hxxps://www[.]bluestacks[.]com/download[.]html

Analysis

max time kernel
200s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bluestacks.com/download.html

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7256	netsh.exe
7292	netsh.exe
7372	netsh.exe
8516	netsh.exe
8600	netsh.exe
8644	netsh.exe
8900	netsh.exe
5216	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BSX-Setup-5.21.580.1017_nxt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BlueStacksServices.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe

Executes dropped EXE 32 IoCs

pid	Process
4972	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
5264	BlueStacksInstaller.exe
5408	HD-CheckCpu.exe
5536	HD-CheckCpu.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
840	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
5408	Bootstrapper.exe
5568	BlueStacksInstaller.exe
6412	7zr.exe
6552	7zr.exe
5348	BlueStacksServicesSetup.exe
9576	HD-ForceGPU.exe
9628	HD-GLCheck.exe
9732	HD-GLCheck.exe
4536	HD-GLCheck.exe
9864	HD-GLCheck.exe
3620	HD-GLCheck.exe
9892	HD-GLCheck.exe
6124	BlueStacksServices.exe
2060	HD-CheckCpu.exe
9972	7zr.exe
2528	BlueStacksServices.exe
5148	BlueStacksServices.exe
7332	BlueStacksServices.exe
9900	7zr.exe
7868	7zr.exe
5564	7zr.exe
8460	HD-GLCheck.exe
8392	HD-GLCheck.exe
8436	HD-GLCheck.exe
8828	HD-CheckCpu.exe
5680	7zr.exe

Loads dropped DLL 64 IoCs

pid	Process
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\electron.app.BlueStacks Services = "C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe --hidden"	BlueStacksServices.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\storage.json	BlueStacksServices.exe
File opened for modification	C:\Windows\system32\storage.json	BlueStacksServices.exe

