak

Filesize
451KB

MD5
97ef86fc3b66a0a3aa4e1be4555369f0

SHA1
bbe68527d0c4c9e6624920d548c0ab0c09dbac88

SHA256
d5a48e324fba0fe6ad0b08da12fa2f4b9279b6271d36710663b3462794a0c7fb

SHA512
fd7802060a8891df3ad2df1252e0fe09f227c7ca81715917fe0020277d28788326d9798cb62acb8820f4701fb18627f78b6d22d9ee8ee402abcfeb4704718ef3

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\sv.pak

Filesize
266KB

MD5
f2bf46d97477489d80659d0be53d9d05

SHA1
a76378ec45dcdef0c596aebe8a4cf36dd3f9c01c

SHA256
196265eea8a2d8746953564b11d64dfc38acc9b17d3e38965f3ae1ba78841e32

SHA512
d65d27d04beacb20d3367af016ef55bea774c782475271e0a0573d2bff2912835d96a803c216ca5f43b56d142e6a77b41a67f35c5bc704c10f5e2aee5d6b7348

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\sw.pak

Filesize
273KB

MD5
e99bc71c3caeae580ef7060155ddd0ff

SHA1
d6986e1fe1dd6c110b05f44f84e956ecac188b97

SHA256
4282f200af58345ac756dbf88d0b898d26750f5aa16b7d2557b4d31c0ec126c8

SHA512
6bef16c9633387a3a0557cb644f152210d75157ac9b8ab1af6b94bdbdfb48b2511d0adc84d269ad16a439415ec46b78ff9a2e743bf72238cc5f25a4ce5bbd7f0

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ta.pak

Filesize
703KB

MD5
48554783d89587fe96d94cc1afb58248

SHA1
be0843e27225df82cbb27f017acb7bac27c92c5e

SHA256
df0d976ad84bd0dc165f341ca9c5dfe7995a4f676c1c0a09d7a4716747e94896

SHA512
2ec38646a550e86bd6634247de2a49be20e9f3c09820284da82f7aaa6ceabe32920c4395d3bcd728e3370f8342627a9a9f12b6a222de145213efe57239183784

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\te.pak

Filesize
658KB

MD5
079fbd6adf806504199dd0b05c87c697

SHA1
4fec8c3bae9b48f92e35b609fc3977eda5de2039

SHA256
ee2697e8850803f08bee80e461833bd9f4232532c3f569f56521b1320c99e5e2

SHA512
722c6f3f6f61a8eea6965eae290e580a3263b894e07f7aac08fb6cca67e668db92a874728e32764ee0c10f5307b753d1589b8cae5c8a39edb29c7253591c017d

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\th.pak

Filesize
556KB

MD5
433dbeabe2d4c70255f1685ece8fb97b

SHA1
966c16c364b4f3ae6ccb8c5019c0b6bca75b593e

SHA256
dedb178d79730bb0282605f7bbc6e410b03ee7bdcee1a64c08d9e9c442f49942

SHA512
b5f3d434f71b62136647700e7d4c4e207bafeeb20cdb03019c6cd6580e61f88f596a4f2a0ca77b010f38b41a3eaf5df8e2a00e06764db17244083cb95703213c

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\tr.pak

Filesize
282KB

MD5
1a505f3f30511c2b05eb29ee0e0bff26

SHA1
08d4002d32dc5ea8a9476495786f5d5c1bae7ea6

SHA256
27627a61c6857b80b5eec4f6720b585f82b38271b7470c00a444735beee254e0

SHA512
d925f59cc9af4d55ad5daee42094ddf5d120eae816cddb56e906cd8da47039502f7608e9c4af77994ee7db585697fb26dbbd1c2e7c0bee4e3b194c9eee80eeff

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\uk.pak

Filesize
478KB

MD5
e21f45d7685b75be483013e1e8dc8237

SHA1
8f4cdd3dea580d7671117e9c49891212ab950686

SHA256
dd57df6e7b591b3bd6663743c52f4c5f3a7a24e90fd8045b03479707f25702b3

SHA512
b29d8c67a259e4221e9cbb082f41a1b008f665e18dac568c7ac75fd40ee1e1e00df8bcd65825fbac63d51b1bf555c5c3752b96a9c8a4a153cd325377a165a048

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\vi.pak

Filesize
332KB

MD5
561050669f78bd04d0431de3eb98d160

SHA1
028a78bbaabe19ac338648ac95a8b944254e8d3d

SHA256
922eb514cc20dbb44f41745c9e793756f8b46892504207e75de188be0aca6333

SHA512
2df7ff472a616c9271da813a66c6bd98809d788c7dc752ff0f3f68423f245cadd6945a5424af740b17d14f4f6935a2f2bf030b369dc8a39fa6e968d7f2a1897d

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\zh-CN.pak

Filesize
245KB

MD5
54415acf2d54c65718c99ed78b4bf3e5

SHA1
311937480b01256a1e50d0556df9b4f9f9a46424

SHA256
3648945ec3205f590da62f76af957d8a4175890e6ddb5fd1103beeaf66728c7a

SHA512
4eba5d0f1be81e72699d8429252877096524b4e27fd7d8ac480ec13cb60a83f4b8288823299c1c4e210699278588662e578814b8061bd5b72b5179b956624fc9

Download Submit
C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\zh-TW.pak

Filesize
245KB

MD5
c709c2e92d4c0a1a2fd30f5350bed636

SHA1
31c8463300bdfe0238f167451a1adffc4fa899a3

SHA256
37a8707ce5a07b4363579e2d411a1c641913ed1e0377ae1e8cdf70146cee889e

SHA512
38f8da72ecbf73f10a8109ba51f162e77b0f567f7415fe2fa17a2bd7677d9562ff8bd5c136251f44c192c7618cdf72684dfe11070f478255828a5bcc5df8c01d

