Overview

overview

10

Static

static

3

ReanProject.exe

windows10-2004-x64

10

Resubmissions

17-09-2024 18:57

240917-xmcmhazajn 10

17-09-2024 18:39

240917-xar7esycnr 10

Analysis

  • max time kernel
    33s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ReanProject.exe

  • Size

    1.5MB

  • MD5

    40a341513f036e4d5a356f70db6afb15

  • SHA1

    2bde15455a425f52fa221577c22db34f217a69a5

  • SHA256

    6858bca15eed33e61fdc4be3f87a0dfe63ccab54a659de551fcb5df52af060f4

  • SHA512

    2610c45c2683f4773238a99e674aba88d64a45ba3f6bb97a13fc763d13d778519727bcf6087d552d40ad80de2e7cdf23379970fc3ee90bb969fe3c9a0216aa3e

  • SSDEEP

    49152:CzS8CQJK7u2Bg76XDnjmj+e8PgnaADNAr:0SxQJK7XG6L8+e8PIaADNAr

Score
10/10
discoveryexecution

Malware Config

Signatures

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ReanProject.exe
    "C:\Users\Admin\AppData\Local\Temp\ReanProject.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Roaming\ReanProject\bluestacks.exe
      "C:\Users\Admin\AppData\Roaming\ReanProject\bluestacks.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\PMSfvDOp4bMoWBuUDDFKFsa.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\NAJnMTtNtQp6YRoMQ0Y3XZDYJKnU0fTOAfa5c5spQzAjX6iCI.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe
            "C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951/bluestacks_nxt/Bluestacks.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:412
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:232
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:468
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4520
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2848
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4884
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:452
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4236
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1132
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:624
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2568
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4476
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2248
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\layPRQ2iQf.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2432
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:5892
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4252
                • C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe
                  "C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SoftwareDistribution\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Bluestacks" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4292
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\Bluestacks.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4300

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      238B

      MD5

      c8557de570db17257ed426ffc2ea0a98

      SHA1

      c82dfb41e43734a3112f526dccc4e9b9e61018d4

      SHA256

      a56b977cf5f01e53c968fb4c0067f1e5797ba2b5180e40ef051ae518c6ed318f

      SHA512

      d37f6acbf2caecdc76c5c671a5a4ece6a65cd7749e4e4e4510e3f70977e755533cfbb837570916d68faeadbda9fcd1a586afbd79fb333260f724f6948b38e72f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      bd5940f08d0be56e65e5f2aaf47c538e

      SHA1

      d7e31b87866e5e383ab5499da64aba50f03e8443

      SHA256

      2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

      SHA512

      c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      2e907f77659a6601fcc408274894da2e

      SHA1

      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

      SHA256

      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

      SHA512

      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      a8e8360d573a4ff072dcc6f09d992c88

      SHA1

      3446774433ceaf0b400073914facab11b98b6807

      SHA256

      bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

      SHA512

      4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cadef9abd087803c630df65264a6c81c

      SHA1

      babbf3636c347c8727c35f3eef2ee643dbcc4bd2

      SHA256

      cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

      SHA512

      7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      aaaac7c68d2b7997ed502c26fd9f65c2

      SHA1

      7c5a3731300d672bf53c43e2f9e951c745f7fbdf

      SHA256

      8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

      SHA512

      c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqsbmw5w.52y.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\NAJnMTtNtQp6YRoMQ0Y3XZDYJKnU0fTOAfa5c5spQzAjX6iCI.bat
      Filesize

      108B

      MD5

      de4e36f99cbe930e00821c18f8c288c1

      SHA1

      4d6a0d1437f1c9bd4c9dfcb9c20946ecebf38237

      SHA256

      bbdb49ae619b6682362e2716011b7749e6d8a54cd5817a42299f774b41323c97

      SHA512

      d4ac2e72e2b651622c894c5853cff3cfd3d31e4dd8f2522d3d3f9ea51a449609506abed5a8e9d1d8e72768fb93c9a69325439c191a7c3e1a48dcc243eb6956af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\edge_BITS_2896_1048997951\bluestacks_nxt\PMSfvDOp4bMoWBuUDDFKFsa.vbe
      Filesize

      271B

      MD5

      63c111a2284dba9e6b768dad6bbdb9a9

      SHA1

      fbe6e265184162b23f4cbb0585c2516f8972af3b

      SHA256

      e2bda9ddb3fbb6b70c936a2398b6e1a42a7eb2fc52afdc68c1276554cedc4d15

      SHA512

      a348c8deb1992c541424d4764e8e804a7f3e4c068576316f2489a5381ef2d3a86c5914ef530e1a101b581db90f8e483b16fd6c6e299294a089eac6e68c11718a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\layPRQ2iQf.bat
      Filesize

      196B

      MD5

      7572ea21bcdda38f1d703c6758be5b79

      SHA1

      529405456d8d6ddb5815022d4a25b246605a5428

      SHA256

      e718e0cd9cdb52e9731b5c8ee06587bd0a60b7484d415e92dec75ae80769bf08

      SHA512

      44bfd33b6c2d823ca54f2648f4f31b91f0d48c7642f6327851d823dd5edd0abb7a0a63dee81f3db38d3156b1eb2cd66490e374128ba6d2043885dcaaa1ad5927

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ReanProject\bluestacks.exe
      Filesize

      1.8MB

      MD5

      38f724119c083a7ea8a0c57e24e8c8d6

      SHA1

      a9cc386dbc4a1bebbe36f868bff2b881343e7159

      SHA256

      e3203db8a66f69987adf8a03a6ecb492f746be4c8f2bee378b7727a1d730b54b

      SHA512

      a63e229c3e546be78208a16cb91df639fc41731c939cfd438e0e408c1af4f78f5c5556218272f902b52453255b5b638a6ccf4436c200dc42de538a2de7ab39a4

      Download Submit

    • memory/412-54-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/412-56-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/412-48-0x000000001BD40000-0x000000001BD52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/412-52-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/412-38-0x0000000000AA0000-0x0000000000CA0000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/412-50-0x0000000001390000-0x000000000139C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/412-41-0x0000000001380000-0x000000000138E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/412-43-0x000000001BD00000-0x000000001BD1C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/412-44-0x000000001BD70000-0x000000001BDC0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/412-46-0x000000001BD20000-0x000000001BD38000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1432-10-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-9-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-34-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1432-13-0x00000000058D0000-0x00000000058E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1432-11-0x00000000058C0000-0x00000000058CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1432-68-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-69-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-1-0x0000000000BB0000-0x0000000000D3C000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1432-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1432-39-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-7-0x0000000005C50000-0x0000000005C64000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1432-8-0x0000000006280000-0x00000000062F4000-memory.dmp

      Filesize

      464KB

      Download

    • memory/1432-6-0x0000000005B00000-0x0000000005C4E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1432-5-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1432-4-0x0000000005780000-0x000000000578A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1432-3-0x00000000057C0000-0x0000000005852000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1432-2-0x0000000005CD0000-0x0000000006274000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2848-90-0x000002997DB50000-0x000002997DB72000-memory.dmp

      Filesize

      136KB

      Download