Enumerates processes with tasklist 1 TTPs 15 IoCs

discovery

Process Discovery

T1057

pid	Process
7080	tasklist.exe
7100	tasklist.exe
9016	tasklist.exe
7088	tasklist.exe
6432	tasklist.exe
6812	tasklist.exe
7588	tasklist.exe
396	tasklist.exe
5860	tasklist.exe
9404	tasklist.exe
9568	tasklist.exe
1164	tasklist.exe
6384	tasklist.exe
6804	tasklist.exe
9024	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BlueStacks X\7z.exe	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\BlueStacksUninstaller.exe	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\HD-Bridge-Native.dll	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\libagora-soundtouch.dll	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\Gallery\pre_disabled.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\hu.pak	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\meta_engine\libfolder_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\NowBux\NoResult.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\codec\libschroedinger_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libi420_rgb_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\HD-DiskCompaction.exe	7zr.exe
File created	C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\da.pak	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\back_hover.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\home_hover.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\MyGame_on.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\mux\libmux_wav_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\video_chroma\libyuy2_i422_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\CloudGame\TitlebarBack.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\Guide\BG.png	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Search\mini_and.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Search\mini_cloud.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\HD-Astcdecoder_SSE20.dll	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\NowBux	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\NowBux\Info.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\wallet\topbar_icon.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter\libcache_read_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\NOTICE.html	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Search\History_ButtonDelete_normal.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\id.pak	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\HD-Astcdecoder_AVX1.dll	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\cs.pak	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\Qt6Svg.dll	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\mediaservice	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\account\Choose_img7.png	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\sv.pak	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\access\libaccess_concat_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\plugins\codec\liba52_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\Qt5Compat\GraphicalEffects\qtgraphicaleffectsplugin.dll	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\translations\qtwebengine_locales\sk.pak	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libparam_eq_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\codec\libavcodec_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\Assets\installer_bg_blurred.png	7zr.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\HD-ForceGPU.exe	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\tip_ico.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\Tutorial\InstantPlay\Icon_title.png	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\audio_filter\libugly_resampler_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\imageformats\qjpeg.dll	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\account\Choose_img1.png	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\stream_filter\libprefetch_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\video_filter\libedgedetection_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\ta.pak	7zr.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\wallet\logo.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\aws\aws-c-http.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\Qt5Quick.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\Assets\powered_by_bs.png	7zr.exe
File opened for modification	C:\Program Files\BlueStacks_nxt\QtWebEngine	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\NavigatorForward_Click.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\image\MyGames\Shadow_under_those_cards.png	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\Marketplace_on.svg	BSX-Setup-5.21.580.1017_nxt.exe
File opened for modification	C:\Program Files (x86)\BlueStacks X\imageformats\qjpeg.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\plugins\codec\libflac_plugin.dll	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files\BlueStacks_nxt\translations\qtwebengine_locales\it.pak	7zr.exe
File created	C:\Program Files (x86)\BlueStacks X\image\TypeIndicator\MyGame.svg	BSX-Setup-5.21.580.1017_nxt.exe
File created	C:\Program Files (x86)\BlueStacks X\bearer\qgenericbearer.dll	BSX-Setup-5.21.580.1017_nxt.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5500	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BSX-Setup-5.21.580.1017_nxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacksServicesSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD-CheckCpu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlueStacksInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlueStacksInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon\ = "C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe,0"	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\ = "URL:bstsrvs"	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX	BSX-Setup-5.21.580.1017_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\ = "URL:BlueStacksX Protocol Handler"	BSX-Setup-5.21.580.1017_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\URL Protocol	BSX-Setup-5.21.580.1017_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command\ = "\"C:\\Program Files (x86)\\BlueStacks X\\BlueStacks X.exe\" -open \"%1\""	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\shell\open	BlueStacksServices.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\DefaultIcon	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	BSX-Setup-5.21.580.1017_nxt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\URL Protocol	BlueStacksServices.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\shell\open\command	BlueStacksServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open	BSX-Setup-5.21.580.1017_nxt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueStacksX\shell\open\command	BSX-Setup-5.21.580.1017_nxt.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\shell	BlueStacksServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bstsrvs\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\bluestacks-services\\BlueStacksServices.exe\" \"%1\""	BlueStacksServices.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 501149.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
4672	msedge.exe
4672	msedge.exe
4012	identity_helper.exe
4012	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5264	BlueStacksInstaller.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
5916	BSX-Setup-5.21.580.1017_nxt.exe
7480	msedge.exe
7480	msedge.exe
7480	msedge.exe
7480	msedge.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5408	Bootstrapper.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe
5348	BlueStacksServicesSetup.exe
5348	BlueStacksServicesSetup.exe
7088	tasklist.exe
7088	tasklist.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe
5568	BlueStacksInstaller.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5264	BlueStacksInstaller.exe
Token: SeSecurityPrivilege	5916	BSX-Setup-5.21.580.1017_nxt.exe
Token: SeDebugPrivilege	5408	Bootstrapper.exe
Token: SeDebugPrivilege	5568	BlueStacksInstaller.exe
Token: SeRestorePrivilege	6412	7zr.exe
Token: 35	6412	7zr.exe
Token: SeSecurityPrivilege	6412	7zr.exe
Token: SeSecurityPrivilege	6412	7zr.exe
Token: SeRestorePrivilege	6552	7zr.exe
Token: 35	6552	7zr.exe
Token: SeSecurityPrivilege	6552	7zr.exe
Token: SeSecurityPrivilege	6552	7zr.exe
Token: SeDebugPrivilege	7088	tasklist.exe
Token: SeSecurityPrivilege	5348	BlueStacksServicesSetup.exe
Token: SeRestorePrivilege	9972	7zr.exe
Token: 35	9972	7zr.exe
Token: SeSecurityPrivilege	9972	7zr.exe
Token: SeSecurityPrivilege	9972	7zr.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeDebugPrivilege	9404	tasklist.exe
Token: SeDebugPrivilege	9568	tasklist.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeDebugPrivilege	7588	tasklist.exe
Token: SeDebugPrivilege	1164	tasklist.exe
Token: SeRestorePrivilege	9900	7zr.exe
Token: 35	9900	7zr.exe
Token: SeSecurityPrivilege	9900	7zr.exe
Token: SeSecurityPrivilege	9900	7zr.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeRestorePrivilege	7868	7zr.exe
Token: 35	7868	7zr.exe
Token: SeSecurityPrivilege	7868	7zr.exe
Token: SeSecurityPrivilege	7868	7zr.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeRestorePrivilege	5564	7zr.exe
Token: 35	5564	7zr.exe
Token: SeSecurityPrivilege	5564	7zr.exe
Token: SeSecurityPrivilege	5564	7zr.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeDebugPrivilege	6432	tasklist.exe
Token: SeDebugPrivilege	6384	tasklist.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe
Token: SeShutdownPrivilege	6124	BlueStacksServices.exe
Token: SeCreatePagefilePrivilege	6124	BlueStacksServices.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe
6124	BlueStacksServices.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3620	HD-GLCheck.exe
8392	HD-GLCheck.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3528	4672	msedge.exe	82
PID 4672 wrote to memory of 3528	4672	msedge.exe	82
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2044	4672	msedge.exe	83
PID 4672 wrote to memory of 2576	4672	msedge.exe	84
PID 4672 wrote to memory of 2576	4672	msedge.exe	84
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85
PID 4672 wrote to memory of 8	4672	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bluestacks.com/download.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9984b46f8,0x7ff9984b4708,0x7ff9984b4718
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Users\Admin\Downloads\BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
  "C:\Users\Admin\Downloads\BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\BlueStacksInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\BlueStacksInstaller.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\HD-CheckCpu.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\HD-CheckCpu.exe" --cmd checkHypervEnabled
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\HD-CheckCpu.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\HD-CheckCpu.exe" --cmd checkSSE4
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5536
  - - C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.580.1017_nxt.exe
      "C:\Users\Admin\AppData\Local\BlueStacksSetup\BSX-Setup-5.21.580.1017_nxt.exe" -s
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5916
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\BlueStacks X\green.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3948
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c green.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="BlueStacksWeb"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="Cloud Game"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="BlueStacksWeb" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\BlueStacksWeb.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Cloud Game" dir=in action=allow program="C:\Program Files (x86)\BlueStacks X\Cloud Game.exe"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:7372
  - - C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe
      "C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe" -versionMachineID=e3cdd246-2eb2-4bfc-b956-c42cfd868cd8 -machineID=88272f6e-7114-4523-bf3a-b14fc78eeef8 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Pie64 -imageToLaunch=Pie64 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.41.580.1012 -country=GB -skipBinaryShortcuts -isWalletFeatureEnabled
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:840
    - - C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\Bootstrapper.exe" -versionMachineID=e3cdd246-2eb2-4bfc-b956-c42cfd868cd8 -machineID=88272f6e-7114-4523-bf3a-b14fc78eeef8 -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName=Pie64 -imageToLaunch=Pie64 -isSSE4Available=1 -appToLaunch=bsx -bsxVersion=10.41.580.1012 -country=GB -skipBinaryShortcuts -isWalletFeatureEnabled
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\BlueStacksInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\BlueStacksInstaller.exe" -versionMachineID="e3cdd246-2eb2-4bfc-b956-c42cfd868cd8" -machineID="88272f6e-7114-4523-bf3a-b14fc78eeef8" -pddir="C:\ProgramData\BlueStacks_nxt" -defaultImageName="Pie64" -imageToLaunch="Pie64" -appToLaunch="bsx" -bsxVersion="10.41.580.1012" -country="GB" -skipBinaryShortcuts -isWalletFeatureEnabled -parentpath="C:\Users\Admin\AppData\Local\BlueStacksSetup\BlueStacks10Installer_10.41.580.1012_native_1097447614da6bce58b50b94b340a79d_MzsxNSwwOzUsMTsxNSw0OzE1LA==.exe" -md5=1097447614da6bce58b50b94b340a79d -app64=
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\CommonInstallUtils.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\" -aoa
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\QtRedistx64.zip" -o"C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\" -aoa
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-ForceGPU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-ForceGPU.exe" 1 "C:\Program Files\BlueStacks_nxt"
        7⤵
        Executes dropped EXE
        
        PID:9576
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 1 2
        7⤵
        Executes dropped EXE
        
        PID:9628
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 4 2
        7⤵
        Executes dropped EXE
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 2 2
        7⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 1 1
        7⤵
        Executes dropped EXE
        
        PID:9864
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 4 1
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe" 2 1
        7⤵
        Executes dropped EXE
        
        PID:9892
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-CheckCpu.exe" --cmd checkSSE4
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\PF.zip" -o"C:\Program Files\BlueStacks_nxt" -aoa
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\QtRedistx64.zip" -o"C:\Program Files\BlueStacks_nxt" -aoa
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9900
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\PD.zip" -o"C:\ProgramData\BlueStacks_nxt" -aoa
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" x "C:\ProgramData\Pie64_5.21.580.1017.exe" -o"C:\ProgramData\BlueStacks_nxt\Engine\Pie64" -aoa
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\\HD-GLCheck.exe" 2
        7⤵
        Executes dropped EXE
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\\HD-GLCheck.exe" 3
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-GLCheck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\\HD-GLCheck.exe" 1
        7⤵
        Executes dropped EXE
        
        PID:8436
        
        C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall delete rule name="BlueStacks Service"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8516
        
        C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall add rule name="BlueStacks Service" dir=in action=allow program="C:\Program Files\BlueStacks_nxt\HD-Player.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8600
        
        C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall delete rule name="BlueStacksAppplayerWeb"
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8644
        