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\exit_close_click.png

Filesize
447B

MD5
b09525b48c0023f893d6b64d06add4b1

SHA1
10ecd439ea04e02eefe17f6c110d0c0a78a1db21

SHA256
caa2a8fe9b282939a21b86f8f61fb0c9452222cc3409f06cbb0dcc45613aca8e

SHA512
c6f5a7014c24133eb576708ca17d15becf2b45ec278b3f94e5275e47c78cf0f2eb8bb1a17d277d1a665039f38f2e25faf830e275f426b0a94c6a3da096b6204f

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\radio_selected_hover.png

Filesize
577B

MD5
47ff3e4cc15b8c4a07e3ceb6cb619b62

SHA1
0318e54c613b8ff00f54d843e90ef88310c1a96f

SHA256
4786cfb7c98edcf01d6b670abf19c50891d56a4de87b96a5e17be142b1af666a

SHA512
0212bd7f6cee390d3bc221a22189b75407fa660a0951c7f768645bf97e7b61ee86fa9b1de6f546ff1151560dcb3b071db8c14a7b08b0e771b539a817b31b154e

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\radio_unselected_hover.png

Filesize
480B

MD5
22efccf38e15df945962ac85ac3aa3b7

SHA1
b94a8615dc92982e1637680446896080f97c2564

SHA256
0ec39ed4bf89a341f1b5aea56d0e99ff5c923b9c3a6a81adeb9ff21764136f92

SHA512
41a4dbb57abed1a16aa84c72c202da461ca45cbaf68f69a10cb3e5529e8dff659e89f7f4459d1e2e8f3549c6fd51f23fc8422f86667577ebed5ab5df149c79ee

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
761B

MD5
41efcbe0ad0659011c1b282ef1d687c9

SHA1
08ab417e598b820a19a69ea23090a5a38250a68d

SHA256
d57b904553f9bb40f136d56efb3d6950a27bf7613c99a55843dabdede0af3dd2

SHA512
c512721bcf27bed0d5dc1db035162adc55e00ce198e6ed92191cf8b6a76e4aaf41ae482c8e1a2742ff528d7f4b02271a0bd0d794d9aaaf63b6c4d9adc6acb72d

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
1KB

MD5
1afb004f7b0af5ec5488b5793cf54126

SHA1
633437077374146809cdde56508bcb257e5efd9c

SHA256
94b6b13af66fc47021a63821feacac6dc8eb9729c9167af5812b9b031c6cdfd3

SHA512
cce196adb304b454ba6201e8a2d660103ef4da8c9da3ea838105760f20d77ce333cd49eb4addcb313b16324ffc1f08ff7a3fcbcdf36ea730a6af629fc005f1e6

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
2KB

MD5
3a771c9c5b2106e720f9811e3eb1b0a4

SHA1
9104c2a12e60954fb3ee52e1720e2bc93b5c3be4

SHA256
b3e549aabc7aa2d434ff8d5309c2a89477c5bf6be1a423839e83e905bdc28af5

SHA512
b8a37f67a5311e827566f4c2116b96bbff8e93ccdbca628bab727f4993a6dba867a7c8634f2c94a6b425fef7ae0c8b77dc356518ced5e803cb1861776b9f15c6

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\Log\log.txt

Filesize
4KB

MD5
0c631a1b40f5fb4b4976eebf7558ca98

SHA1
1d7605a3f834373020ba29c497bcb5d9f6168398

SHA256
9fa149e5ec5615aa695e1503baed6d41dc15a37036cd26f11abdd0d13a9f415c

SHA512
547718c871ed12d2edbf92443d6480dc9ae9b3f02f41efe844b63bce2604ebbbf2db0d0b94d5f30a397f4b6942e32c24f99f4c6e0e174444a72079ed16697ada

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\Network Persistent State

Filesize
336B

MD5
34190cc99c07fa1a8c65c8af748520cf

SHA1
8a53848b1162239f90742624ef260c7e7bd20835

SHA256
65dca15df06e162f7e93860f474506824dd9854431408239538e2d11749fd067

SHA512
19857c0c55afdc840664a0ba28695735ca6be24730a4c8371c61ba6cd02ccbfe0930f1cc71fefa86a97f0fe315a398ad50c4a1059b159e12f0a6ea4cb7423147

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\QtWebEngine\Default\TransportSecurity

Filesize
539B

MD5
527371af0fec2716d02c29a5ea386d44

SHA1
59aadef347eb4dd2cd38e67c8d5bb0aa13e911e7

SHA256
f73e7d8abe660c29374c117ec54d85851da6c729ae3c3e61e26466109059d4fc

SHA512
68eb6d535e0f230bd197026d88f1b52f6a2526a8c48bbb32b0ff9bb6304ac356f8637cf48edc70a316ef0fdd7e0d72eda9d8a19f14e68e120055715139065490

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\f_00000e

Filesize
201KB

MD5
762d651b3659b78aaadd643672f395b4

SHA1
475f84a6cb0eda14d196ffae0b05ff224aa25ca1

SHA256
b15960fc83e52326bab2318e7d9966a7e2bb749f909a20ec8c79de9e67136588

SHA512
a3d62d4841571c5d0a89dc9ca17f3080be8a86e83aa059ba7e2c9e3dd57e7b65ea940f3713fb00f82207914a6a390d138c600a7c8f3cb7c3b1066dee297285df