        C:\Windows\SYSTEM32\netsh.exe
        
        "netsh.exe" advfirewall firewall add rule name="BlueStacksAppplayerWeb" dir=in action=allow program="C:\Program Files\BlueStacks_nxt\BlueStacksAppplayerWeb.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-CheckCpu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\HD-CheckCpu.exe" --cmd checkSSE3
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8828
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c "sc.exe delete BlueStacksDrv_nxt"
        7⤵
        
        PID:9152
        
        C:\Windows\system32\sc.exe
        
        sc.exe delete BlueStacksDrv_nxt
        8⤵
        Launches sc.exe
        
        PID:5500
        
        C:\Windows\SYSTEM32\reg.exe
        
        "reg.exe" EXPORT HKLM\Software\BlueStacks_nxt "C:\Users\Admin\AppData\Local\Temp\oaq140lv.3hr\RegHKLM.txt"
        7⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\7zr.exe" a "C:\Users\Admin\AppData\Local\Temp\Installer.zip" -m0=LZMA:a=1 "C:\Users\Admin\AppData\Local\Temp\oaq140lv.3hr\*"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17036668370310031421,11228333824808327448,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5216 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:744

C:\ProgramData\BlueStacksServicesSetup.exe
"C:\ProgramData\BlueStacksServicesSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7132
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7088
- - C:\Windows\SysWOW64\find.exe
    find "BlueStacksServices.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7080

C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
"C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --hidden --initialLaunch
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6124
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1724,i,1508148425156125603,2224675423393223177,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\system32\cscript.exe
  cscript.exe
  2⤵
  PID:4180
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --mojo-platform-channel-handle=1996 --field-trial-handle=1724,i,1508148425156125603,2224675423393223177,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5148
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:920
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKCU\SOFTWARE\BlueStacksServices
  2⤵
  PID:4188
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:4604
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regPutValue.wsf A
  2⤵
  PID:2660
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:3632
- C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe
  "C:\Users\Admin\AppData\Local\Programs\bluestacks-services\BlueStacksServices.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\bluestacks-services" --app-user-model-id=com.bluestacks.services --app-path="C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2656 --field-trial-handle=1724,i,1508148425156125603,2224675423393223177,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:7332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6092
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:9568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:9404
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:9220
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:4908
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:9632
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:9728
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:9780
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:6072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6340
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6328
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6432
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:6548
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:6620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:6676
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5600
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:7100
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A "HKCU\SOFTWARE\BlueStacks X"
  2⤵
  PID:7036
- C:\Windows\system32\cscript.exe
  cscript.exe //Nologo C:\Users\Admin\AppData\Local\Programs\bluestacks-services\resources\regedit\vbs\regList.wsf A HKLM\SOFTWARE\BlueStacks_nxt
  2⤵
  PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:6904
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:6804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:8936
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:9024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:8940
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:9016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq BlueStacks X.exe""
  2⤵
  PID:5796
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq BlueStacks X.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist /FI "IMAGENAME eq HD-Player.exe""
  2⤵
  PID:5752
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq HD-Player.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BlueStacks X\BlueStacks X.exe

Filesize
479KB

MD5
9063a25772a72c2b97519f6cfbf18001

SHA1
973f17a935fad003d8965ae36ff08dadd32ad366

SHA256
a5b4faf41eb40438f83c2629d71456fd7aab3f36ea863ae9476936f30da6c9d7

SHA512
697431101835522017bc3304cada539986531aa9e335eb2fdbeb6cea10a34729dc2e9da4466c071cedb16da1c6b65b14a72fa4a43179d583038f054078d7a5a2

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_disabled.svg

Filesize
569B

MD5
e7fdf6a9c8cae1fc1108dc5a803a1905

SHA1
2853f9ff5e63685ebb1449dcf693176b17e4ab60

SHA256
8ee5aa84139b2ea5549f7272523aeb203d73954c5ccdcf6f7407bf1a3469f13e

SHA512
a6388b24926934e20ccf7fcab41bd219dc6c0053428481d7f466bf89f26bf1a36fdff716a9ddd9ab268df73b04dff1449c6bac1f5c707e31ae2ee71c2087e0d9

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_hover.svg

Filesize
653B

MD5
76166804e6ce35e8a0c92917b8abc071

SHA1
8bd38726a11a9633ac937b9c6f205ce5d36348b0

SHA256
1bca2e912184b8168ee8961de68d1d839f4f9827fde6f48ab100fb61e82eff90

SHA512
93c4f1af7e9f89091a207ab308e05ddd4c92406c039f7465d3b8aca7e0cc7a6c922a22e1eee2f5c88db5e89016ef69294b2a0905d7d6a90fd32835bc11929005

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_normal.svg

Filesize
569B

MD5
3221ac69d7facd8aa90ffa15aea991b0

SHA1
e0571f30f4708ec78addc726a743679ca0f05e45

SHA256
92aeae68e9e0973d9e0dc575941f1cb2e24afd0574341a46b870be7384eaa537

SHA512
5e2de0abfe60a4db16ea5e8739260c19962fbfc60869a77bde6ab3547ad8ee3ad88e74e97da31fa23be096afddad018e431d152d6d0fa21a75357a11dacb1328

Download Submit
C:\Program Files (x86)\BlueStacks X\image\LocalAPK\close_pressed.svg

Filesize
653B

MD5
dfddf8d0788988c3e48fcbfb2a76cd20

SHA1
463bb61f0012289e860c32f1885a3a8f57467f2e

SHA256
9585f41eb6202e89f2087266fa31852d7f41ca8cc659b907c96753fe165f937d

SHA512
e708c5114c60f7574589d6a56c9faedda26ee4a40f0eeb25f5e12eadcf790f24fdbf393fa0aa6ad449b5337d625b092d6f8822472fa8a6ce1339aca59c50c3ca

Download Submit
C:\Program Files\BlueStacks_nxt\7zr.exe

Filesize
812KB

MD5
fbaba140f30a11e5ff4f97d921de6d45

SHA1
d12360b79d9fe7ddc5380a22539dc7d4768ff5f3

SHA256
4889c0826c633c0291264d37834363be90ee39d07fcea228494ed151386dcb16

SHA512
cd18bb1b057b1b077fde372ca5f98701614b196b692ac42ec56e5b839535022d884a2cd9b6bf644a520c6f48f12f673574a24e60580c70c695067b66442ea7a5

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\checked_gray.png

Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\checked_gray_hover.png

Filesize
412B

MD5
ea22933e94c7ab813b639627f2b38286

SHA1
c5358c5cb7fb1a0744c775f8148c2376928fb509

SHA256
d7c79677d2ef897fa0ad1efc90e916c46da29f571208f78f24505603b7165c20

SHA512
ba447a1aedec49419e2b4a8de85c6047886f1a5ebb94f1c45e205a3780c6826f412a3892e97115b35e43839f43e346f3c72ffbf0c57d57f6d26b360ae61b3964