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\f_00000f

Filesize
154KB

MD5
5bb5fdc56d18d14419a670dd28b156fb

SHA1
d2158a163926ba9dfde6e82a3bffae916bc980ea

SHA256
4cdd4759cb2702d43deb90edce744504412d4d39a7ec657f7da84df0382abd9a

SHA512
1d4f9e3381a71c886199d2ff300b76d8c8834914693284e09ec3a40160aed4dfa5195ce0d8c953970e148b9fc2c23b5e0a9abea291a13844aece3be1d38efb6f

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\f_000014

Filesize
121KB

MD5
864b95c35a68896755b0bbaa3dfe9da7

SHA1
a7d8360923bf2d4a927ff9581aff67adf0999d8b

SHA256
34fe7ba81d687fbe278d1a2d218e2cfa871b622a2c89d83dd361bff0c29ee39d

SHA512
3c54dab83ebc0d7d0a8be53efc3dccbf8a2c7e8a28f46bcfab1b1a65f54ce7b54680b5d31f8cad2e4efffa23694dec8f37ce11f3101924a0866f8039786ac58c

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\f_000015

Filesize
163KB

MD5
008568ff49428d51d7f53c8703c947bc

SHA1
443c6629214ccd22df5daf4047763fa103b47336

SHA256
cc959fe449a989b6b3b05160815511f63197eed52d8cf421bb3d531e9f062a1d

SHA512
2cf342e1161eebf13f9ea0c6464b0914b35a3ca8b45ef397c1d6b7f67d73930ece3fd059d2fe3a75c56d12180eddda80ece3e50b2840715b6366fcbefd2c5ed8

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\QtWebEngine\Default\Cache\f_00001a

Filesize
85KB

MD5
d898661dff268990bfbf516a6bf0b4da

SHA1
06ca5b9434eb8636acbf8ff115a2e99047e53f27

SHA256
491d3edefdd56cefa746bad2efc9dbbc7c1ff0ffdfeb842272a60c47fcefd783

SHA512
89b26a4c3fa4aee378cfebc017eb3f8e7cea3cfacb50398205b3c0de0f4e826c7351e3984546f5dba08d5ec40da723383074fa00964db0a85fcccabfc5f04319

Download Submit
C:\Users\Admin\AppData\Local\BlueStacks X\cache\promote\days.ini.RfKKcs

Filesize
69B

MD5
1452c9f2ba945f32e460165b599286d6

SHA1
9c710ea654319ca59fa3834ffcdb50c0e5c90ae4

SHA256
e9710121a0f08f918110cbcce5c27950381faab2f043981cdb78d789013d9059

SHA512
fec19afeda41171858b7a2c5bdde3a0e07740ea88e9df8508ae837761a2152e617a3a825569db7837a503f165843330148ac7c91e389496588a8c4dd942e19a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
5994dbfc65a65175c40ff8d51babdc0e

SHA1
b9ec667b32e111eaaf459a4d18a7c518f722c5df

SHA256
6877e7cc3d44fd340ba949b5a273e838e5dae585b92cc6fbdce33ee5f006c0b1

SHA512
324ab4f99e71d0a6133c962414c0a2b308d032cf0aa40ae794125050d93197d26f7aa681ca648c170071e67a4a07fdaa9c39b9ac8cd7ffcab08a421878ac2dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
96f53a7f104466993de3c5fc4a692efb

SHA1
c55600f762ba989e7894298da5a53c4077c838b6

SHA256
8c261910649b0cde1fddb8a1615975385fd4373096784d70ad81a00da8991a7a

SHA512
ac5355198fbdf52798ba70deeca987af82ec3cbba291c74aab2a79c4dad7309b28549bc8bb1fbcf22623722df2e6674cbd71ded4d6cf26f1d1294d7da79cacfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4906ffc26cdaeb16341e099b5f4c0af5

SHA1
80083e3eeab33089d79e12b01807eef2e526cd41

SHA256
7f0691bfa2d9f1da1ad053216a110f07d1d345928a5044bb0dfedba0354bedb1

SHA512
edc2ae89fc7ed3fac843ad7651a4ec96c343ecf1730da4145fb547776c9ac64ee161132f1c471bcd5c72c935381791b7c9200d3c30433cfa5439c98bd7dba120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9f792b260c02105db2e96fbede23e20

SHA1
17455a6ce3d373fbcbb64ca3935525abded7635a

SHA256
78916589070b7e33dfb43777e1323ea564924de006e11683c8e2b9307e360c6f

SHA512
c69cb9277f518c5e3afcc53641dd8a3aabcfabc56bcccd6abb6caa02b4a769d1f38f1f2648494590507671c27d2859e5efa893d5fa53eddd85a76ed82de6640f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f1d6452dc9447779c88cc9aed0ff48b

SHA1
0a9d1a5fe7ce76eaa122dd90f939365141aad7df

SHA256
c000f3a660e09b2505df48badffbd7255d52c79efd08b7528e22076299666139

SHA512
19cfba016b681b58d6edd624d2cec82e6ef4c6433fe7d277c982700a8c01c9aac1109c81981558786ad2734d035372a9338d91ddcd2b10e8982688d5854372e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rfvxw5k.erb\BlueStacks-Installer_5.21.218.1001.log

Filesize
127KB

MD5
3a58e414ab7aedb6382e0ce420b643c9

SHA1
1da722e860fc0a5ee877f64a70abe2b754300893

SHA256
e1b661049e0cc4d850d84a7366563abb5893e006b32b485085439c753e88b2ed

SHA512
8e9375995ead79dc73fd819278fdcf7e82efe785f9353e83cb2c6de1516ae2c25911ceeabd61fdb8f6780f770de6e3e1d7ac6a59dfd9b089f0bd7e54bd67efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\7zr.exe

Filesize
812KB

MD5
fbaba140f30a11e5ff4f97d921de6d45

SHA1
d12360b79d9fe7ddc5380a22539dc7d4768ff5f3

SHA256
4889c0826c633c0291264d37834363be90ee39d07fcea228494ed151386dcb16

SHA512
cd18bb1b057b1b077fde372ca5f98701614b196b692ac42ec56e5b839535022d884a2cd9b6bf644a520c6f48f12f673574a24e60580c70c695067b66442ea7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\checked_gray.png

Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\checked_gray_hover.png

Filesize
412B

MD5
ea22933e94c7ab813b639627f2b38286

SHA1
c5358c5cb7fb1a0744c775f8148c2376928fb509

SHA256
d7c79677d2ef897fa0ad1efc90e916c46da29f571208f78f24505603b7165c20

SHA512
ba447a1aedec49419e2b4a8de85c6047886f1a5ebb94f1c45e205a3780c6826f412a3892e97115b35e43839f43e346f3c72ffbf0c57d57f6d26b360ae61b3964

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\close_red_click.png

Filesize
15KB

MD5
6db7460b73a6641c7621d0a6203a0a90

SHA1
d39b488b96f3e5b5fe93ee3eecb6d28bb5b03cf3

SHA256
d5a7e6fc5e92e0b29a4f65625030447f3379b4e3ac4bed051a0646a7932ce0cd

SHA512
a0e6911853f51d73605e8f1a61442391fad25ff7b50a3f84d140d510fd98e262c971f130fb8a237a63704b8162c24b8440a5f235f51a5c343389f64e67c1c852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\close_red_hover.png

Filesize
15KB

MD5
5ceab43aa527bc146f9453a1586ddf03

SHA1
88ffb3cadccb54d4be3aabf31cf4d64210b5f553

SHA256
7c625ae4668cc03e37e4ffc478b87eace06b49b77e71e3209f431c23d98acdd0

SHA512
8a5c81c048fb7d02b246ed23a098ae5f95cdf6f4ca58fd3d30e4fe3001c933444310ca6391096cfaeed86b13f568236f84df4ea9a3d205c0677e31025616f19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\custom_click.png

Filesize
15KB

MD5
ced07c9db242115400e159d9a02bb7b7

SHA1
6f2bebd1714dd7522479b5f3e3f2b3f0d18e8c77

SHA256
1318e0f34a551edae1e82818fdf7de5ac627493db5b24556d919f525052d5b90

SHA512
d52e63792a5b4172d4ac4e2d369b22b170578616d04de5a40be15b260a2741bf8158b3aed9509760c334283360dd13a4fa21538fc4547ba464be5dd700a22b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\custom_hover.png

Filesize
15KB

MD5
f3e05f142e742e25a98d4f5af3ae0623

SHA1
88363e81ddef700803f4859d2f3f0b4af516bbf3

SHA256
d588ef0eaa334ed8482f32e5839a7ee0d0b544d5b8d5f7720b8c57010e080424

SHA512
5f07a7163c9834564dc4de5a1a484ac8208151bc244f8e72d64556abf88c35f6a81dd6718a3e6f681265c10e2dbbadb07570fa64c31113342a88fd605019496a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\error_icon.png

Filesize
1KB

MD5
dab2c4538a83422b5deae0e0de9b7a30

SHA1
78c2ab2271aa4020df1e0289bc3c1ba9a43fd424

SHA256
666ad4fe456216ddc06618967846ed31f81d8db5be97da6531842c0667352b89

SHA512
24cb30a68ce117ba16edd1e94c7d066343eb265c874cd55467db2f913c01b9d776b2ad846e3414cd820c0ba10d93f132aea27739d16165b6e9dd5fbc8890bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\error_icon_72.png

Filesize
1KB

MD5
4aaf83d2b3fd56ad806708e60474df39

SHA1
144777a265879b69fadea3eb3ac6939458918578

SHA256
84e59d14d9433e6c3d92daeb8c443063b5e3be6c0b297f0403dbde473a05cb3f

SHA512
3b8485f054fe6ed2374bc81cb1786f09741219fbfcb22503707b11cf5db1ab262ba4349633597d5d9ddabc3415b170fa8eebc932f58d211d7092b8fb96fa1304

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\exit_close_hover.png

Filesize
575B

MD5
92c2bf222d6ab81fe7a0c072bf31c107

SHA1
8853eb08a2aa3e99fae6dabb9cff6461704f2a2e

SHA256
bcc053a9a087e077d58114106d29701a34f7851f4052f3157102811355d3e709

SHA512
6548d0038f4bda1db69de0729cc9648725d744953649a396b9147afb16abf018a5aef7ff7d3bb019031863f20c81bc202d6e37d171027ab9fde3b37402e179c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\installer_minimize_click.png

Filesize
112B

MD5
08fc39a69fa17e0f529915919cea1633

SHA1
2966a3f739698e2ce368585fb7f6ac4eae4497b1

SHA256
2599d6a55a8e12b1f05a6e8982d55559151a25ae3690e6637510b6283622dd95

SHA512
f5eae902f9b631410b03b6d4f9be1b4cf6547a94f1a2eee6bf70b0f3036499c01a42c9d58cf98ffbe10edbe79577a01e64faf0e527a70bc9470a1c3d9263b805

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\installer_minimize_hover.png

Filesize
112B

MD5
18fb6465b029206477d0222e8da6fdf9

SHA1
b7f91e5e3002a5d3c84a30ca6cebe1a89a65ba7b

SHA256
57aae4bf49dcbb0ad6cff6263200015c89d7752dc75c2ad918bf846e1ce9646d

SHA512
f045dfed35ea9ff31336cd354a0dd2e9a7ac2582cea1d25a444fffa3bd01e03d73611f786873a81a27a370e5ddb3a6043713e29f064d274088df1c925eb6785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\installer_upgrade_image_bg.jpg