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\close_red_click.png

Filesize
15KB

MD5
6db7460b73a6641c7621d0a6203a0a90

SHA1
d39b488b96f3e5b5fe93ee3eecb6d28bb5b03cf3

SHA256
d5a7e6fc5e92e0b29a4f65625030447f3379b4e3ac4bed051a0646a7932ce0cd

SHA512
a0e6911853f51d73605e8f1a61442391fad25ff7b50a3f84d140d510fd98e262c971f130fb8a237a63704b8162c24b8440a5f235f51a5c343389f64e67c1c852

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\close_red_hover.png

Filesize
15KB

MD5
5ceab43aa527bc146f9453a1586ddf03

SHA1
88ffb3cadccb54d4be3aabf31cf4d64210b5f553

SHA256
7c625ae4668cc03e37e4ffc478b87eace06b49b77e71e3209f431c23d98acdd0

SHA512
8a5c81c048fb7d02b246ed23a098ae5f95cdf6f4ca58fd3d30e4fe3001c933444310ca6391096cfaeed86b13f568236f84df4ea9a3d205c0677e31025616f19e

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\powered_by_bs.png

Filesize
9KB

MD5
7a2e5c21140aa8269c2aafd207f5dbaa

SHA1
4e0d9e7e1b09e67eba10100d73dc51623517821e

SHA256
3d2afe5236ec813d9e8063bc43eb34b88c2155784e1bce19c6a533c32767af35

SHA512
63f512559f2068a9702c7c527c126f6017cd8d1d16af52e41b884aa9a64ff4294a57243ec78c3a416f70fb6178a79877d68345357725ff92c935709a2ef8adde

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\unchecked_gray.png

Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Program Files\BlueStacks_nxt\Assets\unchecked_gray_hover.png

Filesize
176B

MD5
62d7f14c26608f8392537d68f43dece1

SHA1
add4f30e7c3af4f7622e6bc55d960db612f3bb0a

SHA256
a631e26bd5b6ea19c8c65b766a056c92ba8a47e1483768dcf12b05293c9a7a0d

SHA512
e41210a78e6076954f75a2f73c0f7628e8604a09ecbb1d2ee0972741d4ef1d814b366828977c02944736b03ed116bc559a2ae47ddb7cbc6f4e54578c8263edf4

Download Submit
C:\Program Files\BlueStacks_nxt\BlueStacksUninstaller.exe.config

Filesize
392B

MD5
ca0a329097316832e4a6ea5d870c9268

SHA1
4a36b93361d3dc9df9b00313f2c2b394be9e1e72

SHA256
4b7df915d706af6459c38d75b09c5e14f951842ae0678078400f204ad1c7a7c2

SHA512
51f9a874e84f130be4fa29fcc4bc934105318234b5dd9ceedaf569e3f0e6b38e29f3bec056044724476ae24295a510b16d8a737b994fd6f1268609defa315271

Download Submit
C:\Program Files\BlueStacks_nxt\HD-ForceGPU.exe

Filesize
169KB

MD5
456729be55744776e175ede83e591a63

SHA1
4479fe3ec05bf5bb128c02f570355c09a8eae044

SHA256
ececf497383978c59a7a181a4618bf7e75dd21567d4e609396864357a4ca3b08

SHA512
f2f0e20db036a0e826abc52ea03273509bfe6651a89c418a477710dab2fe33c47f9ce9ba8e70c51cdc11a6eb0848eb75ae06e3fb5a515b8caafe3caf86ee8b44

Download Submit
C:\Program Files\BlueStacks_nxt\HD-GLCheck.exe

Filesize
223KB

MD5
62d951d77febc7d4af2bf3000812bf09

SHA1
ad40be18be2445131e1223555de2c43a0df01090

SHA256
b35b5de6cc0a72fbf7176e5fc7f9457f46001330fa69dd172762d6fb0f7872f2

SHA512
45e2ee6e28062017f3daeabf8aeb3c2a14baea530a2280150dcf61f2c8f642011689bcaa8b21a5e0e6efc19552ab1948e8f47f75556d4b4489bd3f3ba9ff6b2c

Download Submit
C:\Program Files\BlueStacks_nxt\ProductLogo.ico

Filesize
131KB

MD5
169706218f98a42594a8c5c5a65771fe

SHA1
b8ded94180212578d86a031eb71ef93dcffe1a26

SHA256
3803045963af064936d7071c178de8e40854968b3d3f9171c57a182c869f3697

SHA512
1c3f18ed0a24ffa78fe938826eb88531eb8be134d6f209b87d7af5d0e8c4829f01947d7b0048996b9755562bbb7f52e000bcd15d07d646cacb2989ac881ce448

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\exit_close_click.png

Filesize
447B

MD5
b09525b48c0023f893d6b64d06add4b1

SHA1
10ecd439ea04e02eefe17f6c110d0c0a78a1db21

SHA256
caa2a8fe9b282939a21b86f8f61fb0c9452222cc3409f06cbb0dcc45613aca8e

SHA512
c6f5a7014c24133eb576708ca17d15becf2b45ec278b3f94e5275e47c78cf0f2eb8bb1a17d277d1a665039f38f2e25faf830e275f426b0a94c6a3da096b6204f

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\radio_selected_hover.png

Filesize
577B

MD5
47ff3e4cc15b8c4a07e3ceb6cb619b62

SHA1
0318e54c613b8ff00f54d843e90ef88310c1a96f

SHA256
4786cfb7c98edcf01d6b670abf19c50891d56a4de87b96a5e17be142b1af666a

SHA512
0212bd7f6cee390d3bc221a22189b75407fa660a0951c7f768645bf97e7b61ee86fa9b1de6f546ff1151560dcb3b071db8c14a7b08b0e771b539a817b31b154e

Download Submit
C:\ProgramData\BlueStacks_nxt\Client\Assets\radio_unselected_hover.png

Filesize
480B

MD5
22efccf38e15df945962ac85ac3aa3b7

SHA1
b94a8615dc92982e1637680446896080f97c2564

SHA256
0ec39ed4bf89a341f1b5aea56d0e99ff5c923b9c3a6a81adeb9ff21764136f92

SHA512
41a4dbb57abed1a16aa84c72c202da461ca45cbaf68f69a10cb3e5529e8dff659e89f7f4459d1e2e8f3549c6fd51f23fc8422f86667577ebed5ab5df149c79ee

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.ar-EG.txt

Filesize
26KB

MD5
7dc7a16b5e42818c9249db888ca17075

SHA1
42f6b065b90017078fca7161cc4c26ae530dfbdd

SHA256
e696f4f231acef534d62ec9d99a3f4fc7b74a1c1deb3f9bbbeb4e94194bd9747

SHA512
f2706e0bb348a691d3cdc9d05ff4f71979804628547a41386aab068b008fe4933b8689500b5e45abf6afa6b6f1db3024ade2846659b2664b37b724fac5416a74

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.ar-IL.txt

Filesize
14KB

MD5
9fb07e066cc2f213a64d35a97a8c2922

SHA1
a70db989f5c562bc69caad89a1402c8ad7c9b80e

SHA256
65e7b0f37b5e2aa805ac8d57969804d803430186f34e9703ca9fa09ba908ef90

SHA512
81680bff55b475a62a4bf29a8c219230b84894c1165f60e372209a5aacdba8e4819c3dfb76f3b55c15d472ababeabf0cd4b30c04e7daa26df63c8a5101970c3c

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.de-DE.txt

Filesize
22KB

MD5
defbcf66edf5e18b0b13c8062fdfeff8

SHA1
8c807de19b131831b72325455f1bcc3ead0a09cb

SHA256
a9d87275086fd2d700d588f45c3121eb6a75c64a2e6c4a8714a61032403cdb03

SHA512
a30e142679e942932d82fb8179a9f8ca2cd5882577de64e8e4c38eb84c99e359235346c35b6237133159288261b0f6e9032dc6b14f512e2a431f093187e1447a

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.es-ES.txt

Filesize
22KB

MD5
412ce0feb5a656c908775da52043c31d

SHA1
54a35431dc77d66fde2c828f10372142926b4c47

SHA256
7db48c44d717c50011a2fe2d8f5eb0214c817c7eef5bf1f656feb70270a53458

SHA512
2209d911c91d21ceb44a8e9375fefa9b5ea55cb800f49f709a7baaa56d52a94f5711fce850d880394f6ae78d23d0e3f1a5727514b970f940d0b670e2e978a997

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.fr-FR.txt

Filesize
23KB

MD5
2625613573f48fa7eaa813d7fc16b63c

SHA1
a57a1cd71dbf2dbabe8bc873839adb2005f54c7b

SHA256
08062a8ae430d89af04c9d090506dd6e380490387eb2909f356a47c01540b271

SHA512
8a443771fbea7708479412c5d6c336e5e74745e097118712fbecc279277ecc2ff693ddc8e576f91c6b61ff658d7a576cd37c5b084d5116bc9606434fbfc4222b

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.id-ID.txt

Filesize
20KB

MD5
7e8631459def09a456900fa9d3cba360

SHA1
b5204153e26b303598c473e7e92b01a87818787f

SHA256
9620d50148651dc75d3741eb12a8a23fbdeb5efc29f1be24842fc37d01b71f8a

SHA512
f813863475538f763733b0668f3b5cd7d4b6f7132c1a9df3b4665907fe6280d6d8c9dd4f6e3e06bfee7f90a2a527f7cd66bd647f08b8203664395f31321cf84b

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.it-IT.txt

Filesize
21KB

MD5
444e991f12d84ad04baf6c8eeccc7a9d

SHA1
f4bec5e01161d6f5cc9107f2cba325cc9b0ef325

SHA256
4b1f6e0fbc834a783ab8230e678bfd1506ae6c18b0ac0a5bef1d8344b5b2531f

SHA512
ff61397322d86f36a225e9be7444c643e2760a556311c97b230583b0b2788208d11f723e500c3d291d55d076b5cb0a52d92b50a8b1fdfe348fd61341b915f855

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.ja-JP.txt

Filesize
25KB

MD5
cb5797745966bfbded96d28cf53e2f93

SHA1
1cdc380338f076c608a4143cb685e4cab2bee916

SHA256
25fbeecfbeec0b2a8ad45f8b7da31c4eb6fdbe413f46e75f40cd22d874c8f7c3

SHA512
f42ef0a3566f02a4487daf50725c186a0cd8c03850c569eb0cf4134ad2c2004135730ff8f672207bf12837980fe722c4581bb0c6c1eea5dcc9014da5719901b7

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.ko-KR.txt

Filesize
22KB

MD5
299768cf839ca0926344233731549181

SHA1
773aa661c5bbc1a92a41b2f02e59bf1d78b4b142

SHA256
883cf4af6b2124bb70f51d683c7a1f4b3cecccc4ea61163b8c4ea967155ea839

SHA512
0de4317aa9139b415d4d10aba7f64cbfe39f0417e2d19dd8e69ada7d0915a81f71be242caebf5e019a2638d6d0457c042493c80ea0d24c2dd43c18bfe76dd2c2

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.pl-PL.txt

Filesize
21KB

MD5
c61810a689ad52145f3b644b3e4b01e9

SHA1
ee7f7229aeea4a0ec6e18805b69d0ff928afbf87

SHA256
c5cdf3696ccd6e3e600483836c81b290e5270984fd7ca12becafedea42cd64e4

SHA512
79dcf55c6ac864764fa4c614667053c99cd37f408b2b573ce18077fd09ba70877b3cbbd1f57b680ba6e9b5ed5a4d257f11d12c67a0b56dc9a099bf2584e0c393

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.pt-BR.txt

Filesize
21KB

MD5
f7ec10775c6fa5d5ab49531ec7910ed4

SHA1
9d3b8f8474328725097de234a961b32b2e1dc9ba

SHA256
909f5b1bbfd2cc1779dda1bf4f481c1d6ae1e1af3d9902c1518a535962860668

SHA512
d7d8ea4c15d54d9e4a2b75e4962ac9b81a316d23803c64c8925ffe6348b200fe21d445c6a0b0bd1a5b0a7e413bd5f5ad8935ee15cc56485886a5f4b29e51963b

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.ru-RU.txt

Filesize
30KB

MD5
a7748f70870a0f2cf2e5804d05f433fb

SHA1
ee74469bbfa6e5d04043dae2a2cdec1a777c5b28

SHA256
f74bceefe2a7e7d39650128096f9b97aca5e929fa67e451bfa8238d7b90cea34

SHA512
122025652c05ba9336b339db79b925b781862a635cdb0c8d5db0adacfeb6e0e43ef85c283d417f119d8622640d0ed15cdc6d915749ee3cc1a4f89b062ae71075

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.th-TH.txt

Filesize
35KB

MD5
bfb84603722e804e4697a52285b867b2

SHA1
5840e5e93319f981dc0f6df4c7d7be23547f6655

SHA256
98f156d8184c10d504189eab0077aeac8687e1d6714d0bb228704d660e01446d

SHA512
e26cc6ab7087a252471cd6233e3baa9d9a66c0a7a0b3703987b31ff4f91f89d00854d8d970f3090b2d90155d5eb5f724a096badddbc6a4dca7dd1a53fad6ffd5