Filesize
19KB

MD5
3bb85d2c8cef28c89a2d07adf931e955

SHA1
596d13e7742455afce8a534382b28cfd2f6aa185

SHA256
b7f75233e633107d50f24ca82099225c83a832571cd2ce92901f2db3897f058b

SHA512
7075fe989d69ad5f0f4cca5fbbbabad16e0949c2ab8538f3f96020b831a4ec1cc3a701dcb7332e577b5eceba230449efbbf8e288dad47a53d76e40c2337dc730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\link.png

Filesize
306B

MD5
ae2c73ee43d722c327c7fb6fdbee905c

SHA1
96f238bf53ac80f5b7a9ad6ef2531e8e3f274628

SHA256
28c0abc6bfe7a155815104883a37a53dd783d142300471064c95eddf3cae0eaf

SHA512
5a1e341f727cf1cb4832cced8e96c5a74971451629603c48bfb91ceb4561d0122ab9ae701f8b34681d5f13115a384467d430ccb8282494b40f4577ebc3ad825b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\minimize_progress_hover.png

Filesize
214B

MD5
fc2a0361a751177d3aacdba9c31b2682

SHA1
0a8f672d7a8777d1106e3b8ee36bd6e45bd322ab

SHA256
1a4aaa46893e2a9b011c478fbb0cd0e84c199f9f3520703189640088969ef5cd

SHA512
a15542c90972387133d86f6a94c17435432b1493b02502533c4d7978428ed7d44a7d3c5564fe08946561638f8a5a3dd0b35b81979c2929dcc386ee5f6f7ecccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\powered_by_bs.png

Filesize
9KB

MD5
7a2e5c21140aa8269c2aafd207f5dbaa

SHA1
4e0d9e7e1b09e67eba10100d73dc51623517821e

SHA256
3d2afe5236ec813d9e8063bc43eb34b88c2155784e1bce19c6a533c32767af35

SHA512
63f512559f2068a9702c7c527c126f6017cd8d1d16af52e41b884aa9a64ff4294a57243ec78c3a416f70fb6178a79877d68345357725ff92c935709a2ef8adde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\setpath_click.png

Filesize
15KB

MD5
624e84e9b49bc150043aa9fb0eed2822

SHA1
f23f2a4ec609e3e9cff9319533e561968ccabb22

SHA256
c94924e95a49b175c8fc00bdc2821bb70a85b864cc193becc553b32f0024dde1

SHA512
288e1954d29bd3d22b56fadb2e0d3d10580a540fa1f2bab1284d957708bad96df5e38b67c6dc14784e1e275b89082c57370b786c0d0c4307601c0d2bf3704460

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\setpath_hover.png

Filesize
15KB

MD5
b1e53a76b6ddb3ecff52bfc1a8e5b09d

SHA1
012b5879e879fa25bf48e4bb62c35ee829eea571

SHA256
2da3f9367c847e47131370dd163f611c4639287512a47f487e0025c5665830e0

SHA512
4369891858b4adaf9144636c44b55979290177bcff57f67f341071e42e90f992531024e122c0bc5436ddb8c55e994e7b913ec37137a642dc0164e6e2516f0b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\unchecked_gray.png

Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Assets\unchecked_gray_hover.png

Filesize
176B

MD5
62d7f14c26608f8392537d68f43dece1

SHA1
add4f30e7c3af4f7622e6bc55d960db612f3bb0a

SHA256
a631e26bd5b6ea19c8c65b766a056c92ba8a47e1483768dcf12b05293c9a7a0d

SHA512
e41210a78e6076954f75a2f73c0f7628e8604a09ecbb1d2ee0972741d4ef1d814b366828977c02944736b03ed116bc559a2ae47ddb7cbc6f4e54578c8263edf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Bootstrapper.exe

Filesize
153KB

MD5
967222fa83fde28087d9a2a2bcaae4a7

SHA1
3d96503ece51905030559564a7fc41c1df234db4

SHA256
5c747e61ebf946b5f2e50d18f5e32a7812f9385af9e8757efc1e5e9775a4df55

SHA512
eeb6053f7010129b0c0a08242dce3a190a9741698898348ba3280fa4b88959c9ee08638234320803dc2af79899d64936f2db4bc4b8b7377765d7f88659bd4787

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.ar-EG.txt

Filesize
25KB

MD5
d6fa1dd077b8900098be14207bc4afbf

SHA1
8902589ed5f0891a8e1f49418396067039be3811

SHA256
7765288a052fc136067e3427d5be8cd2473e3867e73e98bef27a8804600c2f68

SHA512
32ca07d7af6db3b57caee29413112f0206e20a4907e75408ee956ed0e3f7c14f28d7a6e82f0c7df726c3f0c29f04401cfb8f8e22c46eade865aa2ebe949f7507

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.ar-IL.txt

Filesize
14KB

MD5
9fb07e066cc2f213a64d35a97a8c2922

SHA1
a70db989f5c562bc69caad89a1402c8ad7c9b80e

SHA256
65e7b0f37b5e2aa805ac8d57969804d803430186f34e9703ca9fa09ba908ef90

SHA512
81680bff55b475a62a4bf29a8c219230b84894c1165f60e372209a5aacdba8e4819c3dfb76f3b55c15d472ababeabf0cd4b30c04e7daa26df63c8a5101970c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.de-DE.txt

Filesize
22KB

MD5
5a808b3c4bdc506982231466907b5696

SHA1
35b929803d22207052aec135fa5aaecb50e5a286

SHA256
9892441bb8e404533e0e7e58b06f99c380d32f7490c4830275914d14bb37ed78

SHA512
f0dca5012140bc48b893beeeaaa37cdd5f925702109bbedd89d5ed69988e04dc4fd8028de69ddecf9a4859163b8e48ac23730a6c6c249c81ee77a3cd3ff15fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.es-ES.txt