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.tr-TR.txt

Filesize
21KB

MD5
2ddee14b7986e234a208189d650a2e4d

SHA1
ab60bc9393258e556c7ac20a8d68f632ad44ea6d

SHA256
fd9c690e597fc7d8b3bbcba7e39816087c424227f89bf3107da7d16d444fb3dd

SHA512
116d06a37e836d4f48b59aa9cf4164e1ba4abc081e62adfc6f3c8d112f46b57c060381dd2fc361fb83a162ab12f915408df193bdac405490e3014bc0effecc9c

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.vi-VN.txt

Filesize
24KB

MD5
2ffe813470cfedf7384207e61dabf1df

SHA1
1673c446a89a41afff299acd0f74b4df65cc29c1

SHA256
e666975aa6894c7d5230eb44a6ee85564cac7a51188ed05b77059beb60545ac1

SHA512
3288001e68c5533ae092460d7bcb20ca42c37c04fbdfd412c1046ba41f0582ca3a135f136303125f680165c401536b9bacf6d6435e10ec1477d7f9b45942c34c

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.zh-CN.txt

Filesize
18KB

MD5
1eee99faa98b0385fd8077acdf53e81e

SHA1
3191f6c03d6fd3b4db1944e3e7b3a8b85ef20dde

SHA256
7d245f9271426eb08f976a83e8b229e9a830f51674e47b6bfc2181716ec0ecf5

SHA512
d2c116c7c56d7fd6154c2ab856adccba5848ba1fe1ce5ae38fd740e388cae77f095feaf90d4161527a4b3c99c129374156f85033c18f3293defde33f78708691

Download Submit
C:\ProgramData\BlueStacks_nxt\Locales\i18n.zh-TW.txt

Filesize
18KB

MD5
3ab7d825111b89950d8ca4b3da1c00c1

SHA1
cdf4ec4344598ca9593665465497d370a35aa178

SHA256
dd286cac4e14fe69877e4c2f35eab8352de125f7dc757f47e4fc8329572460ce

SHA512
ac0c2dfc6a963a88657304c83d9f00cdadb5735f208571e72d43c410d767ff6c2cd05c4fcfeb5d4c7f8882e079608e8eeee8b1aea1e2cb6442f78cafaa8ffd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1ef69a92-34b0-42f2-857a-bbca26f2117d.tmp

Filesize
699B

MD5
287bbdd797c474f280f05fccfae9b78d

SHA1
9cf2ebcd6be4f0e76060971f38c559eba8a5ae75

SHA256
8d923b5d11ad61854bd37a143d0033e0f31a9f683e952a390bb11cbf296e289b

SHA512
2a038ac3765f3cd33c246ed16e6dc45c3a55e3ae625fa83aaf7125217946ff8d84c097775846e9cb7633501d0d961046bcb1e849c185c903513edfbb0386df7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
31d95f5da70c4c1529106c2c801fa47f

SHA1
8e413eaefc51bf1828c879ea329097fd1d292c33

SHA256
1d043f1f5eb519850e28b416dd6d739bdcdf06084c77391da08a810fd573cc17

SHA512
a058f5dc9f41ad2d53c50eb35fe1aaafea151bb1a635e064a6466cbfec6cae7e180449211ed6ad7b4f0585f161d785038d10e36801d7fe54b083d46a6f80e783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f3f611a52c75ddcb993b58f05eeacf1f

SHA1
dd80bfae75dc0510d9cc39f6ff807117e80617f3

SHA256
ed792f6ab9318846af9592d18b48b2e94891c413f714492b2da04fffc583e56d

SHA512
25e28b03cded107994f78a6c9198babfd050eade231c594c08bff3323ad8e88ea32471c2d6e922350c4282ef4f699eb94779def5ecf1cc0bc827a4c7286950db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29e86b5ba228158d91f3d0cf33810b4f

SHA1
bd04352431a0a5b727368989ff960688d6579c2b

SHA256
665cc584992a9a4595b616b877dd97ebeab7147b90ebddf86356f3bb01925b85

SHA512
faef6ebaeb6cfe5b3efb077527ff08d915eb885186df1a7f186e53e97bdcad1d13582a2fe25086ab64094e633c35149c9ba622e7ea867b236c78ebb595e5fcbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de1849a111680f01b2d74facdee8cd4c

SHA1
64180169aa6f7fb91ebcbaa420bccd2661c592a2

SHA256
1f61db3b96ec81338db6227642c6fd51b8ef6801f30682f5028da522e0b00608

SHA512
7a18f01a5cd0dcab1fad6db68009d89ac78fe7187c0747fe746ddb2192c6b01a17d2bc153c08219b782d94b799db76494cdf099dc01b7236c8d876e72dbac849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e96f7e91b358967f3b7cd4b6c80215f8

SHA1
5b6dd9ae33fcb57f5dd5e1b0b297950e842eccaa

SHA256
277b18d79fd0b912af205a3f128f53cf823884051f67d48ede70a7f984cae235

SHA512
6e9a11c0071b19ddec9752d0502f337fc5135df775e97f5e6b4fdfcd3d6ab9764579b5b9399d1ca09b76578db263f339b08baca39eced8b6c9cb0e200474c568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e5cc.TMP

Filesize
371B

MD5
1fccf378450b5724a0c64462a0218e0f

SHA1
8352c2fc7989a142776563a99b81d230bc359ffb

SHA256
3c6e54eb35d4649378111b22f38b7f2c42d5c99a88c5eea43f8f89e749e72d14

SHA512
2525414775147034503930543559c33cb86a7123fffeae7f39623711073a57c8a6e6816e11992d788b4d0508b8b0362941a2ed382a0d17e7e05a33eaee66921c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1956a47fc86e0580d612cdd09f5dfbfb

SHA1
1ec239435373c709fb3872128f992e0b72855724

SHA256
44336f4b59dea7539f6860cd947995526ba7b7907180cb5ca7244f3d60b8935c

SHA512
d5eef5aa5d37f1417f7290ef7db7d7c786d12c1f65a975d432a6937611454c956dbe5f5c1fb30c05f600e3b089897d259a1ff58b4370164ea513aee67f1090ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ad852620523bbdb695f850c2a5b5fe6f

SHA1
f08a8eacab5c6a87a7bf5c9bb18e9caf02747cb4

SHA256
9f130409b3258d59b9815a60b943175591d974d6072f3b7e2f19901dd3164311

SHA512
c4c2434624250353a160958e0d33c83f239d37217212433bc319e1bc481c35fc560ef77ce91f1e4a4d7cb1b4187a4b4556ea8f99f6063f3ddd9a34258fc6dfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\Assets\exit_close.png

Filesize
670B

MD5
26eb04b9e0105a7b121ea9c6601bbf2a

SHA1
efc08370d90c8173df8d8c4b122d2bb64c07ccd8

SHA256
7aaef329ba9fa052791d1a09f127551289641ea743baba171de55faa30ec1157

SHA512
9df3c723314d11a6b4ce0577eb61488061f2f96a9746a944eb6a4ee8c0c4d29131231a1b20988ef5454b79f9475b43d62c710839ecc0a9c98324f977cab6db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\Assets\minimize_progress.png

Filesize
212B

MD5
1504b80f2a6f2d3fefc305da54a2a6c2

SHA1
432a9d89ebc2f693836d3c2f0743ea5d2077848d

SHA256
2f62d4e8c643051093f907058dddc78cc525147d9c4f4a0d78b4d0e5c90979f6

SHA512
675db04baf3199c8d94af30a1f1c252830a56a90f633c3a72aa9841738b04242902a5e7c56dd792626338e8b7eabc1f359514bb3a2e62bc36c16919e196cfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8434E6F9\Bootstrapper.exe

Filesize
153KB

MD5
9ec0358d06315158e7c1b70b992512a6

SHA1
6b28a0f86b9f5e6fdb8e178e4259dda8c8eb39f1

SHA256
dc75be84836e90f14dc37733f2c8d3a48cbc9f987f956eca43d2940358f463f6

SHA512
87aea203564dfc72d4837f5b6801a3ec9eb0448e0c3577bf768bcaf56ef87f706eeb552042946c22f1daa1b5772c11342b0ef96a44dd2f892f3e66f7c0d8bfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\backicon.png

Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\change_hover.png

Filesize
310B

MD5
57092634754fc26e5515e3ed5ca7d461

SHA1
3ae4d01db9d6bba535f5292298502193dfc02710

SHA256
8e5847487da148ebb3ea029cc92165afd215cdc08f7122271e13eb37f94e6dc1

SHA512
553baf9967847292c8e9249dc3b1d55069f51c79f4d1d3832a0036e79691f433a3ce8296a68c774b5797caf7000037637ce61b8365885d2a4eed3ff0730e5e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\close_red.png

Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\custom.png

Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\installer_bg.jpg

Filesize
78KB

MD5
3478e24ba1dd52c80a0ff0d43828b6b5

SHA1
b5b13bbf3fb645efb81d3562296599e76a2abac0

SHA256
4c7471c986e16de0cd451be27d4b3171e595fe2916b4b3bf7ca52df6ec368904

SHA512
5c8c9cc76d6dbc7ce482d0d1b6c2f3d48a7a510cd9ed01c191328763e1bccb56daeb3d18c33a9b10ac7c9780127007aa13799fa82d838de27fbe0a02ad98119d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\installer_logo.png

Filesize
14KB

MD5
e33432b5d6dafb8b58f161cf38b8f177

SHA1
d7f520887ce1bfa0a1abd49c5a7b215c24cbbf6a

SHA256
9f3104493216c1fa114ff935d23e3e41c7c3511792a30b10a40b507936c0d183

SHA512
520dc99f3176117ebc28da5ef5439b132486ef67d02fa17f28b7eab0c59db0fa99566e44c0ca7bb75c9e7bd5244e4a23d87611a55c841c6f9c9776e457fb1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\installer_minimize.png

Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\loader.png

Filesize
279B

MD5
03903fd42ed2ee3cb014f0f3b410bcb4

SHA1
762a95240607fe8a304867a46bc2d677f494f5c2

SHA256
076263cc65f9824f4f82eb6beaa594d1df90218a2ee21664cf209181557e04b1

SHA512
8b0e717268590e5287c07598a06d89220c5e9a33cd1c29c55f8720321f4b3efc869d20c61fcc892e13188d77f0fdc4c73a2ee6dece174bf876fcc3a6c5683857

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Assets\setpath.png

Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\BlueStacksInstaller.exe

Filesize
629KB

MD5
5ca709d612937dfbd2a439adc039bae6

SHA1
1f281122bdbbb72a0a7896469e95818ab5479220

SHA256
d69b526abce93cc839c0729d21845a357dd94723316a3f90f95d869c32fca4d0

SHA512
3be39f04e800e0f0e87006bed39bb285950f835c4109644969685238fda17450328bb8fecef37427faa8496f8055f4360f4fc8fbe3ad8b53c23b9e1ed2a6bd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\BlueStacksInstaller.exe.config

Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\HD-CheckCpu.exe

Filesize
200KB

MD5
81234fd9895897b8d1f5e6772a1b38d0

SHA1
80b2fec4a85ed90c4db2f09b63bd8f37038db0d3

SHA256
2e14887f3432b4a313442247fc669f891dbdad7ef1a2d371466a2afa88074a4c

SHA512
4c924d6524dc2c7d834bfc1a0d98b21753a7bf1e94b1c2c6650f755e6f265512d3a963bc7bc745351f79f547add57c37e29ba9270707edbf62b60df3a541bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\JSON.dll

Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\Locales\i18n.en-US.txt

Filesize
20KB

MD5
a1e3293265a273080e68501ffdb9c2fc

SHA1
add264c4a560ce5803ca7b19263f8cd3ed6f68f0

SHA256
1cb847f640d0b2b363ce3c44872c4227656e8d2f1b4a5217603a62d802f0581f

SHA512
cb61083dc4d7d86f855a4cc3fe7c4938232a55188ad08b028a12445675fbff6188bb40638bd1ce4e6077f5bfc94449c145118c8f9b8929d4e9c47ed74cf7bece

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC635C8E7\ThemeFile

Filesize
80KB

MD5
c3e6bab4f92ee40b9453821136878993

SHA1
94493a6b3dfb3135e5775b7d3be227659856fbc4

SHA256
de1a2e6b560e036da5ea6b042e29e81a5bfcf67dde89670c332fc5199e811ba6

SHA512
a64b6b06b3a0f3591892b60e59699682700f4018b898efe55d6bd5fb417965a55027671c58092d1eb7e21c2dbac42bc68dfb8c70468d98bed45a8cff0e945895

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE17E.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr559E.tmp\BgWorker.dll

Filesize
12KB

MD5
36c81676ada53ceb99e06693108d8cce

SHA1
d31fa4aebd584238b3edc4768dd5414494610889

SHA256
a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38

SHA512
1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr559E.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr559E.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr559E.tmp\nsDui.dll

Filesize
3.0MB

MD5
e0b3238e186b1fdcc19e65fa82c020c6

SHA1
78cde21524703e9b16817fd1ca977fa867c9bb1b

SHA256
22dae5f8d0cbf192d84cf78f962b0bde90c7300c8e9c23ff890ce996d60a082d

SHA512
86aa445c9b06f8d58dab314ea3b1dd34143fa4679e85ca5508c96ed662a0edad319312093c9243ccd36edb2f8a023cef66af88a9c1bc04a54548b88b367baac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr559E.tmp\nsis7z.dll