Filesize
21KB

MD5
de22d4e806e6558dc2c6c47a34393c7b

SHA1
ea040afbd8f869a0e610f95ced248d6e8c184d12

SHA256
85975fb551c6618ec35dd3d82cc659af5ba5ced7a4e67a2d14069e48c13a6785

SHA512
18beeee4e61c8e15400c7329f67d5f51e0d0062e72c02ca62af8f0c9cbb632cd9960950c692b02a2714862ac676b93216117265f30f3d83d0c7b7123520763d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.fr-FR.txt

Filesize
22KB

MD5
c4cd29bafff431f555ad85a67a650420

SHA1
5582381384d0a41a803cbaebcfbdeb8592d5a55e

SHA256
f956ba3234e59c1004e402f473cc48836aab71c219180bf585155866a312cc9e

SHA512
b48ea78b1170c260c84d337de131771665962830108b3785f46766ecd01558470d45bf63fffeec656803e3a52c36406487bff5d9395d580fd61cd7c9621b276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.id-ID.txt

Filesize
20KB

MD5
582b65dc88d0690b1ea9e0879943666b

SHA1
d5793947f8e8fa90b596e424bc1d83e1c6048e63

SHA256
a63d776411340c76898763aa459da3e896e21a21c7adec46b664bf0df3c6a795

SHA512
194fba2a6950f1e1e87edace1d7d3ebef2be27ceebce2b1e5fb2ae0d0029aeab4a944f4f8b382acf681365d013065a9c8b480e1cf33f036ed95e1c92f8c21fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.it-IT.txt

Filesize
21KB

MD5
6b63bbe9f7e97f7e16d2b14a22864f78

SHA1
defb31c230bfb6028ff39b667d454fc582b32d7f

SHA256
fc944f6a1f4861b742bff2251132297c19b899a07cb50cf509b74c58fe2d27a1

SHA512
de3d743186aa2df769396e986c08c00db68793c1c80a80fc46cde3e5ba3a8e085a1e7e5e3c3ac87af9e60bc8ba7ec4db3b2111a472f8040ff27cdc0c58513d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.ja-JP.txt

Filesize
25KB

MD5
9f942e2952636446d0e7f54c6c5d4cb5

SHA1
d4fcadd5e74cf8b2114a733307a01f457530e607

SHA256
fba46c06f1ff14645ff9b4b76843cf25e322e88c3465d0fd1a2e691563468550

SHA512
b9575ccb344e0c86894b737133b20d620a5840c5fae61eef11a1f1cf3c911a9157debc456f3230af9a9026e20da129a777428cf4705dabcd5c8b0f1284beffc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.ko-KR.txt

Filesize
22KB

MD5
a0c96d9a1f6d65c720e75c204d75a572

SHA1
ed72d285e3fe8f07abbc02d2d37992ff01fd3199

SHA256
72873e1c7df53ce18509797d35d2b5e59677ac8ffe69b25e17c51fa49b04f103

SHA512
3750008a574ab627e6f02bbd323c55bd446b14e95041398414006a314638262102957ed0b0a973208bb4cf44eb3c63417d00e92c3cf4f30ddf3f7b7d7f9daa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.pl-PL.txt

Filesize
21KB

MD5
96ad067ac5237b3a350a6583f2adb838

SHA1
12571e18e24ff8b315f82eee95e7981a1557f4e2

SHA256
4326c5e3d4ad1dcfcb192381cb73e4254701536407d4c044ed5eb00e8457d56e

SHA512
5825dbe690f5e15dae4e35afda8c28a78a70de04009a47635833e05131cf9d71f0fc8981246ea7ef4abfd389322a7b864df6adfe1cc58544cf216daca76d7acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.pt-BR.txt

Filesize
21KB

MD5
19009369b3afe26375a71b54a781a6d7

SHA1
32f0cd9b5c8ebc9036aba0ae8570714608988a8d

SHA256
bacdf5b4f685b48e80574aeb4d400a0c349733951d10b2592e27a2c20d20775f

SHA512
69f272cc50aa793ec59e7a1c39c2f524a68e89c9aab788d0657adc71f94529131d2d9481cbe9372f1ef71245811c0a431bb4b168e21a9474566a3ee49b265e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.ru-RU.txt

Filesize
29KB

MD5
9ce379e0fba660386cb8f6793f468550

SHA1
6c7a388ce299d9484d9b17352f492fdb1ef027ac

SHA256
659232711fad2121b3ec267f27137a755e236a9944bc687e2852751d922434f6

SHA512
6fb179302f64c91326b0569d56cd10d78664863e2335bb321a0c3ccc9e4169dafc0c1cfb4670d3a121a869e2495ff4dbb7359c5939657feeea70fdf78e225a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.th-TH.txt

Filesize
34KB

MD5
33d9536f956c49a9825cfc636781f5b8

SHA1
a07a6b4cdac215bd82b3dd60fe7c14212d3ff832

SHA256
c7499bd68e03c290410c922ec16598106fac759977e078cf4ba253a654038c69

SHA512
e07e377c544276dcc2ffb71ca83992e8108e2b705f35b79fd5cdd763080fb691899cc7d297441544143328c647794d6c786b39fc009f7624fa9b5c540032c402

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.tr-TR.txt

Filesize
21KB

MD5
5a57bbd06bfd79230199c07aa80fb45c

SHA1
82cc12ab0221630cec39182a7125577d5e016747

SHA256
2a47ae81633f9fe109437c94082b061c12678df940fd12657df76636521cbf52

SHA512
75e23950789f1fc636608edec070ed91a26d71eaf170474ffa192ec32a138a6abeb60e14ff02ffaef5220fec688cc3722c54bc74db686ba7af32cd3c83006924

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.vi-VN.txt

Filesize
24KB

MD5
4df1d1d860f9d70a4dd6719539e49cfe

SHA1
254bae1d7c07a8331835a41992a5689d98047851

SHA256
1a107ad7b1bc17620b3b0e1f6bb57a5d4cd7c9d37746af20cad4ff239a853e20

SHA512
6763652a82d3c14438a35b9d1d4118ede86aa89521eb274e93e651f816e408d030c1db5203c8ebcb9c19228a3285ba432a7df542e6cc5a79bdc7076f9fcc3c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.zh-CN.txt

Filesize
18KB

MD5
9af7a62bec8b388d89a5b4310667d8ee

SHA1
733efdbfbb220b1b17b2a314383fde5e9222caa2

SHA256
8b4f45850dbd2bc381ed994a5ae013b43f0a9fe2050a4d325a8e38f8625af8fd

SHA512
58a4fb6ba4177c55c0167952f5fc1450dd2d58c73123b284206123cc60b575f1464ed50959b66fa9ac0539ae86daf708e5fc3c217cb497b7c9b354c1273fa567

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0883E11C\Locales\i18n.zh-TW.txt

Filesize
18KB

MD5
27f2f8c6418e9aa8b0b101f9bf033126

SHA1
d8406da17c5e999c42a827d9e00faa2a00bbc476

SHA256
bcd66af27473fd51d7789f4a3a4b36e6f36ba3da379ddfe0abac0db4bcb1c51a

SHA512
5d3b0b5ae3086b8f320ee76c77a50e77aac3497591e91d28ad74fc19aa7a376cd44ca3389c57013719c63534e32d1348eea28b1d3d11c3d217f097069d73b94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\change_hover.png

Filesize
310B

MD5
57092634754fc26e5515e3ed5ca7d461

SHA1
3ae4d01db9d6bba535f5292298502193dfc02710

SHA256
8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1

SHA512
553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\installer_bg.jpg

Filesize
78KB

MD5
3478e24ba1dd52c80a0ff0d43828b6b5

SHA1
b5b13bbf3fb645efb81d3562296599e76a2abac0

SHA256
4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904

SHA512
5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\installer_logo.png

Filesize
14KB

MD5
e33432b5d6dafb8b58f161cf38b8f177

SHA1
d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a

SHA256
9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183

SHA512
520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\BlueStacksInstaller.exe

Filesize
623KB

MD5
f51cd98b34ad6b81081e1a017f5c45bc

SHA1
e734d4f3d81d517b2a2eafaf20310bc94a419207

SHA256
02ca17eaa0f8eec7e7d321756fd73bb8292f2de7f3585d567ecf6f56b4f037f6

SHA512
1b87f6b7c0ac1825a3bd76bebda7e90ebc8293b889a3f39a4513ce04800fcd516e5d8597db379275ed324afb5c7f868afb31d1c965922b434de6968c94c47184

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\Locales\i18n.en-US.txt

Filesize
19KB

MD5
0a041eb21be673b37a9a43f751d83400

SHA1
cf98837aeb730d05ec55252277d2ed41ef58f0ba

SHA256
708132b01a012c3a43a5a7e5550318f6fe72a98139bba7e4f5fb352b9e46db29

SHA512
476051e9cc528c8b72a1ff0aec6f9e05cce4e7069ff4af7e75558664f02a7018304a4d840e694ee811d08895b628da072b1c72b8f605e4212b75a84db66b8b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C38E5F7\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89A31BA9\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshDF8A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7E35.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7E35.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7E35.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7E35.tmp\nsDui.dll

Filesize
3.0MB

MD5
0c7ca87072902d78b4440ac52dbb3b7b

SHA1
2044cb9b7a7d732a32bf5521dbd2aa183c9a474a

SHA256
66150c3857df97ab104549c07596bb77dc59a7ab06b7d9e7f22c433c061a9c22

SHA512
64f26de14779a3220f79fdecfd7cf050fed21152923f20b54e0d690d2dbab8f6f7236a5a8e09ed91793aa437aadc5564ff36f2a9dcfeda36c67184f8a03b3d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi7E35.tmp\nsis7z.dll

Filesize
434KB

MD5
95f6f6ab9509bc366ab9215defe4251a

SHA1
e3f4a6effd6ca5838cfe91a01967cb72edcc7b0b

SHA256
a896a9ece055d334d431cd0f856113ab925d9ee86d2dee383c0bfbbef11a5b50

SHA512
a853f70d2ea7f384df99be067724bf3ca73c63f3c3573c112f5528fc86a96bd34509d934b038e2a81833f3abb3eedbc5894921291139100e01df6e35696c0ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\Network Persistent State

Filesize
615B

MD5
2f3bcca027a71e66a2654c0c3d9f48da

SHA1
ca79cfd5bac0dd4e065ac1912abaff199696224b

SHA256
97fb64000c707fcac703ef51b670913c6b334e3cd1c44e204622d4818a62c607

SHA512
e21bef05d8474c97829f17790a1468e2ef356fb7860dd1dbb02356ac92860c49bc1cbe00e3d583598c8c55885da02012f28352d61feea99716a7665a9880b03c

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\ba6cd27f-5e8a-46e9-ac00-18d7ec511f67.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
92B

MD5
bdcbb05f031b26e512e6fadda7a6395d

SHA1
165833067052a04dfb9aff062145e365e1e74e57

SHA256
bd5512c5c1bd25432e5aeb3a7ec3fcd4a93a71e11f954bf970bfe2f432ec8860

SHA512
dbf8328b63175842b2384381634ea8574780cf959313c2914a8c7943cd879994c77611d6596d8e3e1f594ecf61c912317899c3b657030979fea403dad723567e