Filesize
434KB

MD5
95f6f6ab9509bc366ab9215defe4251a

SHA1
e3f4a6effd6ca5838cfe91a01967cb72edcc7b0b

SHA256
a896a9ece055d334d431cd0f856113ab925d9ee86d2dee383c0bfbbef11a5b50

SHA512
a853f70d2ea7f384df99be067724bf3ca73c63f3c3573c112f5528fc86a96bd34509d934b038e2a81833f3abb3eedbc5894921291139100e01df6e35696c0ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaq140lv.3hr\BlueStacks-Installer_5.21.580.1017.log

Filesize
129KB

MD5
e26654c1714e322a5bcc20e39447cf14

SHA1
fd74ff2e2051f0b433b27910b45a278fd86ae6c0

SHA256
99d366490cb46cd9512970294c62ae2e68e1407cc0858b797e52b173ee81d339

SHA512
786b96e06bd2671146863dc6587d959ad3cc02cc347ea4fd7a752c847a399939b2c8c8b186cc2de222ab98cca0a4de4620778e38d53696b37fc844f88a29edc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity

Filesize
188B

MD5
f35bb5de95abe6b017471559b4ae3e75

SHA1
c44e711ba65ece77c820f02e64bc6c13d6821a59

SHA256
a9844e1f7f7f67e3c7f6d768c978e035d25a6338ffaf59c7b04463e82a4d0500

SHA512
56de4ded5a34ae6c4f7b7f96a0e3cee66f42d46d91e2fc9bba568f7ad4ce0de20b2213fc4e289b378f1d59b9f5fe6ece4f0f8a5ee256730a13c268b4cda970ba

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\Network\TransportSecurity~RFe5a6eb9.TMP

Filesize
188B

MD5
03f4f309bc110eee49f288500295ed3d

SHA1
8280fdc226ddc64cc565606a5faf48ed9513fb95

SHA256
275cb2d3f76d5d7ebef16abd9e083a6c15810a4b25aa5ecf84114b5c020de4e8

SHA512
066526d88c5f1f789baa0d74e95ef813e14c050069e5ab05fd3f417f5953ea943317bac4b7839b6454d0a84328ebae822c12ca66c28bca1d7a350ba389f5ea6f

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
57B

MD5
83ce5f864f546b2b7f47e11fe717105a

SHA1
273e86cee5a912a9f46570c62024f2988a39410b

SHA256
c78c31ad1c3f8a1b5aed63e65d0369965e2cc53396a8c59f5f76978da99db874

SHA512
087e03b575f98bbd77861d4eec33dfe7fec5a345dc6156333249273c4453c38d6143920a3d9804b02cb6f0c9fa54447d4301ffdd71954b8fe041196fd7d63ab7

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json

Filesize
1KB

MD5
f4e1dae4f807e69a68678c46a708d65e

SHA1
b7f26da4d01a259a59b6ee0a86f3770e43aecf6c

SHA256
ff915ed297d9d14e4d38e87e88131ce6eae520af62af5d495cd9f55be3198b11

SHA512
e4f0f1e0ebe110ee707a8a97dbeee83a7959e2c15692b661b77189770d60ff664689769682fa6476057bee4de58e242dc16add16ebb2f23152b73fce5e950596

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-7734753252275506

Filesize
92B

MD5
53e145d34db7f2fe9821de4c7270a587

SHA1
79a0efcf613e6c695414d8518bf0589bd0cfe5f8

SHA256
b5d02b96a6d8fb23dd9201cdc9c22437a97b8022cb1cf72b4c63e02f263a9079

SHA512
85e67ab420bc9d7e8b429a8cd360d628110c6aeaeab9dcfdb6b44a0737a11e46f6e2b123f27c95a5ccd009eba0b736edca610807f5e02606a386879e0dbf76af

Download Submit
C:\Users\Admin\AppData\Roaming\bluestacks-services\config.json.tmp-773475340178258d

Filesize
119B

MD5
4e0917644ceea160bbfd91dd09b854cc

SHA1
799c290bdc7e62eb6a982c6439cc29b4591af511

SHA256
01a49b062752cc1275ba237b16f5d32d286a8d68c0f1c07d426bdd5c65b71650

SHA512
bbf812d5d7db4bcf29a1fd146b33327139bbe9b1802ef7f274fe6d1d5e8b792b4b86777cdbfaa5c956e6179888ed7a8271cb629348fdfb4bf4278aa12c11b13e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 501149.crdownload

Filesize
913KB

MD5
f1bb3d158ae71c6e53bd8b57561cf884

SHA1
aaed1e9200eac90a1bb7bb2faef792bdc1f9f8a6

SHA256
d96d4767376191859f5738ced9e0c65e85497f34949d3e598bb34b98e04c9542

SHA512
4f7270869e2f62d9b521c0c8330f577c5654ca0799e4a73efe13ebf8f5cf56bfd23e7a05698acac53721c4ec830cc928d046b6c6d4fb84a75d257751199390ee

Download Submit
memory/5264-291-0x0000000000A40000-0x0000000000AE0000-memory.dmp

Filesize
640KB

Download
memory/5264-293-0x000000001B730000-0x000000001B798000-memory.dmp

Filesize
416KB

Download
memory/5264-300-0x000000001CC50000-0x000000001D178000-memory.dmp

Filesize
5.2MB

Download
memory/5264-302-0x000000001C190000-0x000000001C1C8000-memory.dmp

Filesize
224KB

Download
memory/5264-303-0x000000001C160000-0x000000001C16E000-memory.dmp

Filesize
56KB

Download
memory/5264-312-0x00000000207E0000-0x00000000207E8000-memory.dmp

Filesize
32KB

Download
memory/5408-9810-0x000000001AFD0000-0x000000001B0B6000-memory.dmp

Filesize
920KB

Download
memory/5408-9809-0x00000000002C0000-0x00000000002E8000-memory.dmp

Filesize
160KB

Download
memory/5568-9811-0x0000000000CA0000-0x0000000000CF4000-memory.dmp

Filesize
336KB

Download
memory/5568-9812-0x000000001D360000-0x000000001D3E0000-memory.dmp

Filesize
512KB

Download
memory/5568-12032-0x0000000020560000-0x0000000020568000-memory.dmp

Filesize
32KB

Download
memory/5568-12033-0x0000000020650000-0x0000000020672000-memory.dmp

Filesize
136KB

Download
memory/7332-10694-0x00007FF9A5BA0000-0x00007FF9A5BA1000-memory.dmp

Filesize
4KB

Download
memory/7332-11972-0x000001CCB0910000-0x000001CCB09BD000-memory.dmp

Filesize
692KB

Download
memory/7332-10693-0x00007FF9A6610000-0x00007FF9A6611000-memory.dmp

Filesize
4KB

Download