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
1KB

MD5
2c205bda3575447d5f386fcfb6386e03

SHA1
6d298d1731dfa5feda632fcba9ca16d2e2022b9b

SHA256
3c5b4248a516294c7a72e0d73506cbd24057e367e6113c51edbd9198f41111ea

SHA512
d23c031dc8c7f74402ac805601d42e87f3e747463b7afb4a4d559b4b71755b6773ab65eb19a7f998aba3399900240afe1561bf53a267f6c0705596a2b15c7bf3

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
2KB

MD5
4c32a8a877aa48b13e57401dd509a08e

SHA1
a0fd2c705d4bcf82ec72f96dc706b9071bff65a9

SHA256
a57dfb490ef32277885e72a9dbf51137cb783cf3bb51456ce9b62b442b57217e

SHA512
965cb9fe41e75c8b38a10c88d82b66eb62b27eb0d9d70b852131b498a0380f96a85dc2fa5b5184c70b72dcbb2abf78784a76facb47992f16c056a98bfb04f282

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
57B

MD5
ae9dbbcd82f96e6ae2aeed109057d32a

SHA1
19a47102cdd58f83816b046275af7ae046333eeb

SHA256
b41c91b8d434bfe401c1a94e5b934f7da82a42090372c4e88286c6f0d85bc35b

SHA512
5f259bb2cc96c88f27d63093c5b84bf3771a45673e5fa55e5968cac0fe5b6d95a0188f6fa0f62e7b0974a6b86926ce9ec60fcc4d60b53e9d5fcc00278ad52840

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
119B

MD5
8f19d46fc68919a2762f7f514482096c

SHA1
49495355a9439900a167f90b8ad45e3d9f4844d3

SHA256
8f1f240d34dadbdc2f854173bbb91d33a782c93d0e45acc75b35e07331c1cf18

SHA512
f8dcf1aaf9094d28c589e78da1062fdff6459e5e3d956b1df82b5a2c5785d939c21c2ff2ec98cbfc99a36a7d1c6ce5303756db44d36902453d8ebe8c9f6f04ad

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-05462440045cfc31

Filesize
2KB

MD5
9698192e1773cae828ea674b99e1fd88

SHA1
476e92d5a4b6257be40115bcf2e43b7481a2d1a8

SHA256
554ac6249030e31f1c74b31a7c223b518733473bbf75031bf54575c0c15efa1b

SHA512
60d57b4de2e6e0a2cd74191007a2c269f257c0e1a13967055db994d0862bdd52563ed8d143b14bfeb9cc97ab2e128d81686806df3dd087e956ab95dd254ccb67

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-054628401067def8

Filesize
2KB

MD5
594ebc3b0b9e72a4c29abf9dcd595d90

SHA1
89e3635984e0ff85eb9d5ee1d3b5765fccf271c3

SHA256
550111e1dbeade1ab84be9b9309cf80ff3c41ad996ce52acf6911dd043378d21

SHA512
9ed4579c3b79e01af53c1ac459050678f90fb681fe4090e81d68d5200ffcfc61f27c2e06ed97b8813db6d1e3904708bb37c1dc8b1ddc56fec85ffb72f8e31e23

Download Submit
C:\Windows\System32\storage.json

Filesize
5B

MD5
75d803935059785011954267bdb0814c

SHA1
2e7c964d7f6d9abae2aee4bcfc2c3a64f9fb4b38

SHA256
1245552f1e44239aa0dfdc7aa0af24ac1e588d66abaee3ad10ddcb82a229f2ef

SHA512
6bd607670a9f1702c193f672802678e790bbf3fa385043c08f5eeea7ea7598ee20cc8660f36711e1ecce7c29090b505a938b5b4ab23d1bddad7d94f2c22f39e7

Download Submit
memory/408-156-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-142-0x000000001D840000-0x000000001D878000-memory.dmp

Filesize
224KB

Download
memory/408-125-0x00007FFE87C03000-0x00007FFE87C05000-memory.dmp

Filesize
8KB

Download
memory/408-126-0x00000000007A0000-0x000000000083E000-memory.dmp

Filesize
632KB

Download
memory/408-157-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-128-0x0000000002BB0000-0x0000000002C18000-memory.dmp

Filesize
416KB

Download
memory/408-155-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-154-0x00007FFE87C03000-0x00007FFE87C05000-memory.dmp

Filesize
8KB

Download
memory/408-129-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-152-0x000000001B550000-0x000000001B558000-memory.dmp

Filesize
32KB

Download
memory/408-135-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-140-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/408-141-0x000000001E5C0000-0x000000001EAE8000-memory.dmp

Filesize
5.2MB

Download
memory/408-143-0x000000001D810000-0x000000001D81E000-memory.dmp

Filesize
56KB

Download
memory/408-13398-0x00007FFE87C00000-0x00007FFE886C1000-memory.dmp

Filesize
10.8MB

Download
memory/2744-24749-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2744-24748-0x0000000000970000-0x00000000009C4000-memory.dmp

Filesize
336KB

Download
memory/3108-13236-0x00007FFEA5770000-0x00007FFEA5771000-memory.dmp

Filesize
4KB

Download
memory/3108-13235-0x00007FFEA44C0000-0x00007FFEA44C1000-memory.dmp

Filesize
4KB

Download
memory/5060-13149-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5060-13441-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5876-24577-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24580-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24582-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24571-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24581-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24570-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24579-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24572-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24578-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/5876-24576-0x0000018BAE670000-0x0000018BAE671000-memory.dmp

Filesize
4KB

Download
memory/6328-24747-0x000000001B810000-0x000000001B8F4000-memory.dmp

Filesize
912KB

Download
memory/6328-24746-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download